Would it be possible to use RSA keys or some other form of public key/private key authentication to prevent hacked clients from joining servers? I have absolutely no experience with Java, so I don't know how easy it would be to "hack out" the RSA key and use it in the hacked clients... but it seems like a viable option for now. Or maybe the server could run an MD5 checksum of the client and it could be verified that way?
Or maybe it'd be easiest to autoban people who move upwards more than two blocks when not in water? That would take out a bunch of hacked clients.
Oh, and an idea for griefers...
Before a voteban can occur, the player must be votekicked.
Lower the requirement for a voteban to be... +2 votekick or something similar.
A voteban would also ban the IP address of the player for 48 hours.
That would prevent the same person using multiple player accounts to harass a server. After 48 hours, the ban would be lifted and anyone with that IP would be allowed back in. However, the ban on the account would still exist. This would allow people with dynamic IP addresses to not be randomly banned from all the servers (say if someone in the same range was assigned the banned IP address) but would prevent account hopping. Maybe in the bans file, you could have a timestamp for ban removal listed after the IP address and when that time passes (the server could check every 15 minutes or so), it would remove that IP ban.
I'm thinking that would make the whole game easier and more secure.
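The timed IP ban proposed in the post above, sketched as an added example that is not part of the original post or of any game server's code. The "IP expiry" line format, epoch-second timestamps, case-insensitive account names and all function names are assumptions.

```python
import ipaddress

IP_BAN_SECONDS = 48 * 3600  # the post's 48-hour IP ban

# Constructed sample bans file (documentation-range addresses).
SAMPLE = "203.0.113.7 1000\nnot-an-ip 5\n198.51.100.9 90000  # griefer\n"


def parse_ip_bans(text):
    """Parse 'IP expiry_epoch' lines; skip blanks, comments, malformed rows."""
    bans = {}
    for line in text.splitlines():
        parts = line.split("#", 1)[0].split()
        if len(parts) != 2:
            continue
        try:
            ip = str(ipaddress.ip_address(parts[0]))
            expiry = int(parts[1])
        except ValueError:
            continue
        bans[ip] = max(expiry, bans.get(ip, 0))  # duplicates: keep later expiry
    return bans


def voteban(account_bans, ip_bans, account, ip, now):
    """Ban the account with no expiry and its current IP for 48 hours."""
    account_bans.add(account.lower())  # assumption: names are case-insensitive
    ip = str(ipaddress.ip_address(ip))
    ip_bans[ip] = max(now + IP_BAN_SECONDS, ip_bans.get(ip, 0))


def sweep(ip_bans, now):
    """Periodic cleanup (the post suggests every 15 minutes or so)."""
    expired = [ip for ip, expiry in ip_bans.items() if expiry <= now]
    for ip in expired:
        del ip_bans[ip]
    return expired


def may_join(account_bans, ip_bans, account, ip, now):
    """Compare expiry at login so a lapsed ban is not enforced between sweeps."""
    if account.lower() in account_bans:
        return False
    expiry = ip_bans.get(str(ipaddress.ip_address(ip)))
    return expiry is None or expiry <= now


def serialize_ip_bans(ip_bans):
    return "".join(f"{ip} {exp}\n" for ip, exp in sorted(ip_bans.items()))
```

Because may_join compares the expiry itself, the sweep only keeps the file small; a ban that lapsed a minute after the last sweep is already not enforced.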