I am getting hundreds of spam in messages. I have reCAPTCHA but it does not work. How do I stop this?
How and where do you get the spam? Do you have a URL to the form being spammed, or is it the Joomla user registration form, the quote and contact form (https://demo.cmsjunkie.com/j-businessdirectory/templates.php?template=j-nexus), etc.?
Check Joomla extensions for help, like Michael Richey's: https://www.richeyweb.com/extension-repository
... etc
https://www.joomlashack.com/joomla-extensions/ospam-a-not/
Also use the must-have, long-developed and widely used Joomla Master .htaccess with Akeeba Admin Tools Pro https://www.akeeba.com/products/admin-tools.html, which was developed and enhanced by Nikos Akeeba and others for better Joomla performance, security and SEF handling. Then exclude all AI and other spam bots. Check your traffic to decide on excludes, using JRealtime Analytics or Matomo https://storejextensions.org/extensions/jrealtime_analytics.html
You have to test this htaccess file here and adapt it to your own site; change the domain name. It's extracted from the latest Akeeba Admin Tools Pro, with some other extra settings.
### ===========================================================================
### Security Enhanced & Highly Optimized .htaccess File for Joomla!
### automatically generated by Admin Tools 7.8.1 on 2025-08-07 15:34:41 CEST
### Auto-detected Apache version: 2.4 (best guess)
### ===========================================================================
###
### The contents of this file are based on the same author's work "Master
### .htaccess".
###
### Admin Tools is Free Software, distributed under the terms of the GNU
### General Public License version 3 or, at your option, any later version
### published by the Free Software Foundation.
###
### !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! IMPORTANT !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
### !! !!
### !! If you get an Internal Server Error 500 or a blank page when trying !!
### !! to access your site, remove this file and try tweaking its settings !!
### !! in the back-end of the Admin Tools component. !!
### !! !!
### !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
######## Restricted access by IP address -- BEGIN
Require ip 173.245.48.0/20
Require ip 103.21.244.0/22
Require ip 103.22.200.0/22
Require ip 103.31.4.0/22
Require ip 141.101.64.0/18
Require ip 108.162.192.0/18
Require ip 190.93.240.0/20
Require ip 188.114.96.0/20
Require ip 197.234.240.0/22
Require ip 198.41.128.0/17
Require ip 162.158.0.0/15
Require ip 104.16.0.0/13
Require ip 104.24.0.0/14
Require ip 172.64.0.0/13
Require ip 131.0.72.0/22
##### Restricted access by IP address -- END
##### RewriteEngine enabled - BEGIN
RewriteEngine On
##### RewriteEngine enabled - END
# PHP FastCGI fix for HTTP Authorization
RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]
##### RewriteBase set - BEGIN
RewriteBase /
##### RewriteBase set - END
##### HTTP to HTTPS redirection
## Since you have enabled HSTS the first redirection rule will instruct the browser to visit the HTTPS version of your
## site. This prevents unsafe redirections through HTTP.
RewriteCond %{HTTPS} !=on
RewriteCond %{HTTP:X-Forwarded-Proto} !=https
RewriteRule .* https://www.yoursitechangehere.com%{REQUEST_URI} [L,R=301]
##### Custom Rules (Top of File) -- BEGIN
php_value upload_max_filesize 512M
php_value post_max_size 512M
php_value memory_limit 128G
php_value max_input_time 280
php_value max_execution_time 3500
php_value max_input_vars 6500
php_value output_buffering Off
RewriteRule .*wp-.* /no.html [NC,L,R=301]
<FilesMatch ".(ttf|ttc|otf|eot|woff)$">
Header set Access-Control-Allow-Origin "*"
Header set Access-Control-Allow-Headers "Origin, X-Requested-With, Content-Type, Accept, Authorization"
Header set Access-Control-Allow-Methods "GET, POST, PUT, DELETE, OPTIONS"
</FilesMatch>
Header always set X-Content-Type-Options "nosniff"
## Always use latest PHP-version
AddType application/x-httpd-php-latest .php
RewriteRule ".css.gz$" "-" [T=text/css,E=no-gzip:1,E=no-brotli:1]
RewriteRule ".js.gz$" "-" [T=text/javascript,E=no-gzip:1,E=no-brotli:1]
##### Custom Rules (Top of File) -- END
##### File execution order -- BEGIN
DirectoryIndex index.php index.html
##### File execution order -- END
##### No directory listings -- BEGIN
IndexIgnore *
##### No directory listings -- END
##### Common hacking tools and bandwidth hoggers block -- BEGIN
SetEnvIf user-agent "(?i:AI2Bot)" stayout=1
SetEnvIf user-agent "(?i:Acunetix)" stayout=1
SetEnvIf user-agent "(?i:Amazonbot)" stayout=1
SetEnvIf user-agent "(?i:Applebot)" stayout=1
SetEnvIf user-agent "(?i:Applebot-Extended)" stayout=1
SetEnvIf user-agent "(?i:BOT for JCE)" stayout=1
SetEnvIf user-agent "(?i:BingBot)" stayout=1
SetEnvIf user-agent "(?i:BlackWidow)" stayout=1
SetEnvIf user-agent "(?i:Bolt 0)" stayout=1
SetEnvIf user-agent "(?i:Bot mailto:craftbot@yahoo.com)" stayout=1
SetEnvIf user-agent "(?i:Bytespider)" stayout=1
SetEnvIf user-agent "(?i:CCBot)" stayout=1
SetEnvIf user-agent "(?i:CazoodleBot)" stayout=1
SetEnvIf user-agent "(?i:ChatGPT-User)" stayout=1
SetEnvIf user-agent "(?i:ChatGPT-User/2.0)" stayout=1
SetEnvIf user-agent "(?i:ChinaClaw)" stayout=1
SetEnvIf user-agent "(?i:ClaudeBot)" stayout=1
SetEnvIf user-agent "(?i:Custo)" stayout=1
SetEnvIf user-agent "(?i:DIIbot)" stayout=1
SetEnvIf user-agent "(?i:DISCo)" stayout=1
SetEnvIf user-agent "(?i:Default Browser 0)" stayout=1
SetEnvIf user-agent "(?i:Diffbot)" stayout=1
SetEnvIf user-agent "(?i:Download Demon)" stayout=1
SetEnvIf user-agent "(?i:DuckAssistBot)" stayout=1
SetEnvIf user-agent "(?i:EirGrabber)" stayout=1
SetEnvIf user-agent "(?i:EmailCollector)" stayout=1
SetEnvIf user-agent "(?i:EmailSiphon)" stayout=1
SetEnvIf user-agent "(?i:EmailWolf)" stayout=1
SetEnvIf user-agent "(?i:Express WebPictures)" stayout=1
SetEnvIf user-agent "(?i:ExtractorPro)" stayout=1
SetEnvIf user-agent "(?i:EyeNetIE)" stayout=1
SetEnvIf user-agent "(?i:FHscan)" stayout=1
SetEnvIf user-agent "(?i:FacebookBot)" stayout=1
SetEnvIf user-agent "(?i:FlashGet)" stayout=1
SetEnvIf user-agent "(?i:GPTBot)" stayout=1
SetEnvIf user-agent "(?i:GT::WWW)" stayout=1
SetEnvIf user-agent "(?i:GetRight)" stayout=1
SetEnvIf user-agent "(?i:GetWeb!)" stayout=1
SetEnvIf user-agent "(?i:Go!Zilla)" stayout=1
SetEnvIf user-agent "(?i:Go-Ahead-Got-It)" stayout=1
SetEnvIf user-agent "(?i:Google-Extended)" stayout=1
SetEnvIf user-agent "(?i:GrabNet)" stayout=1
SetEnvIf user-agent "(?i:Grafula)" stayout=1
SetEnvIf user-agent "(?i:HMView)" stayout=1
SetEnvIf user-agent "(?i:HTTP::Lite)" stayout=1
SetEnvIf user-agent "(?i:HTTrack)" stayout=1
SetEnvIf user-agent "(?i:IDBot)" stayout=1
SetEnvIf user-agent "(?i:IRLbot)" stayout=1
SetEnvIf user-agent "(?i:ISC Systems iRc Search 2.1)" stayout=1
SetEnvIf user-agent "(?i:Image Stripper)" stayout=1
SetEnvIf user-agent "(?i:Image Sucker)" stayout=1
SetEnvIf user-agent "(?i:Indy Library)" stayout=1
SetEnvIf user-agent "(?i:InterGET)" stayout=1
SetEnvIf user-agent "(?i:Internet Ninja)" stayout=1
SetEnvIf user-agent "(?i:InternetSeer.com)" stayout=1
SetEnvIf user-agent "(?i:JOC Web Spider)" stayout=1
SetEnvIf user-agent "(?i:Java)" stayout=1
SetEnvIf user-agent "(?i:JetCar)" stayout=1
SetEnvIf user-agent "(?i:LeechFTP)" stayout=1
SetEnvIf user-agent "(?i:LinkedInBot)" stayout=1
SetEnvIf user-agent "(?i:LinksManager.com_bot)" stayout=1
SetEnvIf user-agent "(?i:MFC_Tear_Sample)" stayout=1
SetEnvIf user-agent "(?i:MIDown tool)" stayout=1
SetEnvIf user-agent "(?i:MSFrontPage)" stayout=1
SetEnvIf user-agent "(?i:Mass Downloader)" stayout=1
SetEnvIf user-agent "(?i:Maxthon$)" stayout=1
SetEnvIf user-agent "(?i:Microsoft URL Control)" stayout=1
SetEnvIf user-agent "(?i:Missigua Locator)" stayout=1
SetEnvIf user-agent "(?i:Mister PiX)" stayout=1
SetEnvIf user-agent "(?i:MistralAI-User)" stayout=1
SetEnvIf user-agent "(?i:MistralAI-User/1.0)" stayout=1
SetEnvIf user-agent "(?i:NEWT)" stayout=1
SetEnvIf user-agent "(?i:Navroad)" stayout=1
SetEnvIf user-agent "(?i:NearSite)" stayout=1
SetEnvIf user-agent "(?i:Net Vampire)" stayout=1
SetEnvIf user-agent "(?i:NetAnts)" stayout=1
SetEnvIf user-agent "(?i:NetSpider)" stayout=1
SetEnvIf user-agent "(?i:NetZIP)" stayout=1
SetEnvIf user-agent "(?i:OAI-SearchBot)" stayout=1
SetEnvIf user-agent "(?i:Octopus)" stayout=1
SetEnvIf user-agent "(?i:Offline Explorer)" stayout=1
SetEnvIf user-agent "(?i:Offline Navigator)" stayout=1
SetEnvIf user-agent "(?i:PECL::HTTP)" stayout=1
SetEnvIf user-agent "(?i:PHPCrawl)" stayout=1
SetEnvIf user-agent "(?i:PageGrabber)" stayout=1
SetEnvIf user-agent "(?i:Papa Foto)" stayout=1
SetEnvIf user-agent "(?i:PeoplePal)" stayout=1
SetEnvIf user-agent "(?i:Perplexity-User)" stayout=1
SetEnvIf user-agent "(?i:Perplexity-User/1.0)" stayout=1
SetEnvIf user-agent "(?i:PerplexityBot)" stayout=1
SetEnvIf user-agent "(?i:PleaseCrawl)" stayout=1
SetEnvIf user-agent "(?i:ReGet)" stayout=1
SetEnvIf user-agent "(?i:RealDownload)" stayout=1
SetEnvIf user-agent "(?i:Rippers 0)" stayout=1
SetEnvIf user-agent "(?i:SBIder)" stayout=1
SetEnvIf user-agent "(?i:SeaMonkey$)" stayout=1
SetEnvIf user-agent "(?i:SiteSnagger)" stayout=1
SetEnvIf user-agent "(?i:SmartDownload)" stayout=1
SetEnvIf user-agent "(?i:Snoopy)" stayout=1
SetEnvIf user-agent "(?i:Steeler)" stayout=1
SetEnvIf user-agent "(?i:SuperBot)" stayout=1
SetEnvIf user-agent "(?i:SuperHTTP)" stayout=1
SetEnvIf user-agent "(?i:Surfbot)" stayout=1
SetEnvIf user-agent "(?i:Teleport Pro)" stayout=1
SetEnvIf user-agent "(?i:TimpiBot)" stayout=1
SetEnvIf user-agent "(?i:Toata dragostea mea pentru diavola)" stayout=1
SetEnvIf user-agent "(?i:TurnitinBot)" stayout=1
SetEnvIf user-agent "(?i:URI::Fetch)" stayout=1
SetEnvIf user-agent "(?i:VoidEYE)" stayout=1
SetEnvIf user-agent "(?i:WEP Search)" stayout=1
SetEnvIf user-agent "(?i:WWW-Mechanize)" stayout=1
SetEnvIf user-agent "(?i:WWWOFFLE)" stayout=1
SetEnvIf user-agent "(?i:Web Image Collector)" stayout=1
SetEnvIf user-agent "(?i:Web Sucker)" stayout=1
SetEnvIf user-agent "(?i:WebAuto)" stayout=1
SetEnvIf user-agent "(?i:WebBandit)" stayout=1
SetEnvIf user-agent "(?i:WebCollage)" stayout=1
SetEnvIf user-agent "(?i:WebCopier)" stayout=1
SetEnvIf user-agent "(?i:WebFetch)" stayout=1
SetEnvIf user-agent "(?i:WebGo IS)" stayout=1
SetEnvIf user-agent "(?i:WebLeacher)" stayout=1
SetEnvIf user-agent "(?i:WebReaper)" stayout=1
SetEnvIf user-agent "(?i:WebSauger)" stayout=1
SetEnvIf user-agent "(?i:WebStripper)" stayout=1
SetEnvIf user-agent "(?i:WebWhacker)" stayout=1
SetEnvIf user-agent "(?i:WebZIP)" stayout=1
SetEnvIf user-agent "(?i:Website Quester)" stayout=1
SetEnvIf user-agent "(?i:Website eXtractor)" stayout=1
SetEnvIf user-agent "(?i:Wells Search II)" stayout=1
SetEnvIf user-agent "(?i:Wget)" stayout=1
SetEnvIf user-agent "(?i:Widow)" stayout=1
SetEnvIf user-agent "(?i:Xaldon WebSpider)" stayout=1
SetEnvIf user-agent "(?i:Yandex)" stayout=1
SetEnvIf user-agent "(?i:YouBot)" stayout=1
SetEnvIf user-agent "(?i:Zeus)" stayout=1
SetEnvIf user-agent "(?i:ZyBorg)" stayout=1
SetEnvIf user-agent "(?i:binlar)" stayout=1
SetEnvIf user-agent "(?i:casper)" stayout=1
SetEnvIf user-agent "(?i:checkprivacy)" stayout=1
SetEnvIf user-agent "(?i:claude-web)" stayout=1
SetEnvIf user-agent "(?i:clshttp)" stayout=1
SetEnvIf user-agent "(?i:cmsworldmap)" stayout=1
SetEnvIf user-agent "(?i:cohere-ai)" stayout=1
SetEnvIf user-agent "(?i:comodo)" stayout=1
SetEnvIf user-agent "(?i:diavol)" stayout=1
SetEnvIf user-agent "(?i:discobot)" stayout=1
SetEnvIf user-agent "(?i:dotbot)" stayout=1
SetEnvIf user-agent "(?i:eCatch)" stayout=1
SetEnvIf user-agent "(?i:ecxi)" stayout=1
SetEnvIf user-agent "(?i:extract)" stayout=1
SetEnvIf user-agent "(?i:feedfinder)" stayout=1
SetEnvIf user-agent "(?i:flicky)" stayout=1
SetEnvIf user-agent "(?i:grab)" stayout=1
SetEnvIf user-agent "(?i:harvest)" stayout=1
SetEnvIf user-agent "(?i:heritrix)" stayout=1
SetEnvIf user-agent "(?i:ia_archiver)" stayout=1
SetEnvIf user-agent "(?i:id-search)" stayout=1
SetEnvIf user-agent "(?i:id-search.org)" stayout=1
SetEnvIf user-agent "(?i:jakarta)" stayout=1
SetEnvIf user-agent "(?i:kmccrew)" stayout=1
SetEnvIf user-agent "(?i:larbin)" stayout=1
SetEnvIf user-agent "(?i:libwww)" stayout=1
SetEnvIf user-agent "(?i:libwww-perl)" stayout=1
SetEnvIf user-agent "(?i:linkwalker)" stayout=1
SetEnvIf user-agent "(?i:lwp-trivial)" stayout=1
SetEnvIf user-agent "(?i:meta-externalagent)" stayout=1
SetEnvIf user-agent "(?i:microsoft.url)" stayout=1
SetEnvIf user-agent "(?i:miner)" stayout=1
SetEnvIf user-agent "(?i:nutch)" stayout=1
SetEnvIf user-agent "(?i:omgili)" stayout=1
SetEnvIf user-agent "(?i:panscient.com)" stayout=1
SetEnvIf user-agent "(?i:pavuk)" stayout=1
SetEnvIf user-agent "(?i:pcBrowser)" stayout=1
SetEnvIf user-agent "(?i:planetwork)" stayout=1
SetEnvIf user-agent "(?i:psbot)" stayout=1
SetEnvIf user-agent "(?i:purebot)" stayout=1
SetEnvIf user-agent "(?i:pycurl)" stayout=1
SetEnvIf user-agent "(?i:sitecheck.internetseer.com)" stayout=1
SetEnvIf user-agent "(?i:skygrid)" stayout=1
SetEnvIf user-agent "(?i:sqlmap)" stayout=1
SetEnvIf user-agent "(?i:sucker)" stayout=1
SetEnvIf user-agent "(?i:tAkeOut)" stayout=1
SetEnvIf user-agent "(?i:turnit)" stayout=1
SetEnvIf user-agent "(?i:urllib)" stayout=1
SetEnvIf user-agent "(?i:vikspider)" stayout=1
SetEnvIf user-agent "(?i:webalta)" stayout=1
SetEnvIf user-agent "(?i:webbandit)" stayout=1
SetEnvIf user-agent "(?i:zermelo)" stayout=1
SetEnvIf user-agent "(?i:zmeu)" stayout=1
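## Apache 2.2 syntax
<IfModule !mod_authz_core.c>
deny from env=stayout
</IfModule>
## Apache 2.4 syntax: a negated Require is only valid inside <RequireAll>
<IfModule mod_authz_core.c>
<RequireAll>
Require all granted
Require not env stayout
</RequireAll>
</IfModule>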
##### Common hacking tools and bandwidth hoggers block -- END
##### Automatic compression of resources -- BEGIN
# Automatically serve .css.gz, .css.br, .js.gz or .js.br instead of the original file
# These are versions of the files pre-compressed with GZip or Brotli, respectively
# Serve Brotli compressed CSS files if they exist and the client accepts Brotli.
RewriteCond "%{HTTP:Accept-encoding}" "br"
RewriteCond "%{REQUEST_FILENAME}.br" -s
RewriteRule "^(.*).css" "$1.css.br" [QSA]
# Serve Brotli compressed JS files if they exist and the client accepts Brotli.
RewriteCond "%{HTTP:Accept-encoding}" "br"
RewriteCond "%{REQUEST_FILENAME}.br" -s
RewriteRule "^(.*).js" "$1.js.br" [QSA]
# Serve correct content types, and prevent double compression.
RewriteRule ".css.br$" "-" [T=text/css,E=no-gzip:1,E=no-brotli:1,L]
RewriteRule ".js.br$" "-" [T=text/javascript,E=no-gzip:1,E=no-brotli:1,L]
<FilesMatch "(.js.br|.css.br)$">
# Serve correct encoding type.
Header set Content-Encoding br
# Force proxies to cache gzipped & non-gzipped css/js files separately.
Header append Vary Accept-Encoding
</FilesMatch>
# Serve gzip compressed CSS files if they exist and the client accepts gzip.
RewriteCond "%{HTTP:Accept-encoding}" "gzip"
RewriteCond "%{REQUEST_FILENAME}.gz" -s
RewriteRule "^(.*).css" "$1.css.gz" [QSA]
# Serve gzip compressed JS files if they exist and the client accepts gzip.
RewriteCond "%{HTTP:Accept-encoding}" "gzip"
RewriteCond "%{REQUEST_FILENAME}.gz" -s
RewriteRule "^(.*).js" "$1.js.gz" [QSA]
# Serve correct content types, and prevent mod_filter double gzip.
# Also set it as the last rule to prevent the Front- or Backend protection from preventing access to the .gz file.
RewriteRule ".css.gz$" "-" [T=text/css,E=no-gzip:1,E=no-brotli:1,L]
RewriteRule ".js.gz$" "-" [T=text/javascript,E=no-gzip:1,E=no-brotli:1,L]
<FilesMatch "(.js.gz|.css.gz)$">
# Serve correct encoding type.
Header set Content-Encoding gzip
# Force proxies to cache gzipped & non-gzipped css/js files separately.
Header append Vary Accept-Encoding
</FilesMatch>
## Automatically compress by MIME type using mod_brotli. Takes priority due to better compression ratio.
AddOutputFilterByType BROTLI_COMPRESS text/plain text/xml text/css application/xml application/xhtml+xml application/rss+xml application/javascript application/x-javascript text/javascript image/svg+xml
## Automatically compress by MIME type using mod_filter.
AddOutputFilterByType DEFLATE text/plain text/xml text/css application/xml application/xhtml+xml application/rss+xml application/javascript application/x-javascript text/javascript image/svg+xml
## Fallback to mod_gzip when neither mod_brotli nor mod_filter is available
## The mod_gzip directives are unknown to a server without that module, so they are only read when it is loaded
<IfModule mod_gzip.c>
mod_gzip_on Yes
mod_gzip_dechunk Yes
mod_gzip_keep_workfiles No
mod_gzip_can_negotiate Yes
mod_gzip_add_header_count Yes
mod_gzip_send_vary Yes
mod_gzip_min_http 1000
mod_gzip_minimum_file_size 300
mod_gzip_maximum_file_size 512000
mod_gzip_maximum_inmem_size 60000
mod_gzip_handle_methods GET
mod_gzip_item_include file .(html?|txt|css|js|php|pl|xml|rb|py|svg|scgz)$
mod_gzip_item_include mime ^text/javascript$
mod_gzip_item_include mime ^text/plain$
mod_gzip_item_include mime ^text/xml$
mod_gzip_item_include mime ^text/css$
mod_gzip_item_include mime ^application/xml$
mod_gzip_item_include mime ^application/xhtml+xml$
mod_gzip_item_include mime ^application/rss+xml$
mod_gzip_item_include mime ^application/javascript$
mod_gzip_item_include mime ^application/x-javascript$
mod_gzip_item_include mime ^image/svg+xml$
mod_gzip_item_exclude rspheader ^Content-Encoding:.*gzip.*
mod_gzip_item_include handler ^cgi-script$
mod_gzip_item_include handler ^server-status$
mod_gzip_item_include handler ^server-info$
mod_gzip_item_include handler ^application/x-httpd-php
mod_gzip_item_exclude mime ^image/.*
</IfModule>
##### Automatic compression of resources -- END
## Force GZip compression for mangled Accept-Encoding headers
SetEnvIfNoCase ^(Accept-EncodXng|X-cept-Encoding|X{15}|~{15}|-{15})$ ^((gzip|deflate)\s*,?\s*)+|[X~-]{4,13}$ HAVE_Accept-Encoding
RequestHeader append Accept-Encoding "gzip,deflate" env=HAVE_Accept-Encoding
##### Redirect index.php to / -- BEGIN
RewriteCond %{THE_REQUEST} !^POST
RewriteCond %{THE_REQUEST} ^[A-Z]{3,9} /index.php HTTP/
RewriteRule ^index.php$ / [R=301,L]
##### Redirect index.php to / -- END
##### Redirect non-www to www -- BEGIN
RewriteCond %{HTTP_HOST} !^www. [NC]
RewriteRule ^(.*)$ https://www.%{HTTP_HOST}/$1 [R=301,L]
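##### Redirect non-www to www -- END
##### Force HTTPS for certain pages -- BEGIN
## The RewriteRule lines that belonged to these conditions are missing. Left active, mod_rewrite
## would attach the conditions to the next RewriteRule (the exploit filter that follows), so that
## filter would only apply to plain-HTTP requests. They are commented out for that reason.
# RewriteCond %{HTTPS} !=on
# RewriteCond %{HTTP:X-Forwarded-Proto} !=https
# RewriteCond %{HTTPS} !=on
# RewriteCond %{HTTP:X-Forwarded-Proto} !=https
##### Force HTTPS for certain pages -- END
##### Rewrite rules to block out some common exploits -- BEGIN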
RewriteCond %{QUERY_STRING} proc/self/environ [OR]
RewriteCond %{QUERY_STRING} mosConfig_[a-zA-Z_]{1,21}(=|\%3D) [OR]
RewriteCond %{QUERY_STRING} base64_(en|de)code\(.*\) [OR]
RewriteCond %{QUERY_STRING} (<|%3C).*script.*(>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]
RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2})
RewriteRule .* index.php [F]
##### Rewrite rules to block out some common exploits -- END
##### File injection protection -- BEGIN
RewriteCond %{REQUEST_METHOD} GET
RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=http[s]?:// [OR]
RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=(\.\.//?)+ [OR]
RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=/([a-z0-9_.]//?)+ [NC]
RewriteRule .* - [F]
##### File injection protection -- END
##### Advanced server protection rules exceptions -- BEGIN
RewriteRule ^administrator/components/com_akeeba/restore.php$ - [L]
RewriteRule ^administrator/components/com_akeebabackup/restore.php$ - [L]
RewriteRule ^administrator/components/com_joomlaupdate/restore.php$ - [L]
RewriteRule ^administrator/components/com_joomlaupdate/extract.php$ - [L]
RewriteRule ^components/com_jbusinessdirectory/libraries/staticmaplite/staticmap.php$ - [L]
RewriteRule ^templates/shaper_helixultimate/component.php$ - [L]
RewriteRule ^phpinfo.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !(.php)$
RewriteCond %{REQUEST_FILENAME} -f
RewriteRule ^.well-known/ - [L]
RewriteCond %{REQUEST_FILENAME} !(.php)$
RewriteCond %{REQUEST_FILENAME} -f
RewriteCond %{REQUEST_FILENAME} !(.php)$
RewriteCond %{REQUEST_FILENAME} -f
RewriteRule ^images/ - [L]
RewriteRule ^installation/ - [L]
RewriteRule ^administrator/components/com_sppagebuilder/ - [L]
RewriteRule ^components/com_sppagebuilder/ - [L]
RewriteRule ^administrator/index.php?option=com_sppagebuilder&view=editor&tmpl=component/ - [L]
##### Advanced server protection rules exceptions -- END
##### Advanced server protection -- BEGIN
#### Back-end protection
RewriteRule ^administrator/?$ - [L]
RewriteRule ^administrator/index.(php|html?)$ - [L]
RewriteRule ^administrator/(components|modules|templates)/.*.(7z|CSS|EOT|GIF|JPEG|JPG|JS|PNG|TTF|WEBP|WOFF|WOFF2|avi|bmp|css|doc|docx|eot|flv|gif|htm|html|ico|jp2|jpe|jpe2|jpeg|jpg|js|mov|mp3|mp4|mpeg|mpg|odp|ods|odt|ogg|ogv|pdf|png|ppt|pptx|rar|svg|swf|ttf|txt|wav|webp|woff|woff2|xls|xlsx|xps|xsl|zip)$ - [L,NC]
RewriteRule ^administrator/ - [F]
#### Front-end protection
## Allow limited access to additional TinyMCE plugins' HTML files
RewriteRule ^media/plg_editors_tinymce/js/plugins/.*.(htm|html)$ - [L,NC]
## Allow limited access for certain directories with client-accessible content
RewriteRule ^(components|modules|templates|images|plugins|media|libraries|wtduploads|files)/.*.(7z|CSS|EOT|GIF|JPEG|JPG|JS|PNG|TTF|WEBP|WOFF|WOFF2|avi|bmp|css|doc|docx|eot|flv|gif|htm|html|ico|jp2|jpe|jpe2|jpeg|jpg|js|mov|mp3|mp4|mpeg|mpg|odp|ods|odt|ogg|ogv|pdf|png|ppt|pptx|rar|svg|swf|ttf|txt|wav|webp|woff|woff2|xls|xlsx|xps|xsl|zip)$ - [L,NC]
RewriteRule ^(components|modules|templates|images|plugins|media|libraries|wtduploads|files)/ - [F]
## Disallow front-end access for certain Joomla! system directories (unless access to their files is allowed above)
RewriteRule ^includes/js/ - [L]
RewriteRule ^(cache|includes|language|logs|log|tmp)/ - [F]
RewriteRule ^(configuration.php|CONTRIBUTING.md|htaccess.txt|joomla.xml|LICENSE.txt|phpunit.xml|README.txt|web.config.txt) - [F]
## Explicitly allow access to the site's index.php main entry point file
RewriteRule ^index.php(/.*){0,1}$ - [L]
## Explicitly allow access to the API application's index.php main entry point file
RewriteRule ^api/index.php(/.*){0,1}$ - [L]
## Explicitly allow access to the site's robots.txt file
RewriteRule ^robots.txt$ - [L]
## Disallow access to all other PHP files throughout the site, unless they are explicitly allowed
RewriteCond %{REQUEST_FILENAME} (.php)$
RewriteCond %{REQUEST_FILENAME} -f
RewriteRule (.*.php)$ - [F]
## Disallow access to htaccess.txt, php.ini, .user.ini and configuration.php-dist
RewriteRule ^(htaccess.txt|configuration.php-dist|php.ini|.user.ini)$ - [F]
# Disallow access to all other front-end folders
RewriteCond %{REQUEST_FILENAME} -d
RewriteCond %{REQUEST_URI} !^/
RewriteRule .* - [F]
# Disallow access to all other front-end files
RewriteCond %{REQUEST_FILENAME} -f
RewriteRule !^index.php$ - [F]
## Protect against clickjacking
Header always set X-Frame-Options SAMEORIGIN
# The `X-Frame-Options` response header should be sent only for
# HTML documents and not for the other resources.
<FilesMatch ".(appcache|atom|bbaw|bmp|crx|css|cur|eot|f4[abpv]|flv|geojson|gif|htc|ico|jpe?g|js|json(ld)?|m4[av]|manifest|map|mp4|oex|og[agv]|opus|otf|pdf|png|rdf|rss|safariextz|svgz?|swf|topojson|tt[cf]|txt|vcard|vcf|vtt|webapp|web[mp]|woff2?|xloc|xml|xpi)$">
Header unset X-Frame-Options
</FilesMatch>
## Reduce MIME type security risks
Header set X-Content-Type-Options "nosniff"
## Reflected XSS prevention
Header set X-XSS-Protection "1; mode=block"
# mod_headers cannot match based on the content-type, however,
# the X-XSS-Protection response header should be sent only for
# HTML documents and not for the other resources.
<FilesMatch ".(appcache|atom|bbaw|bmp|crx|css|cur|eot|f4[abpv]|flv|geojson|gif|htc|ico|jpe?g|js|json(ld)?|m4[av]|manifest|map|mp4|oex|og[agv]|opus|otf|pdf|png|rdf|rss|safariextz|svgz?|swf|topojson|tt[cf]|txt|vcard|vcf|vtt|webapp|web[mp]|webmanifest|woff2?|xloc|xml|xpi)$">
Header unset X-XSS-Protection
</FilesMatch>
## Neutralize scripts in SVG files
<FilesMatch ".svg$">
Header always set Content-Security-Policy "script-src 'none'"
</FilesMatch>
## Remove Apache and PHP version signature
Header always unset X-Powered-By
Header always unset X-Content-Powered-By
ServerSignature Off
##### Advanced server protection -- END
## HSTS Header - See http://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security
SetEnvIfExpr "%{HTTPS}='on'" USE_HSTS_HEADER
SetEnvIf X-Forwarded-Proto "https" USE_HSTS_HEADER
Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" env=USE_HSTS_HEADER
## Disable HTTP methods TRACE and TRACK (protect against XST)
RewriteCond %{REQUEST_METHOD} ^TRACE
RewriteRule ^ - [R=405,L]
## Referrer-policy
Header always set Referrer-Policy "strict-origin-when-cross-origin"
## Set the UTF-8 character set as the default
# Serve all resources labeled as `text/html` or `text/plain`
# with the media type `charset` parameter set to `UTF-8`.
AddDefaultCharset utf-8
# Serve the following file types with the media type `charset`
# parameter set to `UTF-8`.
#
# https://httpd.apache.org/docs/current/mod/mod_mime.html#addcharset
AddCharset utf-8 .atom .bbaw .css .geojson .js .json .jsonld .rdf .rss .topojson .vtt .webapp .xloc .xml
##### Joomla! core SEF Section -- BEGIN
# -- SEF URLs for the API application
RewriteCond %{REQUEST_URI} ^/api/
RewriteCond %{REQUEST_URI} !^/api/index.php
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule .* api/index.php [L]
# -- SEF URLs for the public frontend application
##### Joomla! core SEF Section -- BEGIN
RewriteCond %{REQUEST_URI} !^/index.php
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule .* index.php [L]
##### Joomla! core SEF Section -- END
RewriteCond %{HTTP_USER_AGENT} SemrushBot [NC]
RewriteRule .* - [F,L]
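One way to do the traffic check suggested in the reply above before relying on the user-agent block list, as an added example that is not part of the original posts or of Admin Tools. It replays access-log lines against the `SetEnvIf ... stayout=1` patterns and reports which rules fire and which POST requests pass untouched; the log lines, IP addresses, request paths and function names are constructed for illustration, and the Apache "combined" log format is assumed.

```python
import re
from collections import Counter

# Constructed excerpt: a few SetEnvIf lines copied from the .htaccess above.
HTACCESS_RULES = r'''
SetEnvIf user-agent "(?i:BingBot)" stayout=1
SetEnvIf user-agent "(?i:GPTBot)" stayout=1
SetEnvIf user-agent "(?i:Java)" stayout=1
SetEnvIf user-agent "(?i:urllib)" stayout=1
'''

# Constructed access-log lines (Apache "combined" format, documentation IP ranges).
SAMPLE_LOG = r'''
203.0.113.10 - - [07/Aug/2025:15:40:01 +0200] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (compatible; bingbot/2.0; +http://www.bing.com/bingbot.htm)"
203.0.113.11 - - [07/Aug/2025:15:40:02 +0200] "GET /robots.txt HTTP/1.1" 200 120 "-" "Mozilla/5.0 AppleWebKit/537.36 (KHTML, like Gecko; compatible; GPTBot/1.2; +https://openai.com/gptbot)"
192.0.2.44 - - [07/Aug/2025:15:40:03 +0200] "GET /listings HTTP/1.1" 200 2048 "-" "Python-urllib/3.11"
192.0.2.80 - - [07/Aug/2025:15:40:04 +0200] "POST /webhook HTTP/1.1" 200 64 "-" "Apache-HttpClient/4.5.14 (Java/17.0.9)"
198.51.100.7 - - [07/Aug/2025:15:41:10 +0200] "POST /contact HTTP/1.1" 200 900 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.0.0 Safari/537.36"
198.51.100.7 - - [07/Aug/2025:15:41:12 +0200] "POST /contact HTTP/1.1" 200 900 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.0.0 Safari/537.36"
198.51.100.7 - - [07/Aug/2025:15:41:14 +0200] "POST /contact HTTP/1.1" 200 900 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.0.0 Safari/537.36"
198.51.100.23 - - [07/Aug/2025:15:42:00 +0200] "GET /contact HTTP/1.1" 200 4100 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:128.0) Gecko/20100101 Firefox/128.0"
'''

RULE_RE = re.compile(r'^\s*SetEnvIf\s+user-agent\s+"(.+)"\s+stayout=1\s*$', re.I)
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$')


def load_rules(text):
    """Return (pattern_source, compiled_regex) for every stayout rule in the text."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line)
        if m:
            rules.append((m.group(1), re.compile(m.group(1))))
    return rules


def first_match(user_agent, rules):
    """SetEnvIf does an unanchored regex search, so a substring hit is enough."""
    for source, rx in rules:
        if rx.search(user_agent):
            return source
    return None


def audit(log_text, rules):
    """Count hits per rule, and POSTs per client IP that no rule would stop."""
    blocked = Counter()
    passed_posts = Counter()
    for line in log_text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        hit = first_match(m.group("ua"), rules)
        if hit:
            blocked[hit] += 1
        elif m.group("method") == "POST":
            passed_posts[m.group("ip")] += 1
    return blocked, passed_posts


if __name__ == "__main__":
    blocked, passed_posts = audit(SAMPLE_LOG, load_rules(HTACCESS_RULES))
    for pattern, count in blocked.most_common():
        print(f"would block {count:3d} request(s): {pattern}")
    for ip, count in passed_posts.most_common():
        print(f"POSTs not matched by any rule: {count:3d} from {ip}")
```

In the constructed sample the repeated form POSTs carry an ordinary browser user agent and match no `stayout` rule, while the broad `(?i:Java)` pattern also catches a Java HTTP client posting to a webhook, which is the kind of hit to review before keeping a rule.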
The only place it shows up is in the messages in the JBD dashboard - none of them are registered users. I don't even have a message button
Thank you all - trying some plugins now