Spambots targeting Drupal sites are already a plague, so we should force reasonable default policy for new accounts registration, as below:
* Visitors, but administrator approval is required (forced default)
* Require e-mail verification when a visitor creates an account (enabled)
If you wish to disable e-mail verification or set "Who can register accounts" to "Administrators only" or "Visitors", you must create a control file in
sites/foo.com/modules/disable_user_register_protection.info and then change these settings in the site.
Wed don't force "Administrators only", because it could immediately break many commerce or community sites essential features. But for other sites, "Administrators only" is strongly suggested.
It is also a good idea to check (really, do this, you may be surprised) if your sites are not already "taken over" by spambots - we have seen too many sites with 10k or even 50k spambots accounts created, not to mention *tons* of spam added, which even if not published, can slow down your site seriously anyway.