Last modified: 2013-09-25 19:33:45 UTC
MediaWiki allows the creation of new accounts before confirming an email address or, in fact, without providing one at all. Email confirmation is purely optional. This makes sense in the context of Wikipedia and other Wikimedia sites because these projects made this choice. However, the usual practice on most websites is to have an account created only after confirming email. It is reasonable to expect that most third-party MediaWiki admins will expect this functionality, especially when they start seeing dozens of spam accounts created every day. It's quite trivial for spammers to go through captchas to create new accounts. I'm sure they can also get a system to confirm emails massively, but at least that is a higher level of complexity. If this is not considered for core then an option would be to integrate this functionality in [[mw:Extension:ConfirmAccount]]. This extension does require email confirmation, but admins must approve all requests manually. Besides, the project seems to be unmaintained...
Can't you just restrict editing to users who confirmed their e-mail address? This is, surprisingly, even documented: [[mw:Manual:User rights#Examples]].
Huh, there's even [[mw:Manual:$wgEmailConfirmToEdit]] (but this is kinda less documented ;) ).
Sure, but this doesn't prevent account creation. A regular (and even unknown) wiki will get about 20 spam accounts created every day unless they introduce some kind of antispam measure - and even then bots and spammers are getting better at passing through captchas. Site admins and communities want to know who the legitimate users are in order to e.g. reach out to them or have some stats. And well, just to have your house clean of rubbish. It's hard to tell spam accounts apart from legitimate silent accounts.
Ah. Yeah, you're right.