Thanks ChrisW

Glad you got it resolved, and you learned something... one step at a time and youll be a wiz soon enough.   :)  

This can happen for a number of reasons but usually if you use the default captcha this happens quite a bit.  The default captcha has been busted (exploited) for a long time now and bots know how to get in and create a username without having to fill in the form. 

Remember that the form and all its data can be seen in source view (pull up your form and right click - select view source) and so this just helps bots do what they do.  And bots are now even able to use console info to get more specific data such as JS and other values from poorly coded or older scripts.  This is why the registration process of oxwall really needs to be rewritten or at least add more security application to it.

This is another reason why i never show my full token key in any of my forms on my other software (not oxwall related), because the more info you give the bots the more they can exploit the data.     So in my other scripts the bots only get half the token, the other half is hidden, if they try to submit the form with the half they can see it wont work. 

It is a constant battle to keep up with the bots, yes most of the time we keep up with them and not the other way around.  They usually find an exploit and then the rest of us apply patches to patch it, thats just how it is.

So basically it appears that a bot was able to make a username in your site and exploit something to do so.  Find a better captcha is my first recomendation.

One trick we used to do with forms and i still use it sometimes is called a "honey pot".   The trick is to exploit the bot's ability to fill out forms.  

So what you can do is add a hidden field to your form, and leave it blank.  Now with it being hidden only the bots will see it (source view), humans will never see the field on the screen.

So when the form is submitted and the field has a value, we know its a bot and can deny it.

It does not always work, but keeping bots and spam at bay is done by layers of protection, there is no one silver bullet...

You are somewhat limited on that since you are on a shared server, however see here..

https://forums.cpanel.net/threads/how-to-block-a-site-all-proxy.259681/

https://developers.oxwall.com/store/item/1641

Quote from Asoka Janaka Can we not block Proxy and VPN access. 

But this company start get gredee and setup the prices and make more limits on free plan so i jumped out because i need many ip checks on my business and it get expensive if you have a bigger business. 

I decide stop scammers with photo verification , much better step to srop fake users.

Soon we will have a video verification plugin in the store ....can not say more about that right now....i put alot of work make this process better with SD right now. 

project i doing now.... starting create a instruction video that i will add to the plugin...number 1 to have real users on ýour website....

if skalfa team not interested solve this, then i need try go my own way solve the biggest issue i have and they have to but ignore it i feel everytime i take it up with them. they think the solution is facebook ,twitter,goolge sign up is the solution but you can buy susch account for 0,1 usd on internet this days and not working at all. 

team Ghana and team Nigeria have 10000 of this fake facebook,twitter accounts they use already with VPN. it is like open the ports for scammers only add such features.