I’m very new with wp But: wp has a standard login and registration url that contains the domain name for the registration is always the same except for the domain. For example:
https://abcd.com/wordpress/wp-login/xxx/xxx
All the spammer need do is use a script to change domain name “abcd.com” to get to the original wp login and registration and enter standard information to generate a new user. This bypasses your security and the spammer never goes to you registration page.
We fixed this by redirecting the default wp url to go to our registration page, which has more required fields.
Please let me know if this fixes the problem for you. Best Wishes
