David Gewirtz Deploys 4,700-Line AI Fix, Deleting 15,069 Accounts in WordPress Spam Attack
Updated · ZDNet · Jul 1
Summary
15,069 of 39,314 user accounts were deleted after David Gewirtz deployed a weekend-built WordPress plugin update that he said stopped a renewed spam attack flooding his site with fake registrations.
39,000-plus accounts and 700,000-plus user-meta records had triggered a hosting-provider warning, after spammers bypassed existing protections and used multiple registration paths to stuff usernames and bios with scam messages.
Claude identified eight flaws—including CAPTCHA-free URL-triggered registrations—and analyzed the database for spam signals; Codex then wrote stronger detection, broader CAPTCHA coverage, and a resumable cleanup tool.
166.8 million tokens powered the coding push, which Gewirtz said added 4,700 lines in two days, mostly on a $20 ChatGPT Plus plan, with testing runs taking about two hours on a local database copy.
The episode underscores how AI tools can sharply compress solo security-response work, even as Gewirtz said both models made serious mistakes that required close human review.