Disable registration to deal with persistant spam attacks
After almost a year online we've finally found our way onto some automated spam lists and we've started getting a substantial amount of fake user registrations and spam posts. Since we use a custom SSO solution to share logins between MediaWiki, Vanilla and Wordpress, and we've always hidden the local registration option, I figured I could just disable local user registration, which the spammers are obviously submitting fake data to directly. I selected the "Connect" option in Dashboard > Registation which states "New users are only registered through SSO plugins".
This works in the sense that http://practicalplants.org/community/entry/register now just redirects to the main discussions page, but the spammers are still able to register local forum accounts and are still spamming. The users are not being registered via our SSO app, the spam accounts exist only in the Vanilla user database. Presumably they're submitting an automated POST request directly to the relevant endpoint in the application, and the "Connect" registration option doesn't actually disable this.
Does anyone know a workaround or solution?