
bbPress forum under attack!

  • @teqtoo

    Participant

    I’m on bbPress 2.6.6, WordPress 5.8.1, and the site is http://bluebirdnut.com/forums/.
    I had another SPAM attack last night, this time in the main forum. Hundreds of posts were made, all filled with what looked like Chinese characters. After the last attack, I set flood control at 90 seconds. Whatever or whoever made this attack managed to make it by just waiting 90 seconds between posts. I only caught it because I woke up at 4AM and checked my email and found a new participant had signed up for the forum. I UNchecked the box to “Automatically give registered visitors the Participant forum role”, which the documentation says will force me to manually assign all user access to your forums. But the new user was able to post without my having approved his role as a participant. I’ve now installed a reCaptcha plugin, but I don’t understand why the settings I’ve specified are being ignored.
    Oh, and when I checked the user’s profile (before deleting it) it was able to assign itself the MODERATOR role in addition to participant! I had to disable the plugin in the middle of the night in order to stop the attack. And the IP address of both this attack and the previous one (which I reported in this forum, but didn’t receive a single reply) resolved to the West coast of the US, not China.

Viewing 1 replies (of 1 total)
  • @robin-w

    Moderator

    OK, given that I think this is your second attack, and that the user was able to change his settings, I would suspect the user has gained access details.

    I would:

    1. install https://en-gb.wordpress.org/plugins/wps-hide-login/ and change login
    2. install https://en-gb.wordpress.org/plugins/wordfence/ and consider 2FA for mods and admins, and ensure that you get emails if any admins log in
    3. change or get admins to change passwords for admins, moderators etc.
    4. change all FTP passwords
    5. change your database password
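
An added example, not part of the original thread and not bbPress code: the first post describes an account that got past the 90-second flood control simply by waiting between posts. The Python below flags that pacing pattern in a post log, so such an account can be reviewed before hundreds of posts accumulate; the sample rows, account names and thresholds (`slack`, `min_posts`, `min_ratio`, `new_within`) are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

FLOOD_SECONDS = 90  # flood-control interval mentioned in the thread


def sample_posts():
    """Constructed data: (author, registered_at, posted_at) tuples."""
    start = datetime(2000, 1, 1, 2, 0, 0)
    rows, t = [], start + timedelta(minutes=3)
    # Constructed automated account: registers, then posts every 91-94 s.
    for i in range(40):
        rows.append(("constructed_bot", start, t))
        t += timedelta(seconds=91 + i % 4)
    # Constructed long-standing member with irregular gaps (seconds).
    t = start
    for gap in (300, 95, 4000, 60, 7200, 1500, 110, 900, 45, 18000, 600, 2400):
        t += timedelta(seconds=gap)
        rows.append(("constructed_member", start - timedelta(days=400), t))
    return rows


def paced_posters(rows, flood=FLOOD_SECONDS, slack=30, min_posts=10,
                  min_ratio=0.8, new_within=timedelta(hours=24)):
    """Flag authors whose gaps between posts cluster just above `flood`."""
    times, registered = defaultdict(list), {}
    for author, reg, posted in rows:
        times[author].append(posted)
        registered[author] = reg
    flagged = []
    for author, stamps in times.items():
        if len(stamps) < min_posts:
            continue  # too few posts to judge pacing
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        paced = sum(flood <= g <= flood + slack for g in gaps)
        ratio = paced / len(gaps)
        if ratio >= min_ratio:
            flagged.append({
                "author": author,
                "posts": len(stamps),
                "paced_ratio": round(ratio, 2),
                # Posting began soon after registration: stronger signal.
                "new_account": stamps[0] - registered[author] <= new_within,
            })
    return flagged


if __name__ == "__main__":
    for hit in paced_posters(sample_posts()):
        print(hit)
```

A fixed flood interval only slows an automated poster; gaps that sit consistently just above the limit are themselves a signal worth alerting on.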
