@thor i'm aware of that.
A patch can prevent similar attacks like this but why not have captcha for both open and closed registrations which admins can't toggle off via the web settings?
Because I imagine quite a few admins want their registration to be open no matter the default and then spam bots find their way back in again.
To combat automated account creation there needs to be more than having a toggle off only for new installations and many want to have it open anyway