If it helps anyone, we use three layers of firewall on this site. First is Cloudflare – stops a lot of bad stuff before it even hits our servers. Any traffic that does hit our servers is then filtered through a set of custom Web Application Firewall rules before it hits the WordPress site. Anything that makes it through that is then filtered by WordFence. Nothing works perfectly and each vendor responds to emerging treats differently at different rates – so having multiple security layers is the best approach in our opinion. Performance takes a small hit but we’ll take security over performance any day.
Even with all that, there is still a bunch of stuff that makes it through and attempts dictionary style login attacks. Those eventually gets taking care of by blocking based on number of failed attempts and such…
Not only are the bots registering but surprisingly they created around 500 subsites on my site…
It sounds like you’re running a WordPress Multisite network. If not, then the hosting account has been seriously compromised.
If so: Do you run any sort of Splog moderation and control, other than captcha on your registration page?
We run a very large WPMS network at Tripawds. I’ve been fighting spam blog registrations for years and have implemented various methods to bring it under control.
Anti-Splog is the first step.
I also implemented a Signup Code and display that on the reg page, to ensure humans are filling out the form.
Finally, I am working with the developer of Beyond Multisite, who is almost ready to release an update to include Blog Moderation, which allows us to prevent first posts from being published, with an easy way to delete sites and users. No ETA on this, but the beta is working great.
FYI: These methods are in addition to server level csf firewall, and our Wordfence Premium account.