First of all, I would like to say that this is a common issue and implementation in almost all good e-commerce systems out there, including WooCommerce, JigoShop etc. Here's an example: http://wordpress.org/support/topic/a-lot-of-wc-sessions?replies=14 . Mapping each anonymous customer to a row in your database is unavoidable. If you have 80,000 anonymous hits (spam, bots and real users combined), then invariably, you'll have 80,000+ new rows in your database (unless there's a bug in WPEC that creates 3 user accounts for one anonymous customer, which is unlikely because the majority of our users and all of our test sites don't have this problem).
Prior to WPEC 3.8.9 (if my memory serves right), anonymous customer sessions were recorded in PHP sessions, which are not compatible with a lot of server configurations. So from 3.8.9 we switched from using PHP sessions to storing anonymous customer data in transients, and eventually in user and user meta tables as we're doing now in 3.8.13.
There are a few things I would like to clarify about the situation with customer data:
1. Your site might have more anonymous traffic than your Google Analytics statistics show. The reason is that Google Analytics (and the like) has already filtered out traffic from legitimate as well as spam bots (which could be 5 to 10 times the amount of real organic traffic, we've seen that many on getshopped.org). A better visit count could be obtained by getting the number of unique IPs in your server's access log.
2. Every e-commerce system stores anonymous customer data behind the scenes; they're just not showing it. We're sorry for not hiding all those accounts by default. This will be fixed in the next release.
3. WPEC has a mechanism to filter out as many bots as possible that access your site, so that those will not create new user accounts, but it cannot replace a full-blown spam recognition and protection service. If you have 80,000 anonymous accesses in 4 days, and a lot of them are from spam bots, you need to do something on your server to prevent as many bots as possible. If all those 80,000 visits are by legitimate users, then what you need is a better server to handle that traffic. The size of the database is the least of your worries. Of course I cannot rule out the possibility that you probably have only about 5k anonymous users but somehow 80k accounts are generated, in which case, please email me at email@example.com and I will help you verify whether this is indeed the case.
4. The leading e-commerce plugins such as WooCommerce, Jigoshop and WP e-Commerce in version 3.8.12 all use transients to store customer data (hence, threads like this: http://wordpress.org/support/topic/a-lot-of-wc-sessions?replies=14). What this means is, if you have 80k anonymous hits in 4 days, this would be blown into 160k transient rows in your options table. This could be a performance issue when you have a lot of anonymous customers. As a result, in 3.8.13 we migrated to using user accounts and user meta, which is a more viable option. The anonymous customer data has to go somewhere, and the user & user meta tables are the "less bad" place for them. We just need to hide all those ugly anonymous users from your admin UI so that you're not inconvenienced by them.
5. If your cron job is not being run and anonymous user accounts older than 2 days are still there, this could mean a further issue with your server's firewall or caching system blocking the cron job request (mod_sec could sometimes be troublesome).
So what I would advise you to do if you have a lot of user accounts created in a short amount of time:
1. Edit your wp-config.php file, add this line below your database configuration:
define( 'WPSC_CUSTOMER_DATA_EXPIRATION', 12 * 3600 );
What this line does is instruct WPEC to clear anonymous accounts that have been around for more than 12 hours. Modify the number 12 above to what you deem appropriate.
2. If you find this step complicated, shoot an email to firstname.lastname@example.org along with SSH access to your server and I'm happy to personally help you do this, or point you to our support staff who can: verify the anonymous traffic you have on your site. Don't rely on Google Analytics alone because that analytics would already filter out the number of legitimate as well as spam bots. Take a look at your server's access log and you'll have a better estimate of the traffic you're handling by filtering out the number of unique IP addresses in the last 48 hours (or 12 hours if you follow step 1, which is setting the expiration constant in wp-config.php). Then compare the number of unique IP addresses in your access log with the number of your anonymous user accounts. If the ratio is a lot more than 1 : 1 then this could mean it's a bug in WPEC. Otherwise, you need to set up another layer of spam bot protection (mod_sec is a great solution).
3. Make sure cron jobs are not being blocked and are run at the correct interval. Install the debug bar plugin, then install this to take a look at your cron schedule:
4. If indeed all of these IP addresses are legitimate customers, and you're concerned about the size of your user table, there are a lot of ways to mitigate this load, such as using memcached / APC, using hyperdb and separating your user table to another server etc. You have to do this anyways if you want to scale no matter what e-commerce system you use.
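
The access-log comparison described in step 2 above, as an added example that is not part of the original post and is not WPEC code. It assumes an Apache/Nginx "combined" format log; the sample lines, the bot user-agent pattern and the function names are constructed for illustration, and the anonymous account count is a number you supply from your own users table.

```python
import re
from datetime import datetime, timedelta, timezone

# Combined log format: ip ident user [time] "request" status size "referer" "user-agent"
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?:[^"\\]|\\.)*" \d{3} \S+ '
    r'"(?:[^"\\]|\\.)*" "(?P<ua>(?:[^"\\]|\\.)*)"'
)
# Assumption: crude heuristic that only catches bots which identify themselves.
BOT_UA_RE = re.compile(r"bot|crawl|spider|slurp", re.IGNORECASE)

def summarize(lines, now, window_hours=48):
    """Count unique client IPs seen in the last `window_hours` before `now`."""
    cutoff = now - timedelta(hours=window_hours)
    ips, bot_ips, skipped = set(), set(), 0
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            skipped += 1          # malformed line: report it, do not guess
            continue
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        if ts < cutoff or ts > now:
            continue              # outside the expiration window
        ips.add(m["ip"])
        if BOT_UA_RE.search(m["ua"]):
            bot_ips.add(m["ip"])
    return {"unique_ips": len(ips), "bot_ips": len(bot_ips), "skipped": skipped}

def accounts_per_ip(anon_accounts, unique_ips):
    """Ratio of anonymous accounts to unique IPs (the 1 : 1 check in step 2)."""
    return anon_accounts / unique_ips if unique_ips else float("inf")

# Constructed sample input (documentation-range IP addresses).
SAMPLE = [
    '192.0.2.10 - - [10/Mar/2014:09:00:00 +0000] "GET /products-page/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (Windows NT 6.1)"',
    '192.0.2.10 - - [10/Mar/2014:09:00:05 +0000] "GET /checkout/ HTTP/1.1" 200 4096 "-" "Mozilla/5.0 (Windows NT 6.1)"',
    '198.51.100.7 - - [10/Mar/2014:10:30:00 +0000] "GET / HTTP/1.1" 200 2048 "-" "ExampleBot/1.0 (+http://bot.example/)"',
    '203.0.113.5 - - [07/Mar/2014:08:00:00 +0000] "GET / HTTP/1.1" 200 2048 "-" "Mozilla/5.0 (X11; Linux)"',
    "truncated or corrupt line",
]
NOW = datetime(2014, 3, 10, 12, 0, 0, tzinfo=timezone.utc)

if __name__ == "__main__":
    stats = summarize(SAMPLE, NOW)            # use window_hours=12 after step 1
    print(stats, accounts_per_ip(6, stats["unique_ips"]))
```

Feed it the lines of your real access log and set `window_hours` to match WPSC_CUSTOMER_DATA_EXPIRATION; clients behind a shared proxy or NAT appear as one IP, so the ratio is an estimate.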