I have confirmation by e-mail and all the same at one fine moment the bots fell. I turned on the captcha in the form of questions and answers - it became less, but they climbed. I replaced the questions and replaced some letters in the questions with similar Latin ones - not a single bot in six months.

We need any non-standard self-written protection, even the most banal one. It's just that the bots are set up in a standard way, it is unlikely that someone will rewrite them specifically for your forum.
It is possible through javascript to add some extra field to the POST registration form and check its presence in the php script.
Something like this. The code adds a hidden field to the registration form (needs jquery). Bots will not insert it into the form and on this basis they can be cut off.

function SubFunc() {
     $('#reg').append('<input type="hidden" value="1" name="JsPassed">');
     document.reg.submit(); 
     return false;
  }
<a href="javascript:SubFunc()" >Регистрация</a>

As an option, you can add some algorithm that, based on the IP address, for example, will perform some kind of crypt or just take a hash and then check on the PHP side, but in 99% it will be superfluous, because if the bots are stray, they will not this will be blown away.

Most likely, confirmation of registration by e-mail and updating the engine to the latest version will help.

Try another behavioral filter .

An interesting way to protect against bots

A question in the style - "two multiply by seven" for any bot will cause self-DDoS and the format of itself)))

I have not heard about the fact that now there is a working algorithm for bypassing recaptcha,
from which I conclude that the connected recaptcha does not work normally on your forum. Probably due to some algorithmic error.
I support all those who wrote above that you are integrating the most elementary procedure slightly modifying the standard registration process on the forum. This will not stop a person who is purposefully going to harm you, but it will stop 99% of the machines.

1) How to protect yourself from bots. If the bots are not written specifically for your site, then just change the registration code a little (for example, make the email field a bait or consider the confirmation code to be JavaScript or Flash) and the bots will fall off. They are accustomed to standard forms.
Don't want to rewrite the code/hire someone/laziness/look for someone to do everything for you for free? Suffer further then.
Disable or make phone verification for registrations from problematic countries (list of countries below), from Tor and proxy.
2) About the high load. You should not use shared hosting at all. Now cloud servers with a minimum config are very cheap and cost about the same as your hosting, but there no one will soar your brains about traffic ratios and processor load, how much they are willing to pay, and load for so much. A site on shared hosting is easy to install even from a schoolbotnet - it is easier for a hoster to turn off a loaded site than to look for the causes of problems.
On your server, all bots can be easily banned using iptables and ipset. I would advise not to wait for bots to come to you, but to preventively ban all IPs from countries: Indonesia, Thailand, China, Philippines, Poland, Brazil. As experience shows, in these countries people have not heard about antiviruses, they use IE (here are idiots), and providers ignore abuses (mailboxes from vhuiz do not work or are full and do not accept letters). As you understand, valuable visitors to your site are unlikely to come from there, but spam, trojans, botnets and other rubbish are easy. I would personally cut these countries off the Internet and the civilized world altogether, they got it already.
"Anti-DDOS" services are needed when attacking at least half a gigabit, smaller traffic is easily banned manually on iptables. Free antiddos (and blocking of the mentioned countries), by the way, is offered by services like cloudflare. Why pay horse rates to all sorts of extortionists from anti-ddos services when you can not pay?

I corrected the registration form for Content-Type: multipart/form-data. Typically this type is only used by browsers with upload fields. In bots with a multipart, no one ever takes a steam bath.
On the server side, I just checked the Content-Type. If not multi-part - away demon, away.
99.9% hit.

Any captcha like "enter text from a picture" costs a penny through antigate.
I advise you to look in this direction .

control questions that change periodically… and bots will disappear… tested on my own experience

Expand the standard form. XLS\XLST will help.
The problem will disappear.

There is a service stopforumspam.com/ it has an API. I attached a check through this service to registration on the forum, 80 percent of bots are cut off.

I use ReCaptcha and e-mail registration confirmation on the IP.Board forum, but spammers still sometimes get through.
Implemented simple protection: if a user has <5 posts, he cannot write posts with a link in the text.
The protection operation is saved in a separate table and then I can delete the user who tried to spam with one click. I also plan to automatically add IP addresses to the blacklist.

Another idea came up. When opening the page, set a cookie, and in the registration script, check for the presence of this cookie. Again, if the bot is not self-written and does not know how to adapt to specific conditions, it will not work.

Any non-standard solution will work for itself by 90 percent. For example, cover registration in general with regular forum tools, and on another domain or subdomain, make a page with a custom registration form for registration in the same database.

Use reCaptcha ( installation video ), or better yet, keyCaptcha for your forum, and there will be no problems with spam.

Guys who suffer with bots and don't know what to do with them. We have written a guide with thousands of ways to ward them off.