Spam Registrations

I suspect that there is malware files on your system that is allowing those user registrations. There are lots of googles/bings/ducks on how to clean a hacked system. (I use my own procedure here.)

What I would do is these things:

  • change all credentials everywhere (hosting, FTP, admin etc)
  • create a new admin user with a very secure password, log in as it (to verify it works), then demote the current admin user(s) to lowest level. Especially if your admin user is called ‘admin’.
  • disable xmlrpc.prg on your site (that can be a hack intrusion point)
  • reinstall WP (use the Update on the dashboard).
  • reinstall all theme from good sources via FTP. Do the same for all plugins
  • Manually look at all files in all folders on your site for ‘bad’ files. Sorting by date helps, since you updated everything – all updated files should have the same datestamp, so unwanted files will stick out. Don’t forget to look at all hidden files, including htaccess.
  • look at generated source code of pages to ensure nothing funky in there

The site can be cleaned (I’ve done it, which is how I developed my procedure). But IMHO there is a strong possibility of malware code on your site allowing those registrations.