I have disabled editing for anons and use various anti-spam protections.
And I use $wgEnableWriteAPI = true because ajax watching is nice.
I find it somehow dangerous to have API actions like createaccount. I disabled it manually now in the core, but a proper way might be better?
Also, how does that work together with Extension:ConfirmEdit?