@ex19 - I am academically technically curious and interested in studying your problem. If you want to let me study your database to see how the spamming was done to make it difficult to delete, send me a PM if interested...
One of the first things I did was override the registration to require that the username field only contain alphanumeric characters (and a few other requirements, like passwords being 6 or more characters, username must be at least 3, things like that). There really isn't any sanity check as it stands.
On your current problem, you don't have to actually go to the user's profile page to delete them. On the member list page, there's a little triangle that appears on the profile icons and it gives you a popup menu of actions you can take, one of which is to delete the user. All the admin options are in red.
As for deleting a group of users, is there something they all have in common that you could search on, say by using some of the elgg_get_entity routines? If you can get an array of the user guids, then do something like this on each one:
    $entity = get_entity($guid); // load the user entity for this guid
    if (($entity) && ($entity->canEdit())) { // entity exists and the current user may modify it
        if ($entity->delete()) { // success on delete
        }
    }
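The registration sanity checks described in the post above, sketched as an added example that is not part of the original post and is not Elgg core code. The function name `example_registration_problems` is hypothetical, the limits are the ones the post states, and wiring it into Elgg's registration flow is left out.

```php
<?php
// Added example, not Elgg core code. The function name is hypothetical and
// the limits are taken from the rules described in the post above.

/**
 * Returns a list of problems with a registration request.
 * An empty list means the request passes these checks.
 */
function example_registration_problems($username, $password) {
    if (!is_string($username) || !is_string($password)) {
        return array('username and password must be strings');
    }

    $problems = array();

    // \A and \z anchor to the true start and end of the string. With ^...$
    // PCRE would also accept "bob\n", because $ matches before a final newline.
    if (!preg_match('/\A[A-Za-z0-9]+\z/', $username)) {
        $problems[] = 'username may only contain letters and digits';
    }
    if (strlen($username) < 3) {
        $problems[] = 'username must be at least 3 characters';
    }
    if (strlen($password) < 6) {
        $problems[] = 'password must be at least 6 characters';
    }
    return $problems;
}

// Constructed sample inputs.
$samples = array(
    array('alice42', 'correct horse'),   // passes
    array('ab', 'longenough'),           // username too short
    array("bob\n", 'longenough'),        // trailing newline, rejected by \z
    array('buy<a href=x>', 'longenough'),// markup characters in the name
    array('carol', '12345'),             // password too short
);
foreach ($samples as $s) {
    list($u, $p) = $s;
    $problems = example_registration_problems($u, $p);
    echo json_encode($u), ' => ', $problems ? implode('; ', $problems) : 'ok', "\n";
}
```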