How I stopped a massive WordPress spam attack with 4,700 lines of code in two days — thanks to Codex and Claude

The commercial security plugin I paid for didn't just fail — it spectated. While spammers stuffed my registration forms with crypto bait and fake domains, the "enterprise-grade" protection I'd bought watched thousands of bogus accounts pile up like bodies in a morgue. My hosting provider finally tapped me on the shoulder: 39,000 spam users, 700,000 metadata records, and a database groaning under the weight. Clean it up, they said, or find a new home.

That was Friday evening. By Sunday night, I'd shipped 4,700 lines of brutal mitigation code — written not by me, not alone, but in a furious weekend pairing session with OpenAI's Codex and Anthropic's Claude. The attacks flatlined. The database is clean. The commercial plugin is gone.

The uncomfortable truth about WordPress security

Let's start with the elephant in the room: the WordPress security ecosystem is largely theater. You pay for "premium" plugins that promise fortress walls, but deliver picket fences with better marketing. The product I'd been paying for — I won't name it, but you'd recognize it — had one job: stop registration spam. It couldn't even recognize that "withdraw funds BTC transfer action required" in a username field isn't a legitimate human registering for a newsletter.

This isn't a new problem. It's an old problem wearing a new coat. Spammers have used registration forms as message carriers for years. What's changed is the velocity and variation. The first wave in early June was crude: thousands of near-identical registrations, easy to pattern-match. I fed a few hundred spam emails to Codex, asked for a mitigation routine, deployed it, and watched the noise drop to zero in under an hour. I thought I'd won.

I was naive. Spammers don't quit — they iterate. The second wave, last week, wasdifferent. Distributed. Polymorphic. User agents rotating, IPs cycling, payloads mutating just enough to slip past static rules. They're probing, learning, adapting. And I'm convinced AI is now on their side too — generating variations at scale, testing defenses in real time, finding the seams faster than any human operator could.

The weekend that changed my stack

Friday night, staring at a dashboard that wouldn't even load, I had a choice: nuke the site and restore from backup (losing legitimate users), or build something that could survive the next evolution. I chose the latter.

Here's what 4,700 lines of AI-assisted code buys you in 48 hours: a registration firewall that doesn't just block — it understands. Behavioral analysis that flags the cadence of a bot farm. Honeypot fields that only automation trips. Device fingerprinting that survives IP rotation. A cleanup engine that surgically excises 39,000 spam accounts and their 700,000 orphaned metadata rows without touching a single legitimate user. And a reporting dashboard that lets me watch the attacks bounce off in real time.

I didn't write most of this code. I architected it. I directed it. I said "here's the attack vector, here's the constraint, here's the data structure — give me a solution that deploys on a live production site without downtime." Codex produced the heavy lifting: the database migration scripts, the batch processing logic, the SQL optimization for a shared hosting environment. Claude handled the nuance: the edge cases, the false-positive safeguards, the admin UX that lets non-technical users understand what's happening.

This isn't "vibe coding." This is directed synthesis. The difference matters.

The economics of AI-assisted defense

Last year, I paid $200/month for ChatGPT Pro to build the first major version of this plugin. This year, $20/month for Plus. The capability per dollar has inverted. What cost me weeks of solo development now costs a weekend of directed collaboration.

But here's the kicker: the spammers have access to the same economics. The same tools that let me build 4,700 lines of defense in two days let them generate 47,000 attack variations in two hours. The asymmetry hasn't disappeared — it's just moved up the stack. The battle is no longer "can you write a regex?" It's "can you architect a system that adapts faster than the opposition?"

Commercial WordPress security vendors are in trouble. Their model — static rules, quarterly updates, seat-based licensing — cannot compete with threats that mutate daily and defenders who can rewrite their entire defense layer over a weekend. The moat isn't code anymore. The moat is the feedback loop: telemetry → analysis → deployment → verification, compressing from months to hours.

What this means for you

If you run a WordPress site — any site with public registration, comments, or forms — your commercial security plugin is probably lying to you. Check your user table. Check your metadata. Check your email logs. The spam you see is the spam that got through; the spam you don't see is the spam that succeeded.

You have two paths. Path one: keep paying for theater, hope the next wave isn't the one that gets your site suspended. Path two: accept that defense is now a development activity, not a configuration activity. Learn to direct AI tools. Build your own immune system. The code isn't the hard part anymore — the architecture is. The threat modeling is. The decision to stop outsourcing your survival is.

My site runs on code I didn't write but did direct, deployed on infrastructure I don't own but do control. The attacks still come. They hit a wall that didn't exist on Friday. Next week, they'll find a new angle. And next weekend, I'll teach the wall to move.

That's the job now. Not "secure." Never "secure." Hardening. Continuous, AI-accelerated, architect-directed hardening. The tools are finally good enough to make that feasible. The question is whether you're ready to use them.