How I stopped a massive WordPress spam attack with 4,700 lines of code in two days - thanks to Codex and Claude

Screenshot by David Gewirtz/ZDNET



ZDNET's key takeaways

  • Spammers found ways in and flooded my database.
  • Claude and Codex became my emergency coding team.
  • The 4,700-line patch added stronger defenses and cleanup tools.

About a month ago, my main website was on the receiving end of a new attack. Spammers were using the username field as a message carrier, stuffing it with a fake domain and crypto bait such as "check balance," "withdraw funds," "BTC transfer" and "action required." WordPress then helpfully forwarded that payload to me in thousands of "new user registration" emails.


At that time, my server was using a commercially purchased security product that was supposed to protect my WordPress website from registration spam. That product clearly wasn't up to the task.

I'm the developer of a WordPress security plugin that is designed to help users restrict access to their websites. Since the registration spam security product I had been paying for wasn't working, I decided to build a spam protection capability into my existing plugin.


I quickly grabbed copies of my Gmail screen with a few hundred spam emails listed, fed those emails into Codex, and asked it to write a mitigation routine I could live deploy at speed inside my existing tool. Once Codex finished, I deployed the enhanced plugin to users and to my own website.

The problem went from active attack to completely silent in under an hour. That was at the beginning of June. Then, last week, the attacks came roaring back like a lion.

Over the years, I've noticed that spammers tend to escalate. They put out feelers to sites and try to find easy vulnerabilities. If they find one, they exploit it. But once you put in mitigation, the attacks don't go away. They keep probing the site, looking for new ways in. AI, I'm sure, is now being deployed by the bad guys to increase the depth of those probes.


Friday evening, my hosting provider told me my site database had grown to more than 39,000 user accounts with more than 700,000 user meta records. They were seeing thousands of constant registration bounces. I saw them as well, because my inbox and my spam folder were receiving multiple variations at a fairly rapid rate. The user account dashboard was so clogged, you couldn't even load the page.

I was politely informed I needed to clean my database and stop this from happening. The unspoken subtext of the message from my provider was that if I didn't stop the attacks from infecting its database infrastructure, my website would become persona non grata.

This article is about how I spent the weekend using Claude Cowork and OpenAI Codex to fight back against the spam, building far more brutally robust mitigation features into my security product to deploy against the attacks.

Setting the stage

As I mentioned, as a side project, I have a fairly powerful security product that protects WordPress websites. Last year, I used Codex to substantially increase its capabilities.


At the time, I upgraded Codex to the $200-a-month ChatGPT Pro tier. After those add-ons were shipped, I dropped back to the $20-a-month ChatGPT Plus tier. I am actively developing a series of Apple ecosystem products. For that, I'm using Claude Code on the $100-a-month Max tier.

I use both AIs so I can report back to you about them, but I keep each AI out of the other's code. So Codex does the WordPress product, while Claude Code does the Apple products.


Since the attack was on my website, which is protected by the WordPress product, that was a task for Codex. That said, I really didn't want to spend the extra money to sign up for the $100-a-month ChatGPT tier to fix this. So I decided to use Claude Cowork for aspects of the task that didn't involve writing code because it has much more AI capacity and use Codex mainly for code writing.

To say this mix of services worked well would be a huge understatement.

Letting Claude Cowork loose on my website

My fightback began with a cybersecurity game of whack-a-mole. How, exactly, were the bad guys getting in?

I'd blocked the user registration page in my previous mitigation. I'd even detected spammy signals (machine-generated or gibberish usernames and malformed email addresses), plus used honeypot fields to trap bots, blocked registrations without valid MX records, and checked registrations against the StopForumSpam blocklist.

Yet, somehow, the spammers were back in force. I spent an hour or so paging through my site, and couldn't find any weak points. So I decided to deploy an AI.

Technically, the security product belongs to ChatGPT Codex. But because I was on the $20 Plus tier, I didn't want to give it more work than my usage limit would allow. Since Claude had a much larger usage window, I decided that I'd split my effort. I'd use Claude to diagnose and review, and Codex to write my code. As it turned out, this proved to be a heck of a tag team.

I explained the problem to Cowork and set it loose. At first, it wanted an administrative login, but I explained that spammers were finding exploits without admin access. The AI seemed to understand, and then set off to hammer on my site.

After about 40 minutes of chugging, it identified a number of problems. The most pronounced was that although my user registration page had a CAPTCHA, spammers could submit URLs that would initiate registration without requesting a CAPTCHA. That needed to be fixed.


All told, it found 8 different flaws that gave spammers access to registration entries. Even though my security tool was testing submissions, these exploits bypassed those tests.

The next thing I did was export my site database and feed that into Claude Cowork. I told it to glean whatever information it could about identifying spammy accounts and spam practices, based on what historically made it through protections.

Cowork found a bunch of signals that many accounts were spammy. It also noticed that spammers were dumping URLs into the bio field (not the URL field).

Claude helped me identify the vulnerability points on the site, and specified new features to add to the plugin. I then asked Claude to write a prompt for me that I could feed into Codex, so it could implement fixes for the vulnerabilities Claude identified.

On its first draft, Claude screwed up and gave me a prompt that would have resulted in incredibly destructive code. After a careful read-through, I explained the problem to Claude, and it rewrote the prompt. This time it was helpful, not destructive. You must double-check everything the AIs produce, especially prompts for other AIs.

I was ready to turn over the task to Codex.

How far will $20 get you?

Codex, OpenAI's coding agent, is available from within the $20-a-month Plus tier of ChatGPT. In one of my previous coding sessions, I found Codex to be very powerful, but the amount of work it would do was fairly limited without upgrading. Back then, you had to go to the $200-a-month Pro tier (which I did, for a month). Now, there are various upgrade thresholds.

I wanted to see if I could build the entire block of code needed to mitigate the spam attacks, just using my existing ChatGPT Plus subscription.

TL;DR: I did, but barely.


I used Codex to build 3 main systems. First, I added to the signals it would use to detect spam. Second, I added a registration CAPTCHA to every open pathway where something could try to register, including the standard WordPress registration form and other public entry points, such as REST API, XML-RPC, admin-ajax, and custom registration forms.

Finally, I used Codex to add a massive, multi-stage spam account cleanup tool that uses all the spam account signal analysis features to determine whether a user account is spam. This involved adding a whole new user interface section, complete with resumable browser-driven batch analysis and deletion.
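
An added sketch of the offline signal-scoring step behind a cleanup pass like the one described above; it is not code from the author's plugin. Field names follow WordPress's user_login, user_email and the description (bio) user meta key; the regexes, weights, threshold and sample rows are constructed assumptions, and the MX and StopForumSpam lookups are left out so it runs offline.

```python
import re

# Bait wording quoted in the article; extend from your own samples.
BAIT = ("check balance", "withdraw funds", "btc transfer", "action required")
# Constructed, deliberately short TLD list for bare domains (assumption).
URL_RE = re.compile(
    r"(?:https?://|www\.)\S+|\b[a-z0-9-]+\.(?:com|net|org|io|ru|xyz|top)\b", re.I)
EMAIL_RE = re.compile(r"^[^@\s]+@[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+$")
CONSONANT_RUN = re.compile(r"[bcdfghjklmnpqrstvwxz]{5,}")
# Hypothetical weights: username abuse is strong, the rest is supporting.
WEIGHTS = {"domain_in_username": 3, "bait_phrase_in_username": 3,
           "gibberish_username": 1, "malformed_email": 2, "url_in_bio": 2}

def looks_gibberish(login):
    """Crude machine-generated check: mostly digits or a long consonant run."""
    digits = sum(c.isdigit() for c in login)
    if len(login) >= 8 and digits / len(login) > 0.5:
        return True
    return bool(CONSONANT_RUN.search(login.lower()))

def spam_signals(row):
    """Names of the signals that fire for one exported account row."""
    login = row.get("user_login", "")
    checks = [
        ("domain_in_username", bool(URL_RE.search(login))),
        ("bait_phrase_in_username", any(p in login.lower() for p in BAIT)),
        ("gibberish_username", looks_gibberish(login)),
        ("malformed_email", not EMAIL_RE.match(row.get("user_email", ""))),
        # Bio is the 'description' user meta key; a URL there is the tell.
        ("url_in_bio", bool(URL_RE.search(row.get("description", "")))),
    ]
    return [name for name, fired in checks if fired]

def classify(row, threshold=3):
    """Return (verdict, score); 'review' keeps weak hits out of bulk deletion."""
    score = sum(WEIGHTS[s] for s in spam_signals(row))
    verdict = "spam" if score >= threshold else "review" if score else "keep"
    return verdict, score

# Constructed sample rows (not data from the article).
SAMPLE_ROWS = [
    {"user_login": "Action required BTC transfer www.example-pay.test",
     "user_email": "a1@example.test", "description": ""},
    {"user_login": "xkqzvbnt83920175", "user_email": "xkqzvbnt@@mail",
     "description": "cheap loans http://spam.example/x"},
    {"user_login": "bob", "user_email": "bob@example.org",
     "description": "More about me at https://bob.example"},
    {"user_login": "jane.doe", "user_email": "jane@example.org",
     "description": "Gardener and WordPress user."},
]

if __name__ == "__main__":
    for r in SAMPLE_ROWS:
        print(r["user_login"], classify(r), spam_signals(r))
```

Run it on a copy of the export first and inspect the "review" bucket by hand before any deletion stage acts on the "spam" bucket.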

This was a weekend intensive coding push. For every hour this tool went undeployed, more and more user accounts were being created. I was in a race against time to stop it before either the spammers or my hosting provider shut down my server.

I got shut out of Codex twice on Saturday. The first time, I only had to wait a short time for it to reset. I took that as an excuse to have lunch. But the second time was going to be for hours, which I didn't really have. Codex displayed this message:

[Screenshot of the Codex message, by David Gewirtz/ZDNET]

Clicking Upgrade gives you the option to buy more usage credits. But I had no idea how credits related to the amount of work I was asking Codex to do.


Then there was that "Reset usage" option. I hadn't seen that before. I decided to click it to see what happened. Here's the message Codex displayed.

[Screenshot of the Codex reset message, by David Gewirtz/ZDNET]

So I tried it. I hit Reset Usage and was back in Codex, writing more code. I used 2 of those resets on Saturday, pushing hard until it was time to go to sleep. Each reset got me about 45 minutes more coding time.

Sunday was more about testing than coding. Remember, I had more than 39,000 user accounts with more than 700,000 user meta records to remove. I moved a copy of that database from my server to my local development machine and ran my account cleanup tool on it. With the callouts to the remote StopForumSpam account clearinghouse, each test run took about 2 hours.


I used my third reset to get 45 minutes of coding changes after my first account cleanup test run. By the time I was cut off again, I was ready to do another two-hour cleanup run test. That (plus lunch) got me over the mandatory wait time for my final coding push.

By late afternoon on Sunday, I was ready to deploy the new modules to my server. I uploaded the new build. I haven't seen any account spam since then. After running the cleanup process, I deleted 15,069 of 39,314 user accounts. I also deleted 275,567 out of 723,799 user meta records.


Not only did this make my hosting provider happy, it also made it possible to once again access the user account dashboard.

Understanding Codex usage

Let me be very clear. I am amazed at how much work I got done on my $20-a-month ChatGPT Plus account. I was willing to buy more usage credits or do whatever I needed to protect my server, but I didn't have to.


But why? After finishing up the push to get this new release out (and all these features are now going to my users for free), I had time to think about Codex a bit more. What are resets and how do they work? What are usage credits? How much do they buy you?

On June 11, OpenAI rolled out the reset feature in an X post. I was told by an OpenAI spokesperson:

They don't accrue through normal usage and are separate from purchased credits. Eligible Plus and Pro users received 1 free reset when the feature launched. There isn't just 1 reason we grant resets. Sometimes when we're working through a bug. Sometimes, to celebrate a milestone. And other times, they're just for fun! Banked resets generally expire 30 days after they're granted.

Credits, on the other hand, are also kind of unclear. Usage is measured based on tokens, not credits. But usage is sold by credits (and subscriptions), not tokens. Maybe if this stuff were a little clearer, we wouldn't need an AI.

I asked OpenAI, and they suggested I ask Codex. Here are the prompts I used:

Inspect ~/.codex/sessions, total the input, cached-input and output tokens from that coding window, and use the current rate card.

How does that token count compare to the current rate for buying credits?

Codex told me that my entire weekend coding run used 166,806,884 tokens. If I had just paid using API rates, that would have cost $146. Honestly, not at all bad for the amount of work I asked it to do. In terms of credits, Codex estimates I would have used 3,651 credits.

But that was for my entire weekend of work, including the work that came with my ChatGPT Plus plan. Based on my session log, Codex estimates that the ChatGPT short-window allowance was about 500 credits, so I would have needed to buy about 3,100 credits to keep going without waiting.


In that situation, the right idea would have been to upgrade to the $100-a-month Pro tier. Codex provided this estimate:

$100/mo Pro likely gives you about 40K Codex credits per longer usage window, based on your observed Plus usage, but OpenAI does not publicly guarantee that as a fixed credit grant.

To be honest, whether it would have cost an extra 100 bucks or $146, it would have been well worth it. The fact that it didn't, and I accomplished all I did with just my regular $20 plan, is nothing short of amazing.

How amazing is it?

Over the weekend, working with Codex, I added 4,700 lines of code and deleted 170 lines, for a net increase of 4,530 lines across 138 new procedural functions. That doesn't count all the CSS and HTML code, the validation and testing routines, and all of the UI work that was accomplished in the same period.

For a full-time, experienced programmer, this work likely would have taken 25 to 45 engineering days, or as long as 8 weeks. Claude's database analysis work would probably add another 4 to 5 days on top of that.

But I got all of that done over a weekend, as part of the $120 I spend monthly on Claude and ChatGPT. If I had to do it all alone, there would have been no way I could allocate 2 full months to nothing but mitigation coding.


Let me be clear, though. This kind of vibe coding is not sitting back and just letting the AIs do all the work. I'm constantly bouncing back and forth between AIs, working one while the other is thinking. I put in 12 hours on Saturday and at least 8 more on Sunday. My active oversight and involvement was absolutely essential to the process.

During the process, Codex made many errors that needed to be fixed. Claude made 1 mistake that would have nuked my server, and at another point it wasted 3 hours going down the completely wrong rabbit hole, only to discover too late that you couldn't get there from here.

But do not underestimate the work that was accomplished. I produced a massive intervention in a weekend that otherwise would have taken a full-time dedicated programmer months.

There's also a big, intangible benefit. In years past, I've been alone when trying to solve server problems. Often, my servers have been running my own code, and dealing with attacks and issues fell on me to solve. Getting help would have involved a hefty consulting cost. Even if one or more of my friends would have been willing or able to help, getting them up to speed would have taken days.

So I fought off attacks all alone. My wife can attest to how demoralizing and overwhelming that feeling was.

Not this time. This time, I was able to collaborate with my little team of Codex and Cowork. I cannot overstate what a big difference that is. Yes, they can be a bit obtuse. And yes, this wasn't what I planned to do over the weekend. And yes, there was stress because every hour without a solution meant more incursions.


But, in the end, I wasn't alone. I had 2 capable partners who were able to come up to speed in minutes. They helped me diagnose, develop, test, and deploy a massive intervention in 2 days. I asked questions and (mostly) got back constructive, helpful answers.

I asked Claude, "Can you provide a clarifying prompt for Codex?" and asked Codex, "Do you have any analysis assignments you want me to give Claude?" And they did. Both AIs were made aware of the other on the team, and neither offered any pushback because they were competing products.

I know we regularly talk about the job squeeze AI is causing, especially among programmers and writers. But as a solo practitioner who shoulders the entire tech debt load of my small company (and the more than 20,000 server installations for my users), having the help of the AIs was eye-opening, even this far into generative AI.

I'm tired and a bit fried after a very intense weekend, but I came out of this attack experience with a feeling I've never, ever had while managing a cyberattack situation before: it was really fun.

How wild is that? It was really fun.


You can follow my day-to-day project updates on social media. Be sure to subscribe to my weekly update newsletter, and follow me on Twitter/X at @DavidGewirtz, on Facebook at Facebook.com/DavidGewirtz, on Instagram at Instagram.com/DavidGewirtz, on Bluesky at @DavidGewirtz.com, and on YouTube at YouTube.com/DavidGewirtzTV.
