Yup, I did a standard install.
My first thought was simply being slashdotted, but 24hrs later I’m still getting hammered.
The quick temporary fix was to shut the front door and set the site to “login required”. Which worked, CPU usage dropped from 100% down to 3% within 60 seconds.
As soon as I unlock the front door my /search page is instantly being hammered with rubbish like:
/search?q=dogs+order:latest&page=2
/search?q=cats+order:latest&page=2
/search?q=fly+order:latest&page=2
etc
This happens within 60 seconds of opening the site again.
We’re a small niche group, not sure why anyone would target us with anything 
It’s only an estimate but according to Google Analytics we normally have 8 to 10 active users and this spikes to 1,000+ within seconds of me opening the site back up to the public again. All connections show as coming from various parts of USA, all direct with no referrers.
I’ll leave the site closed to members only for a few days and see if it goes away, or see if I can limit the /search to logged in users only, and if not I’ll probably have to go the cloudflare route.
Thanks everyone 