If you're willing to learn, check out CIDRAM at Github, but don't ask me all kinds of questions on how to use it. Use the Github and Gitter channels.
It will block an enormous amount of unsavory traffic. The author is a friend of mine and some of my suggestions made it into the project like an AbuseIPDB module which will use your AbuseIPDB API key to lookup the IP at AbuseIPDB and/or file a report back at AbuseIPDB. CIDRAM also has a Stop Forum Spam module using the SFS database. The massive list of IPs cover many VPNs, etc. And I add to it all the time. CIDRAM is also available as a WordPress plug-in.
Not only do I use CIDRAM, I have 78 pages of ASNs (whole lists of CIDRs) that are blocked in CloudFlare. It's been an ever increasing project for five years now. Depending on the IP, CIDR or ASN, they may be outright blocked, JS checked or Captchaed. ASNs can have a mix of ISP and hosters so you need to know what you are doing least you block legit users. You also need to know how to deploy CloudFlare correctly. I know many ways of getting the origin IP and so do the bad guys if you're not a good Admin. I wrote about how to use CloudFlare properly on my website.
If you want to see a list of CIDRAM's default blocks it's here
. It's in htaccess format and can be massaged in Notepad ++ which I do all the time for my Peerblock list's, but I would NEVER use it in htaccess. Your site won't even run.
In the CIDRAM PHP format, it's extremely fast.
PS: I also block Opera's so-called browser-based "VPN". I just installed Opera and found all of their ASNs. Problem solved.
If I see new shenanigans, they get blocked.