We've already had two user accounts created, which are just for the purpose of spam. It seems likely that this is a bot, which is using the fact that our combination of WordPress and phpBB is sufficiently common to make it worth writing software that can automatically create an account, and post a spam e-mail. What is interesting is that I'm not sure if these posts bypassed the "initial 3 posts must be moderated" limit that new user accounts normally get.
The accounts were characterised by using Gmail addresses and both the user name and e-mail address looking like a semi-random word. The personal information for the account, the profile for example, appeared to have been filled in in a reasonably sophisticated way.
I've deleted the two spamming accounts completely. There didn't seem any point in keeping them around except for forensic reasons.
The main change that I've made is that all future users registering must confirm by e-mail. I anticipate this will not be enough, but we'll see.
The battle between sysadmins and spammers continues!