How I stopped a massive WordPress spam attack with 4,700 lines of code in two days

Summary
– Spammers exploited vulnerabilities in the author’s WordPress website, flooding the database with thousands of fake user accounts and registration emails.
– The author used Claude Cowork to diagnose eight security flaws, including a CAPTCHA bypass, and Codex to write a 4,700-line fix with stronger defenses and a cleanup tool.
– The cleanup process deleted 15,069 of 39,314 user accounts and 275,567 of 723,799 user meta records, restoring site functionality.
– The entire mitigation effort was completed over a weekend using a $20/month ChatGPT Plus plan, utilizing free usage resets to overcome coding limits.
– The author emphasizes that active human oversight was essential, as the AIs made errors, but the collaboration made the crisis manageable and even enjoyable.
About a month ago, my main website came under a fresh wave of spam attacks. Bad actors were weaponizing the WordPress username field, packing it with fake domains and crypto lures like “check balance,” “withdraw funds,” “BTC transfer,” and “action required.” WordPress then dutifully forwarded that junk to me in thousands of “new user registration” emails. The commercial security plugin I was paying to block registration spam failed completely.
I already develop a WordPress security plugin focused on access restrictions. Since the paid tool wasn’t cutting it, I decided to build spam defenses into my own product. I grabbed screenshots of hundreds of spam emails from Gmail, fed them into OpenAI Codex, and asked it to write a mitigation routine I could deploy fast. Within an hour, the active attack went silent. That was early June.
Then, last week, the attacks roared back like a lion.
Spammers escalate over time. They probe for easy vulnerabilities, exploit them, and when you block one path, they keep hunting for another. I suspect AI is now amplifying their probing. On Friday evening, my hosting provider alerted me that my site database had ballooned to over 39,000 user accounts and more than 700,000 user meta records. Thousands of registration bounces were flooding my inbox. The user account dashboard was so clogged it wouldn’t load. The unspoken message was clear: fix this fast, or my site would be kicked off the server.
This article covers how I spent the weekend using Claude Cowork and OpenAI Codex to fight back, building far more aggressive mitigation features into my security plugin.
I use both AIs to report on them, but keep them separate: Codex handles the WordPress product, while Claude Code works on my Apple ecosystem tools. Since the attack hit my WordPress site, that was Codex’s job. But I didn’t want to upgrade from my $20-a-month ChatGPT Plus tier. So I split the work: Claude Cowork for diagnosis and review (it has a much larger usage window), and Codex for writing code. This tag team worked incredibly well.
I explained the problem to Claude Cowork and let it loose on my site. After about 40 minutes, it identified eight different flaws that let spammers bypass my existing tests. The biggest issue: my CAPTCHA was only on the registration page itself, but spammers could submit URLs that triggered registration without requesting a CAPTCHA. I exported my site database and fed it into Claude, asking it to find signals that identified spam accounts. It spotted that spammers were dumping URLs into the bio field, not the URL field. Claude then wrote a prompt for Codex to implement fixes for all the vulnerabilities.
On the first draft, Claude’s prompt would have produced destructive code. I caught it, explained the problem, and it rewrote the prompt correctly. You must double-check everything these AIs produce.
I then turned the project over to Codex. I wanted to see if I could build the entire mitigation using just my $20-a-month ChatGPT Plus subscription. I did, but barely.
Codex built three main systems: enhanced spam detection signals, a registration CAPTCHA on every open pathway (standard form, REST API, XML-RPC, admin-ajax, custom forms), and a massive multi-stage spam account cleanup tool with a new UI section for resumable batch analysis and deletion. Every hour without deployment meant more accounts were created.
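As an added illustration (not code from the author's plugin), here is a Python scoring pass over constructed user rows that encodes the two signals the article names: crypto lure phrases in the username and URLs dumped into the bio field rather than the URL field. The phrase list, weights, threshold and "looks like a domain" pattern are assumptions.

```python
import re
from dataclasses import dataclass, field

# Lure phrases quoted in the article as appearing in spam usernames.
LURE_PHRASES = ("check balance", "withdraw funds", "btc transfer", "action required")
URL_RE = re.compile(r"https?://\S+|\bwww\.\S+", re.I)
# Loose "looks like a domain" pattern for the username field (assumption: no TLD list).
DOMAIN_RE = re.compile(r"\b[a-z0-9-]+\.[a-z]{2,}\b", re.I)


@dataclass
class Verdict:
    user_login: str
    score: int
    reasons: list = field(default_factory=list)


def score_user(user):
    """Score one exported user row (dict with user_login, user_url, description)."""
    login = user.get("user_login", "")
    bio = user.get("description", "")  # WordPress stores the bio as the 'description' meta
    v = Verdict(login, 0)
    # Normalise separators so "Withdraw_Funds" and "withdraw-funds" both read as words.
    norm = re.sub(r"[_\-.]+", " ", login).lower()
    for phrase in LURE_PHRASES:
        if phrase in norm:
            v.score += 2
            v.reasons.append(f"lure phrase in username: {phrase!r}")
            break
    if DOMAIN_RE.search(login):
        v.score += 1  # weak signal on its own: "john.smith" also matches
        v.reasons.append("domain-like token in username")
    if URL_RE.search(bio):
        v.score += 2  # the article's key finding: URLs in the bio, not the URL field
        v.reasons.append("URL in bio field")
    return v


def flag_spam(users, threshold=2):
    """Return verdicts for rows at or above the (assumed) threshold."""
    return [v for v in map(score_user, users) if v.score >= threshold]


# Constructed sample rows, not real exported data.
SAMPLE_USERS = [
    {"user_login": "john.smith", "user_url": "https://example.com", "description": "Gardener and home cook."},
    {"user_login": "Withdraw_Funds_now", "user_url": "", "description": "Claim here https://example.net/btc"},
    {"user_login": "action-required.example", "user_url": "", "description": ""},
    {"user_login": "maria", "user_url": "", "description": "I write about tea."},
]

if __name__ == "__main__":
    for v in flag_spam(SAMPLE_USERS):
        print(v.user_login, v.score, "; ".join(v.reasons))
```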
I got shut out of Codex twice on Saturday. The first time, I waited a short while and had lunch. The second time, the wait was hours. I clicked a “Reset usage” option I hadn’t seen before, and it worked. Each reset gave me about 45 more minutes of coding. I used two resets on Saturday. Sunday was mostly testing. I moved a copy of the database to my local machine and ran the cleanup tool. Each test run took about two hours due to remote checks against StopForumSpam. I used a third reset after the first test run, and by late afternoon Sunday, I deployed the new modules. I haven’t seen any account spam since. I deleted 15,069 of 39,314 user accounts and 275,567 of 723,799 user meta records.
I asked Codex to analyze my usage. It estimated my entire weekend run used 166,806,884 tokens, which at API rates would cost about $146. In credits, that’s roughly 3,651. My Plus plan covered about 500 credits in a short window, so I would have needed to buy about 3,100 credits. OpenAI later clarified that upgrading to the $100 Pro tier would have been an $80 increase and would likely have given me enough capacity. Either way, it was well worth it.
Over the weekend, I added 4,700 lines of code and deleted 170, for a net gain of 4,530 lines across 138 new functions. That doesn’t count CSS, HTML, validation, or UI work. A full-time programmer would likely have taken 25 to 45 engineering days. Claude’s database analysis would have added another four or five days. I got it all done in a weekend for my $120 monthly subscription.
This wasn’t passive “vibe coding.” I put in 12 hours Saturday and eight Sunday, constantly bouncing between AIs, fixing errors, and steering the work. Codex made numerous mistakes. Claude wasted three hours on a rabbit hole that led nowhere. But I wasn’t alone. For the first time in a cyberattack crisis, I had capable partners who came up to speed in minutes. They helped me diagnose, develop, test, and deploy a massive intervention in two days. I asked both AIs to give each other assignments, and they did, without any pushback over being competing products.
I know AI is compressing jobs, especially for programmers. But as a solo developer shouldering the tech debt for my tiny company and over 20,000 server installations, having this help was eye-opening. I came out of this attack feeling something I’ve never felt before during a cyber crisis: it was actually fun.
(Source: ZDNet)