Brief IA

WordPress: A Massive Spam Attack Foiled by AI

💻 Code & Dev·Tom Levy·

WordPress: A Massive Spam Attack Foiled by AI

WordPress: A Massive Spam Attack Foiled by AI
Key Takeaways
1A developer countered a spam attack on his WordPress site in two days by integrating new security measures.
2The attack exploited the username field to flood the site with fake accounts and messages related to cryptocurrency.
3The use of Codex and Claude Cowork helped strengthen the existing security plugin and identify the exploited vulnerabilities.
💡Why it mattersThis intervention demonstrates how AI can be used to enhance website security against evolving threats.
Le brief IA que lisent les pros

Le brief IA que les pros lisent chaque soir

Les 7 actus IA du jour, décryptées en 5 min. Gratuit.

Inclus dès l'inscription : notre sélection des meilleurs guides & comparatifs IA.

Choisis ton rythme

Gratuit · Pas de spam · Désabonnement en 1 clic

📄
Full Analysis

A Targeted Spam Attack on WordPress

About a month ago, my main site was the target of a massive spam attack. Spammers were using the username field as a message vector, filling it with a fake domain and cryptocurrency prompts such as "check balance," "withdraw funds," and "action required." WordPress then forwarded this load to me in thousands of "new user registration" emails.

At that time, my server was using a commercially purchased security product intended to protect my WordPress site from registration spam. This product was clearly not up to the task. I am the developer of a WordPress security plugin designed to help users restrict access to their sites. Since the spam registration security product I was paying for was ineffective, I decided to integrate spam mitigation capabilities into my existing plugin.

Developing the Solution

I quickly took screenshots of my Gmail inbox filled with a few hundred spam emails, fed these emails into Codex, and asked it to write a mitigation routine that I could quickly deploy in my existing tool. Once Codex was finished, I deployed the enhanced plugin to users and on my own site.

The problem went from an active attack to complete silence in less than an hour. This was at the beginning of June. Then, last week, the attacks returned with a vengeance.

Analyzing the Attacks

Over the years, I've noticed that spammers tend to escalate. They send probes to sites to try to find easy vulnerabilities. If they find one, they exploit it. But once you implement a mitigation, the attacks don’t just disappear. They continue probing the site, looking for new ways in. I am sure that AI is now being deployed by criminals to increase the depth of these probes.

My hosting provider informed me that my database had exceeded 39,000 user accounts with over 700,000 user metadata records. They were observing thousands of constant registrations. I also noticed this, as my inbox and spam folder were receiving multiple variations at a fairly rapid pace. The user accounts dashboard was so cluttered that the page couldn't even load.

I was politely informed that I needed to clean up my database and prevent this from happening again. The unspoken subtext of this message was that if I failed to stop the attacks infecting their database infrastructure, my site would become persona non grata.

Setting Up the Defense

This weekend, I used Claude Cowork and OpenAI Codex to combat spam, integrating much more robust mitigation features into my security product to counter the attacks.

As a side project, I have a fairly powerful security product that protects WordPress sites. Last year, I used Codex to significantly enhance its capabilities. At that time, I had upgraded Codex to the Pro level at $200 per month. After shipping these additions, I reverted to the Plus level at $20 per month. I am actively developing a series of products for the Apple ecosystem, for which I am using Claude Code at the Max level at $100 per month.

Diagnosing with Claude Cowork

My struggle began as a game of whack-a-mole in cybersecurity. How, exactly, were the criminals managing to get in? I had blocked the user registration page in my previous mitigation. I had even detected spam signals (machine-generated usernames or gibberish and malformed email addresses), used honeypot fields to trap bots, blocked registrations without valid MX records, and checked registrations against the StopForumSpam blacklist.

Yet, somehow, the spammers were back in force. I spent about an hour combing through my site, finding no weak points. So, I decided to deploy an AI.

I explained the problem to Cowork and let it do its thing. At first, it wanted admin access, but I explained that spammers were finding exploits without admin access. The AI seemed to understand and began examining my site.

After about 40 minutes, it identified several issues. The most pronounced was that although my registration page had a CAPTCHA, spammers could submit URLs that would initiate registration without prompting for a CAPTCHA. This needed to be fixed.

Developing the Fixes

I exported my site database and fed it into Claude Cowork. I asked it to extract any information it could regarding identifying spam accounts and spam practices, based on what had historically managed to slip through the protections.

Cowork found several signals indicating that many accounts were spam. It also noted that spammers were dumping URLs in the bio field (rather than the URL field). Claude helped me identify the vulnerabilities on the site and specified new features to add to the plugin. I then asked Claude to write a prompt that I could pass to Codex to implement the fixes for the identified vulnerabilities.

Using Codex

Codex, OpenAI's coding agent, is available in the $20 per month Plus tier of ChatGPT. In one of my previous coding sessions, I found Codex to be very powerful, but the amount of work it could do was quite limited without an upgrade.

I wanted to see if I could build the entire block of code necessary to mitigate spam attacks, just using my existing ChatGPT Plus subscription. In summary: I succeeded, but barely.

I used Codex to build three main systems:

  • I added additional signals to detect spam.
  • I added a registration CAPTCHA to every open entry point where something could attempt to register, including the standard WordPress registration form and other public entry points, such as REST API, XML-RPC, admin-ajax, and custom registration forms.
  • I used Codex to add a spam account cleanup tool that utilizes all the spam account signal analysis features to determine if a user account is spam.

It was an intensive coding push over the weekend. For every hour this tool remained undeployed, more and more user accounts were being created. I was in a race against time to stop it before the spammers or my hosting provider shut down my server.

Brief IA — L'actualité IA en français

L'essentiel de l'actualité de l'intelligence artificielle, décrypté et expliqué chaque jour.