What if the user has $wgEnableWriteAPI = true? Will spam account creation be possible?
See also Thread:Project:Support_desk/API:_Disable_selected_dangerous_write_actions
What if the user has $wgEnableWriteAPI = true? Will spam account creation be possible?
See also Thread:Project:Support_desk/API:_Disable_selected_dangerous_write_actions
ConfirmEdit and other CAPTCHA implementations work with the API so if you depend on it for spam protection, it should continue to be protected.
You may also consider disabling account creation by
$wgAPIModules['createaccount'] = 'ApiDisabled';