David Gewirtz Deploys 4,700-Line AI Fix, Deleting 15,069 Accounts in WordPress Spam Attack

1 article · Updated · ZDNet · Jul 1

Summary

  • 15,069 of 39,314 user accounts were deleted after David Gewirtz deployed a weekend-built WordPress plugin update that he said stopped a renewed spam attack flooding his site with fake registrations.
  • 39,000-plus accounts and 700,000-plus user-meta records had triggered a hosting-provider warning, after spammers bypassed existing protections and used multiple registration paths to stuff usernames and bios with scam messages.
  • Claude identified eight flaws—including CAPTCHA-free URL-triggered registrations—and analyzed the database for spam signals; Codex then wrote stronger detection, broader CAPTCHA coverage, and a resumable cleanup tool.
  • 166.8 million tokens powered the coding push, which Gewirtz said added 4,700 lines in two days, mostly on a $20 ChatGPT Plus plan, with test runs taking about two hours on a local copy of the database.
  • The episode underscores how AI tools can sharply compress solo security-response work, even as Gewirtz said both models made serious mistakes that required close human review.

Insights

Is this developer's AI-coded fix a ticking time bomb, given AI's poor record on writing secure code?
When AI writes thousands of lines of code, what is the true cost of human oversight to prevent disaster?
As AI fuels both attacks and defenses, are small businesses trapped in an unwinnable cybersecurity arms race?