fix: [security] flood protection control enabled by default

- as reported by Dawid Czarnecki from Zigrin Security

src/Controller/UsersController.php

@@ -317,7 +317,7 @@ class UsersController extends AppController
         if (empty(Configure::read('security.registration.self-registration'))) {
             throw new UnauthorizedException(__('User self-registration is not open.'));
         }
-        if (!empty(Configure::read('security.registration.floodProtection'))) {
+        if (!Configure::check('security.registration.floodProtection') || Configure::read('security.registration.floodProtection')) {
             $this->FloodProtection->check('register');
         }
         if ($this->request->is('post')) {

src/Model/Table/SettingProviders/CerebrateSettingsProvider.php

@@ -301,7 +301,7 @@ class CerebrateSettingsProvider extends BaseSettingsProvider
                             'name' => __('Enable registration flood-protection'),
                             'type' => 'boolean',
                             'description' => __('Enabling this setting will only allow 5 registrations / IP address every 15 minutes (rolling time-frame).'),
-                            'default' => false,
+                            'default' => true,
                         ],
                     ]
                 ],