These three methods:
http://ocaoimh.ie/cookies-for-comments/
http://wordpress-plugins.feifei.us/hashcash/
http://www.darcynorman.net/2009/05/20/stopping-spamblog-registration-in-wordpress-multiuser/
...are mostly about comment spam. Akismet takes care of that nicely. They don't seem to do anything for registration spam.
The hashcash plugin is compatible up to version 2.6, last updated 2008-7-30. Hashcash relies on wp_head and comment_form hooks; how does this have anything to do with registration/blog spam?
I can't figure out the darcynorman solution:
# BEGIN ANTISPAMBLOG REGISTRATION
RewriteEngine On
RewriteCond %{REQUEST_METHOD} POST
RewriteCond %{REQUEST_URI} .wp-signup\.php*
RewriteCond %{HTTP_REFERER} !.*ucalgaryblogs.ca.* [OR]
RewriteCond %{HTTP_USER_AGENT} ^$
RewriteRule (.*) http://die-spammers.com/ [R=301,L]
# END ANTISPAMBLOG REGISTRATION
Are those dots (.) and stars (*) part of the code? Should I remove them? What is the REQUEST_URI in Buddypress? What would it be if I customized a lot of core files? What should I look for?
BTW, couldn't that referrer check be part of the core code? Why is it necessary to hack the .htaccess for that?
It is designed to allow you to customize it if it doesn't suit your needs out of the box.
That's why I have to hack core files to get it to do basic things, like get firstname + lastname of members into the database somewhat consistently.
Fixing basis security should not be an issue for plugins or customization. It's the heart of the package. If WPMU/BP does not get that right, Wordpress blog/social networks will become prime targets - probably already happening...