Hah! Got you!
I finally figured out how spambots are getting past my registration checks. The default login URL was active even though the option was hidden. Not any more 😉
User base now cleaned up to those I know are genuine. Fresh users starts now.
Simple registration is available for anyone who wants to create an account for commenting. I’m not going to make more complex changes, eg. allowing full customisation of profile, because it’s not necessary and may fall under GDPR, which I don’t really want. Just a username and email address so you can self verify and reset password of necessary. You should never get any other email from this blog and if you do, let me know so I can stop it.