Thanks to jontiw for pointing out a potential problem in my bcSpamblock code. He noted the the PHP crypt() function returns the salt along with the encrypted value. My code was passing the salt to the visitor so that an attacker could potentially learn the salt value that a website was using and create valid responses.
I modified the code to strip out that salt before passing it to the user. I also modified the data used to create the salt so that previous vulnerable version doesn’t use the same value for the site. The wordpress plugin has also been updated as well.
I was happy to see other people looking through my code and pointing this type of issue out.