Black Hats (BH) are always ahead of White Hats (WH) until WH catch up but then the BH find another way.
Hosting on systems where you are not in total control puts you at a disadvantage ... if your provider won't install things like mod_security or mod_evasive.
There are some things that you could do ... that will probably lead to some pain at first ... and won't be 100% ... but better than what you have now ...
Concepts - block/stop as far away from your server as you can and one might have to also block at the network layer (which might require you to upgrade your hosting to a VPS (un-managed).
First, investigate what you can do ... software wise ... research
CloudFlare
Moodle plugin for Multi-Factor
https://moodle.org/plugins/tool_mfa
If you had greater control over your firewall, one could put the peskiest IP addresses or range of IP addresses in a drop zone of the Firewall of your server. That's at the network layer. It also requires you to do more investigation of the IP addresses and range of IP addresses. Example: don't think any of your valid students would be using a browser from a DigitalOcean (DO) Server. If after looking at logs of server you see several coming from DO servers you could block a range of IP addresses that included most DO servers - those bots won't see *anything* of your server (note: they will try proxies at that point).
Above takes time and diligence once you begin. You could eventually get to a point where you only have to work on such stuff once a week!
'SoS', Ken