Hello, I have been following this post because I’m curious about the cause of your problem.
Quick question
If your passwords are numbers, uppercase and lowercase letters as well as symbols, and above 10 characters they should be strong enough in order to prevent this kind of attack. What kind of botnet has that much power?
Plausible solution
- If your database is on the same server as your Strapi app then you should check if the database ports are open to the public. They shouldn’t be. Strapi can connect to the database internally.
- If your database is on a different server than Strapi, then you should restrict the access on your database server to only accept traffic from the Strapi server, i.e. Strapi’s server public IP.
Hope I gave you some ideas.
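
One way to run the port check suggested in the reply above, as an added example that is not part of the original post: it parses `ss -ltn` output and reports database listeners bound to anything other than loopback. The port list assumes default database ports, and the sample output is constructed.

```python
import ipaddress

# Default ports of databases commonly used behind Strapi (assumption: defaults unchanged).
DB_PORTS = {5432: "PostgreSQL", 3306: "MySQL/MariaDB", 27017: "MongoDB"}
WILDCARDS = {"*", "0.0.0.0", "::"}

def classify_bind(host):
    """Return 'loopback', 'all-interfaces' or 'specific-address' for a bind address."""
    host = host.strip("[]").split("%", 1)[0]   # drop IPv6 brackets and %iface scope
    if host in WILDCARDS:
        return "all-interfaces"
    return "loopback" if ipaddress.ip_address(host).is_loopback else "specific-address"

def exposed_db_listeners(ss_output):
    """Parse `ss -ltn` text; return (service, local_addr, exposure) for non-loopback DB listeners."""
    findings = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] != "LISTEN":
            continue                            # header or blank line
        local = fields[3]
        host, _, port = local.rpartition(":")
        if not port.isdigit() or int(port) not in DB_PORTS:
            continue
        exposure = classify_bind(host)
        if exposure != "loopback":
            findings.append((DB_PORTS[int(port)], local, exposure))
    return findings

# Constructed sample of `ss -ltn` output (not from the original thread).
SAMPLE = """\
State   Recv-Q  Send-Q  Local Address:Port  Peer Address:Port
LISTEN  0       511     0.0.0.0:1337        0.0.0.0:*
LISTEN  0       244     0.0.0.0:5432        0.0.0.0:*
LISTEN  0       151     127.0.0.1:3306      0.0.0.0:*
LISTEN  0       4096    [::1]:27017         [::]:*
LISTEN  0       244     [::]:5432           [::]:*
LISTEN  0       4096    10.0.0.5:27017      0.0.0.0:*
"""

if __name__ == "__main__":
    for service, addr, exposure in exposed_db_listeners(SAMPLE):
        print(f"{service} listening on {addr} ({exposure}): bind to localhost or firewall it")
```

A `specific-address` result is expected when the database runs on its own server; in that case the firewall on that server should accept the port only from the Strapi server's IP.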