
Imagine your website, a digital home you’ve carefully built and nurtured, suddenly under siege. That’s precisely what happened to my main WordPress site recently, as a relentless spam attack threatened to bring it to its knees. Spammers, leveraging the username field as a carrier for fake domains and cryptocurrency lures like “check balance” or “withdraw funds,” overwhelmed my database, flooding my inbox with thousands of “new user registration” emails.
My existing, commercially purchased security product, which was supposed to be my fortress against such attacks, proved woefully inadequate. With my site’s integrity on the line, I realized it was time to take matters into my own hands. As the developer of a WordPress security plugin, I decided to integrate a robust spam defense directly into my existing tool.
The First Wave: A Quick AI-Powered Fix
My initial response was swift. I fed screenshots of the deluge of spam emails into Codex, OpenAI’s coding agent, and tasked it with generating a mitigation routine. Within moments, Codex delivered the necessary code, which I immediately deployed to my plugin and my own website. The results were astounding: the active attack went completely silent in under an hour.
That initial success, however, was just a temporary reprieve. Spammers, I’ve learned, are relentless. They probe for weaknesses, exploit them, and when met with resistance, they escalate. With AI now likely powering their sophisticated probes, I knew a more permanent solution was needed. Just a few weeks later, the attacks returned with renewed ferocity.
Facing the Onslaught: Database Meltdown & AI Tag Team
The situation quickly escalated. My hosting provider informed me that my site’s database had ballooned to over 39,000 user accounts and more than 700,000 user meta records. Thousands of constant registration bounces were occurring, rendering my user account dashboard unusable. The message from my host was clear: clean up the database or face potential website deactivation.
This dire situation set the stage for an intense weekend battle against spam, where I harnessed the power of two AI titans: Claude Cowork for diagnosis and review, and OpenAI Codex for code generation. While my WordPress security product is technically a Codex project, my current $20/month ChatGPT Plus tier had usage limitations. Given Claude Cowork’s larger usage window, it became the perfect partner for identifying vulnerabilities and strategizing fixes, leaving Codex to focus on what it does best: writing the code.
Unmasking Hidden Vulnerabilities
My first step was to play a high-stakes game of cybersecurity whack-a-mole. Despite having blocked registration pages, detected spammy signals, implemented honeypot fields, validated MX records, and consulted blocklists, the spammers found a way back in. After an hour of manual searching, I turned to Claude Cowork for help.
I explained the problem, and Claude Cowork began meticulously “hammering” on my site. After about 40 minutes, it uncovered several critical flaws. The most significant was that spammers could bypass my CAPTCHA by submitting specific URLs that initiated registration directly. All told, Claude identified eight different exploits that allowed spammers to bypass existing security tests and register accounts.
Next, I fed my exported site database into Claude Cowork, asking it to analyze historical spam accounts. Claude revealed telling signals, including spammers dumping malicious URLs into the bio field instead of the designated URL field. With Claude’s insights, I had a clear roadmap of vulnerabilities and the new features required to fortify my plugin.
Building a Bulletproof Defense with Codex
Armed with Claude’s comprehensive diagnostics, I turned to Codex, still on my $20/month ChatGPT Plus subscription, to implement the fixes. I wanted to see if I could build a complete, robust mitigation using my current tier, avoiding the need for a more expensive upgrade. And it delivered.
Codex helped me build three crucial systems. First, it expanded the range of signals my plugin used to detect spam, making it more intelligent in identifying suspicious activity. Second, I integrated a registration CAPTCHA into every conceivable entry point for user registration, including the standard WordPress form, REST API, XML-RPC, admin-ajax, and custom forms.
Finally, and perhaps most importantly, Codex developed a massive, multi-stage spam account cleanup tool. This tool leverages all the newly enhanced spam detection signals to identify and remove spam accounts. It even features a new user interface section with resumable, browser-driven batch analysis and deletion, capable of tackling databases of any size.
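The three pieces described above (a wider set of spam signals, a check at every registration entry point, and a batch scan of existing accounts) can be sketched in plugin code. The block below is an added example and is not the author's plugin, Codex output, or ZDNet's code. The WordPress hooks it uses (`registration_errors`, `rest_pre_insert_user`, `wp_pre_insert_user_data`, `xmlrpc_enabled`) and the functions `get_users`, `get_user_meta` and `user_can` are real; the `my_*` function names, the lure-phrase list, the domain-suffix pattern and the batch size are assumptions. The detection rules are drawn from the signals the article names: a domain name carried in the username, cryptocurrency lure phrases, and a URL dumped into the bio field rather than the URL field.

```php
<?php
/*
 * Added example (not the plugin's own code). Scores a candidate account for
 * the spam signals the article describes and rejects matches at several
 * registration entry points. Hook names are real WordPress filters; the
 * my_* names, lure list and batch size are assumptions for illustration.
 */

// Lure phrases from the article plus one constructed addition (assumption).
const MY_SPAM_LURE_TERMS = array( 'check balance', 'withdraw funds', 'claim reward' );

/**
 * Return the list of spam signals found for a candidate account.
 * An empty array means nothing fired.
 */
function my_spam_signals( $login, $email, $bio = '' ) {
    $signals  = array();
    $login_lc = strtolower( trim( (string) $login ) );
    $bio_lc   = strtolower( (string) $bio );

    // Username used as a carrier for a (fake) domain name. Suffix list is an assumption.
    if ( preg_match( '/[a-z0-9-]+\.(com|net|org|io|xyz|top|ru)\b/', $login_lc ) ) {
        $signals[] = 'domain_in_username';
    }
    // Lure phrase in the username or the bio.
    foreach ( MY_SPAM_LURE_TERMS as $term ) {
        if ( false !== strpos( $login_lc . ' ' . $bio_lc, $term ) ) {
            $signals[] = 'lure_phrase';
            break;
        }
    }
    // URL in the free-text bio instead of the dedicated URL field.
    if ( preg_match( '#https?://#', $bio_lc ) ) {
        $signals[] = 'url_in_bio';
    }
    // Email domain that cannot receive mail (live DNS lookup, so slow on big scans).
    $at = strrpos( (string) $email, '@' );
    if ( false !== $at ) {
        $domain = substr( $email, $at + 1 );
        if ( ! checkdnsrr( $domain, 'MX' ) && ! checkdnsrr( $domain, 'A' ) ) {
            $signals[] = 'no_mail_domain';
        }
    }
    return $signals;
}

/** Record the block in the PHP error log and build the error the caller returns. */
function my_spam_reject( $signals, $login ) {
    error_log( sprintf( 'registration blocked for "%s": %s', $login, implode( ',', $signals ) ) );
    return new WP_Error( 'spam_registration', 'Registration could not be completed.' );
}

// Entry point 1: the standard wp-login.php?action=register form.
add_filter( 'registration_errors', function ( $errors, $login, $email ) {
    $signals = my_spam_signals( $login, $email );
    if ( $signals ) {
        $errors->merge_from( my_spam_reject( $signals, $login ) );
    }
    return $errors;
}, 10, 3 );

// Entry point 2: REST API (POST /wp/v2/users). Returning a WP_Error aborts the request.
add_filter( 'rest_pre_insert_user', function ( $prepared, $request ) {
    $login   = isset( $prepared->user_login ) ? $prepared->user_login : '';
    $email   = isset( $prepared->user_email ) ? $prepared->user_email : '';
    $bio     = isset( $prepared->description ) ? $prepared->description : '';
    $signals = my_spam_signals( $login, $email, $bio );
    return $signals ? my_spam_reject( $signals, $login ) : $prepared;
}, 10, 2 );

// Entry point 3: the chokepoint every path (XML-RPC, admin-ajax, custom forms)
// reaches, because they all end in wp_insert_user(). Returning an empty array
// makes wp_insert_user() fail with WP_Error('empty_data') instead of creating the user.
add_filter( 'wp_pre_insert_user_data', function ( $data, $update, $user_id, $userdata ) {
    if ( $update ) {
        return $data; // only screen new accounts
    }
    $bio     = isset( $userdata['description'] ) ? $userdata['description'] : '';
    $signals = my_spam_signals( $data['user_login'], $data['user_email'], $bio );
    if ( $signals ) {
        my_spam_reject( $signals, $data['user_login'] );
        return array();
    }
    return $data;
}, 10, 4 );

// Optional: if the site does not use XML-RPC at all, turn that entry point off.
add_filter( 'xmlrpc_enabled', '__return_false' );

/**
 * Cleanup tool: score one batch of existing accounts. The caller stores the
 * offset between requests, which is what makes the scan resumable; the
 * returned map (user ID => signals) is reviewed before any deletion.
 */
function my_scan_user_batch( $offset, $size = 200 ) {
    $flagged = array();
    $users   = get_users( array( 'number' => $size, 'offset' => $offset, 'orderby' => 'ID', 'order' => 'ASC' ) );
    foreach ( $users as $user ) {
        $bio     = get_user_meta( $user->ID, 'description', true );
        $signals = my_spam_signals( $user->user_login, $user->user_email, $bio );
        // Never auto-flag accounts that can publish; a false positive there is costly.
        if ( $signals && ! user_can( $user, 'edit_posts' ) ) {
            $flagged[ $user->ID ] = $signals;
        }
    }
    return $flagged;
}
```

Two design points are worth noting. The `wp_pre_insert_user_data` filter is the one place all registration paths converge, so even if a new entry point is missed by the per-path checks, a spam account still cannot be inserted; the per-path hooks exist to give the user a proper error message before that point. For the cleanup scan, the DNS lookup inside `my_spam_signals` is what makes a full pass over tens of thousands of accounts slow (the article reports about two hours per run when remote lookups are included), so a production tool would cache the per-domain result across the batch rather than repeat it for every account.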
The Weekend Sprint and a Surprise Reset
This was an intensive weekend coding sprint. The clock was ticking, with more spam accounts being created every hour. I was racing against time, not just against the spammers, but also against the possibility of my hosting provider shutting down my server. I pushed Codex hard, so hard that I was cut off twice on Saturday due to usage limits.
However, I discovered a crucial feature: the “Reset usage” option. Each reset granted me about 45 minutes of additional coding time, allowing me to continue building. I used two resets on Saturday, pushing late into the night. Sunday was dedicated to rigorous testing. I moved a copy of my massive database (39,314 user accounts, 723,799 user meta records) to my local development machine and ran the cleanup tool. Each test run, including calls to the remote StopForumSpam clearinghouse, took approximately two hours.
By late Sunday afternoon, I was ready to deploy. The new modules were uploaded to my server, and since then, I haven’t seen any account spam. After running the cleanup process, a staggering 15,069 of 39,314 user accounts were deleted, along with 275,567 of 723,799 user meta records. Not only did this satisfy my hosting provider, but it also made my user account dashboard accessible once more.
I’m genuinely amazed at the amount of work I accomplished with my $20-a-month ChatGPT Plus account, thanks to Codex and Claude Cowork. This experience underscored the incredible power of AI, not just in writing code, but in diagnosing complex problems and providing actionable strategies, proving an invaluable asset in the never-ending battle against online threats.
Source: ZDNet – AI