A fake user registration attack spiked on my Q2A site.

Question

• The unknown malicious attacker managed to register a fake 6000+ IDs in the last eight days. 
• I have already implemented Google reCaptcha. Still, the attacker managed to register fake users bypassing reCaptcha. 
• I got a suspension notice from the hosting provider due to a sudden spike in outgoing emails in order to convey registration details. 
• Most email IDs are either fake or disposable. 

Has anyone a solution to prevent spam registration attacks?

PS:  The plugin named Q2A user manager helps me to delete users in bulk. It's not solution but helped lot in cleaning the junk users.
 https://github.com/q2a-projects/Q2A-User-Manager

Answer 1

I'm using my own fork of the Registration Blocker plugin, which reduces the spammer registration volume to a manageable number. Don't expect it to be a silver bullet, though. It takes some training (i.e. adding the domains and/or mail addresses and/or usernames abused by the spammers), and even then fighting spammer registrations remains a continuous effort.

The current spike is to be expected, since apparently many admins are on vacation over the holidays.

Answer 2

User Email Activation is an optional security measure. If you’d like an even more secure method of user registration, you can opt for Manual Approval. The approval method will require you to review each user registration request before the new user can join your website.  You’ll receive an email notice for each request, and the option to approve or deny the new member.