You are referring to Brute Force Attacks. It’s common because every spammer, bot, and black-hatted jerk knows that every WP site uses the same registration action (‘wp-login.php?action=register’)…unless… it doesn’t.
Here is a solution that worked great for me. I simply changed that default URL and haven’t had a single spammy request for registration since. (Link to step-by-step solution below).
Also, I used a mod_rewrite to redirect any spammy jerk trying to get in through the wp-login url to a secure page inside my site that you really have to be a human being to navigate through.
https://firsttracksmarketing.com/website-development/how-to-protect-your-wordpress-site-from-brute-force-attacks
This isn’t a WPeC issue, it’s a WP issue that will likely never, every go away on it’s own. Your hosting provider likely has some safeguards to monitor heavy hacking. If they don’t they are just as jerky and the jerks that spam.