Using 2.8.4 and today a user signed up on 2 of my blogs, and I do not show the meta/login widget, so how did they do it? Is WP account registration is simple URL that anyone can type in? By default new users are subscribers, but a bit worrying that people can sign up. Some suggested it could be a bot, and I did find an instance of another chap who mentioned that the same person (account and email) had "hacked" his blog (sign up).
Is this a 2.8.4 vulnerability, or just an easy trick for a bot to do, and not a major problem so long as default new users subscribers?