unfocus Prune Users is a pretty straight forward nuclear option. It checks those 3 things listed above for each user, and then deletes them, mercilessly.
Actually, those 3 checks are done through WP API calls – so I’m not really sure if other wp-posts tables would be checked. I would guess not..
I should also mention – backup your database before doing any of this! 
This is all in one (not very robust). It uses brute force to loop through every user, then uses built in functions of WordPress to check each user’s credentials.
It almost timed out on my site with a measly 7000 users, so 200,000 will almost certainly be a problem.
Suffice to say, it’ll need chunking. I’m also checking on some safety issues with the way I’m detecting superfluous users. It currently does these checks:
1. Is the user only a subscriber (this is the questionable check – though it seems to work)?
2. Does the user have any posts?
3. Does the user have any approved comments?
As long as the user has no posts, no approved comments, and is only a subscriber, it’ll delete that user.
If you want to use this as is, you can comment out the entire foreach block starting on line 73. That will make it so you can at least load the page (this block tries to count the number of users it will delete – which in your case will likely timeout).
You can then just hit “Do it!” a few times (it’ll time out each time, but it’ll take a chunk of user out before it times out).
Why turn off XML-RPC? I have that on (and the Atom publishing protocol) and the steps I mentioned above have stopped the UGG boots spam.
I did a couple of things to block these (same ugg boots bots).
1. I added “WP-reCAPTCHA” to the registration form – this seems to have halted new registrations for the moment.
2. Kept the forum set so that users must register to post.
3. I left regular comments so anyone can post – akizmet caches everything there.
I wrote a make-shift plugin to prune all the spam-bot-old users just to make sure.
https://github.com/unFocus/Prune-Users
Also check your forum tags – the bots have been gumming those up too.
Kevin N.
In WordPress admin -> Settings (not the forums submenu – its in WordPress’s normal Settings block) -> Forums. The settings you seek are in there.
Very good, thank you for the information.
Another question – if I hit spam on the spammy comments, does that train the Akizmet filter? It does seem that some spam is getting caught, so I’d guess it’s all going through Akizmet?
Also somewhat related (though more generally applicable to WordPress) – anyone know of a good User pruning plugin? The ones I find in the plugin repos don’t seem to work.
Oof, the spammers are also gumming up my tags. Is that checked by akizmet?
I just tried “Math Comment Spam Protection Plugin” as suggested in another thread, but sadly, the input field does not appear on the forum post pages.
I forgot to mention another issue I’ve had – bbpress doesn’t get along with wp-super-cache – is there any easy way to get around that (disable the cache just for the forums tree for example)?
