Use Cloudflare or some other firewall to block some countries if you can: China, Hong Kong, Russia. This does not stop all the spam, and of course it does not work if you need those countries to be able to access the site. But it was helpful in letting me actually use the admin panel, as the server was getting hammered pretty hard.
Enable the built-in Google reCAPTCHA, or use an alternative plugin if you have not updated Magento to 2.3.0+.
To enable the built-in Google reCAPTCHA in Magento 2.3:
1) Visit Stores > Settings > Configuration > Security > Google reCAPTCHA
2) Generate reCAPTCHA v2 keys (Invisible reCAPTCHA or “I’m not a bot”).
3) Enter them into the admin config on that page and enable it on the frontend for “Use in Create user”.
Enabling it for the other features can’t really hurt either.
To clean up existing accounts, find patterns in their input and create queries that select them, whilst ensuring your normal users are not part of that set of data.
You can delete them from the customer_entity table.
Example SQL from a site I cleaned up:
Craft your own, as it needs to be mindful of your circumstances, your dataset, etc. Don’t hold me responsible if you wipe the wrong users. Take a backup first!
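-- Match on the email domain (the part after the last '@') ...
DELETE FROM customer_entity
WHERE SUBSTRING_INDEX(email, '@', -1) IN ('pp.com')
-- ... or on spam markers (links, bracketed text, spam sites) in the last name.
   OR lastname LIKE '%http://%'
   OR lastname LIKE '%https://%'
   OR lastname LIKE '%【%】%'
   OR lastname LIKE '%tw55.cc%'
   OR lastname LIKE '%www.ope2228.com%';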
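A safer way to run the cleanup query above, added here as an example and not taken from the original post: stage the matches, review them, exclude anyone who has ordered, then delete inside a transaction. It assumes MySQL/MariaDB and the standard Magento 2 sales_order table; spam_candidates and customer_entity_backup are hypothetical table names.

```sql
-- 1. Stage the matching rows once, so the review and the delete use the same set.
--    The patterns are the ones from the post's query; adapt them to your data.
CREATE TABLE spam_candidates AS
SELECT entity_id, email, firstname, lastname, created_at
FROM customer_entity
WHERE SUBSTRING_INDEX(email, '@', -1) IN ('pp.com')
   OR lastname LIKE '%http://%'
   OR lastname LIKE '%https://%'
   OR lastname LIKE '%【%】%'
   OR lastname LIKE '%tw55.cc%'
   OR lastname LIKE '%www.ope2228.com%';

-- 2. Review the size of the set and which email domains it covers.
SELECT COUNT(*) AS matched FROM spam_candidates;
SELECT SUBSTRING_INDEX(email, '@', -1) AS domain, COUNT(*) AS n
FROM spam_candidates
GROUP BY domain
ORDER BY n DESC;

-- 3. Anyone who has placed an order is probably a real customer:
--    list them for manual review, then take them out of the candidate set.
SELECT c.entity_id, c.email, COUNT(o.entity_id) AS orders
FROM spam_candidates c
JOIN sales_order o ON o.customer_id = c.entity_id
GROUP BY c.entity_id, c.email;

DELETE c FROM spam_candidates c
JOIN sales_order o ON o.customer_id = c.entity_id;

-- 4. Keep a copy of the table. This is in addition to a full database dump,
--    not a replacement: rows in related tables are not covered by it.
CREATE TABLE customer_entity_backup AS SELECT * FROM customer_entity;

-- 5. Delete inside a transaction and compare the count with step 2.
START TRANSACTION;
DELETE ce FROM customer_entity ce
JOIN spam_candidates sc ON sc.entity_id = ce.entity_id;
SELECT ROW_COUNT() AS deleted;
-- Replace ROLLBACK with COMMIT once the deleted count is what you expect.
ROLLBACK;
```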
Ensure the old basic Magento CAPTCHA is disabled under Customers > Customer Configuration > CAPTCHA:
Enable CAPTCHA on Storefront: No
Otherwise it will conflict with the Google reCAPTCHA.
Official documentation links:
The bots just seem to hit the account creation endpoint (yes, even if you delete the Create Account buttons/links from your theme). Deleting or deactivating their accounts is recommended, as they could sleep until later and spam other things, and they use up space in your DB anyway.
Good luck everyone.