Not sure if your issue was the same as mine but we got 600K spam registrations because they were finding this url… /wp-login.php?action=register which was different than our Buddy Press Registration form: /register .
Even though we had Recaptcha, etc the query page was not protected. We ended up creating a redirect to the /register page.
