How I used ChatGPT to quickly fix a critical open-source plugin – without touching a line of code

I am not a morning person, yet my alarm goes off at 5:30 am every day. This is because the editorial team I work with is on the East Coast, and I’m in Oregon. I do a quick check of email and Slack to make sure nothing is on fire, then settle down to a relaxed first cup of coffee. Once caffeinated, I’m fairly gruntled.

Unfortunately, one day in early June, my website was, at least figuratively, on fire. My hosting provider sent me a notice telling me that one of the plugins that kept the site secure had security vulnerabilities and needed to be deactivated.

Usually, when I receive such a notice, I just go to the plugin page on my site and run an update. This time, there was no update. Worse, when I went to that plugin’s page on the WordPress repository (basically the app store for WordPress plugins), I saw this notice.

[Screenshot: the plugin's page on the WordPress repository showing that the plugin has been closed. Screenshot by David Gewirtz/ZDNET]

That was not a good sign. I did some research and found that the plugin had been listed as having cross-site scripting vulnerabilities, among other things. These vulnerabilities allow malicious users to inject nasty scripts into affected sites. It’s not the sort of thing you take a chance on. I immediately disabled the plugin.

I immediately felt the effects.

What the plugin was protecting

The plugin in question served a very specific purpose on my site: it stopped registration spam. Registration spam is the practice of creating a ton of spurious user accounts on a site.

Spammers or hackers do this for a bunch of reasons, usually to keep a foothold they can use if a future vulnerability is introduced on the site (like a plugin with a cross-site scripting vulnerability), or as a base for later attacks.

The flood of user accounts also ties up the server, spams the site operator's inbox (potentially burying important notifications), increases costs for email lists, and can poison those lists with a lot of failed email addresses.

I don’t know exactly why the spammers were attacking my site, but the minute I turned off the plugin, I started to get a non-stop flood of new user registration notices.

I took a look at the WordPress plugin repo. While there are a great many anti-spam tools, most are very broad-reaching. I have other security tools in place that work fine. I just wanted to block registration spam. I didn’t find a tool that performed just that one function.

So I decided to have an AI write me one.

The power of open source

This is where the power of open source becomes truly apparent.

WordPress and all WordPress plugins are written primarily in PHP and JavaScript. Both of these are interpreted languages, not compiled ones. Interpreted languages are read and executed by the computer at run time, so the source code has to be present for the computer to read. Compiled languages convert the source code into machine code ahead of time, so when the compiled programs are distributed to users' computers, their source code isn't included.

As a condition for inclusion in the plugin repo, all WordPress plugins are required to be distributed in open source form, with a license that permits forking. This means that not only is the source code available, the code is inherently available for anyone to take and modify.

Most of the time that doesn’t happen, because a plugin product is far more than just its code. It’s also all the documentation, supporting assets, and, most importantly, the support from the developer.

But in the case of the stop registration spam plugin I had been using, the developer apparently had stopped supporting it. In early June, the repo blocked users from downloading it — apparently because of its internal security issues.

But I had a copy of the plugin, and therefore all the source code, right on my server. I also had the inherent right to go in, look at the code, and do stuff with it. So I did.

Forensic analysis via Deep Research and ChatGPT’s GitHub link

The first thing I wanted to know was what was wrong with the plugin. I also wanted to understand its functions and structure. But mostly, I really wanted to know what got it banned.

Since the ChatGPT Plus o3 model allows Deep Research to look at a GitHub repo, I uploaded a copy of the flawed plugin into a new private repo and gave ChatGPT access to that repo.

Then I constructed a ChatGPT Deep Research prompt.

I am the manager of a website that has been receiving spam user registrations. Up until recently, I’ve relied on a plugin called Stop Spammer Registrations, which is what I’m about to ask you to analyze. Unfortunately, it has been disabled by my hosting provider and the WordPress plugin repository for unspecified security concerns.

I therefore need to build my own plugin that replicates much of the functionality of this blocked plugin. Your job is to go into all of the code and identify the spam protection mechanisms it uses, provide details of how it accomplishes the spam protection, and provide a detailed set of instructions for OpenAI Codex to create a new plugin with similar functionality.

While you’re looking at the code, please also identify the security or malware concerns that caused the plugin to be blocked originally.

(Disclosure: Ziff Davis, ZDNET’s parent company, filed an April 2025 lawsuit against OpenAI, alleging it infringed Ziff Davis copyrights in training and operating its AI systems.)

I let Deep Research go to work. Twenty minutes later, it returned a 16-page analysis describing everything I wanted to know about the plugin.

Although the plugin used a wide variety of techniques to block registration spam, the analysis concluded, “These vulnerabilities could allow attackers to undermine a site’s security — ironically using an anti-spam plugin as the entry point.”

It provided an extensive laundry list of vulnerabilities, including:

  • Cross-site request forgery (CSRF) vulnerabilities
  • Reflected cross-site scripting (XSS)
  • Unauthenticated PHP object injection
  • Improper or non-existent input sanitization and validation
  • Improper or non-existent output sanitization (escaping)
  • Suspicious code patterns

For each of these issues (and more), it provided detailed and useful information. Based on the analysis, it was clear that the plugin was not something I was going to debug and repair.

But I didn’t have to. The Deep Research report also provided a detailed, step-by-step guide for producing a similar plugin with equivalent spam protections, along with guidelines for coding it in a secure manner. That, too, was fascinating reading.

Keep in mind this took all of 20 minutes while I got a cup of coffee and ate my lunch of fruit and cottage cheese.

Using o3 to define a new set of specifications

To recap, so far, the AI had provided analysis that explained what went wrong with the original plugin that had been turned off, as well as what it would take to reproduce a plugin that provided all the services of that original plugin without the vulnerabilities. Reading the analysis, I found out that the original plugin provided a lot more features than I had been using, or thought were necessary. I didn’t want to just reproduce the complexity of that work, because that’s part of what went wrong initially. I just wanted basic functionality.

I wanted the AI to create a much more minimal plugin for my site, one that had just the essential spam protections that kept the spammers at bay. So I took that original architectural specification and instructed the AI to give me a new specification for a new, more minimal plugin, but starting with the knowledge already derived from the original implementation.

Keep in mind that I’m still not asking the AI to write code at this point. I’m still asking the AI to describe what code should be written only to block registration spam for my own site.

The ChatGPT Plus o3 model is designed to provide additional reasoning for larger and more complex coding projects.

I wanted to start with a fresh session, so ChatGPT wasn’t polluted by its earlier analysis process. In a previous experience with ChatGPT, I learned the value of starting with a fresh session. ChatGPT has a tendency to go off the rails when sessions go on too long, so starting a new session meant that my prompts would be treated with a clear head.

That said, I did want the o3 model to see the results of the previous Deep Research analysis. So I saved that analysis as a PDF and uploaded it into the new session. That gave me the best of both worlds. The AI had the analysis and details of the failed plugin, but could start creating a new spec from scratch.

After uploading the PDF, I gave it this prompt.

Given the details in the attached PDF, provide a specification for the development of the simplest set of features for preventing registration spam only. Ignore any options that would require user tuning, or design those options to be fully default choices. Create any admin page specifications by requiring the use of the CMB2 UI tool. Use all WordPress security best practices.

The requirement is that the PDF should be able to be fed to ChatGPT and the result of that document would be a working plugin written by ChatGPT.

The AI went off and created a simple set of specifications. Of note, it identified three basic spam prevention mechanisms:

  1. A hidden “honeypot” form field. If this field was filled in, it would imply the form was filled programmatically, most likely a bot.
  2. An API lookup to a free service that aggregates forum spam information. This checks to see if the user name or IP address is suspicious.
  3. An MX (mail exchange) record check, to see if the domain being registered actually exists.

It also specified a list of WordPress plugin best practices that were to be followed:

  1. Guard every file with defined( 'ABSPATH' ) || exit;.
  2. Escape all admin-facing text with esc_html().
  3. Wrap the clear-log action in check_admin_referer( 'rsg_clear_log' ).
  4. Use wp_remote_get() with [ 'timeout' => 5 ]; on WP_Error treat as not spam (fail-open).
  5. Never call eval(), unserialize(), or store base64 blobs (mitigates CVEs noted in original plugin).
  6. Adhere to WordPress coding standards (spacing, naming, i18n).
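The three mechanisms and the best-practice list above, wired together as an added illustrative example written for this edit (not the plugin ChatGPT produced for the article): a single-file WordPress plugin that hooks the honeypot, the MX check and a fail-open remote reputation lookup into the registration_errors filter. The StopForumSpam endpoint and the rsg_ prefix are my assumptions; the article names neither.

```php
<?php
/**
 * Plugin Name: Minimal Registration Spam Guard (illustrative example, not the article's plugin)
 */
defined( 'ABSPATH' ) || exit; // Best practice 1: no direct execution of the file.

// Mechanism 1: honeypot. The field is hidden from humans; a bot that fills every field trips it.
add_action( 'register_form', function () {
    echo '<p style="position:absolute;left:-9999px" aria-hidden="true"><label>Website '
        . '<input type="text" name="rsg_website" value="" tabindex="-1" autocomplete="off"></label></p>';
} );

// Mechanism 2: reputation lookup. Assumes the StopForumSpam JSON API (the article does not name the service).
function rsg_ip_flagged( $ip ) {
    if ( ! filter_var( $ip, FILTER_VALIDATE_IP ) ) {
        return false;
    }
    $url      = 'https://api.stopforumspam.org/api?json&ip=' . rawurlencode( $ip );
    $response = wp_remote_get( $url, array( 'timeout' => 5 ) ); // Best practice 4: short timeout.
    if ( is_wp_error( $response ) ) {
        return false; // Fail open: a lookup outage must never lock out real users.
    }
    $data = json_decode( wp_remote_retrieve_body( $response ), true );
    return ! empty( $data['ip']['appears'] );
}

// Mechanism 3: MX check. Falls back to an A record because some domains receive mail without an MX.
function rsg_domain_accepts_mail( $email ) {
    $domain = substr( strrchr( $email, '@' ), 1 );
    return '' !== $domain && ( checkdnsrr( $domain, 'MX' ) || checkdnsrr( $domain, 'A' ) );
}

add_filter( 'registration_errors', function ( $errors, $login, $email ) {
    // Sanitize raw input before use; escape every string shown to a user.
    $honeypot = isset( $_POST['rsg_website'] ) ? sanitize_text_field( wp_unslash( $_POST['rsg_website'] ) ) : '';
    // Behind a reverse proxy REMOTE_ADDR is the proxy; map the real client address there first.
    $ip = isset( $_SERVER['REMOTE_ADDR'] ) ? sanitize_text_field( wp_unslash( $_SERVER['REMOTE_ADDR'] ) ) : '';

    if ( '' !== $honeypot ) {
        $errors->add( 'rsg_honeypot', esc_html__( 'Registration blocked.', 'rsg' ) );
    } elseif ( ! rsg_domain_accepts_mail( $email ) ) {
        $errors->add( 'rsg_mx', esc_html__( 'That email domain does not accept mail.', 'rsg' ) );
    } elseif ( rsg_ip_flagged( $ip ) ) {
        $errors->add( 'rsg_reputation', esc_html__( 'Registration blocked.', 'rsg' ) );
    }
    return $errors; // Any added error aborts the registration; an empty WP_Error lets it proceed.
}, 10, 3 );
```

The checks run cheapest first, so the remote lookup only happens for submissions that already passed the honeypot and DNS tests.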

By this time, I had become comfortable with the idea of separating sessions and feeding back just the results of a previous session into a new session. So I told ChatGPT:

Give this back to me in a PDF.

It presented me with a link, I downloaded it, and then proceeded to the next step, creating new code.

Producing code

By this point, most of the work had been done. First, I got the AI to analyze the original code that I’d been using to keep my site free of registration spam. Next, from that analysis, I asked the AI to create a minimal spec that would work for my site.

Finally, it was time to upload the specification PDF to o3 and make code. That was a mere matter of this prompt.

Please read the attached PDF, follow its specifications, and give me a zip file to download and install.

It took the AI 21 seconds. Twenty-one seconds.

But did it work?

Yes. Yes it did. And still does. I installed the newly created plugin on my site, and registration spam dropped off. I had no problem with regular new user registrations, either. It just worked. I’ve been running it for about a month now.

It’s important to understand that this project was all about context, not just prompting. I carefully isolated each round of interaction with the AI from previous rounds, so I could carefully control just what the AI used as its starting point.

This practice worked spectacularly well. Rather than having to cajole the AI back on track after it inevitably lost the thread, I just fed it a very carefully prepackaged set of instructions and had it start fresh.

More to the point, a capability I had been relying upon was restored. Essentially, this project took two very powerful “movements,” open source and generative AI, and kitbashed them together.

What happens when you have open source and AI? Pretty much exactly what you want. Given how annoyed I regularly am by the various delusions and stubbornesses of AI chatbots, this approach worked well, and quickly, and fully solved a real-world server management problem.

From end to end, it took about an hour. The new code has been running for a few weeks with no issues. Writing this article took way longer than writing the code the article describes.

This AI thing, it might have its uses.

Have you ever tried using ChatGPT or another AI tool to analyze or rebuild real code? What would you use Deep Research for in your own projects? Do you think this level of automated forensic analysis is something you’ll trust for your production systems? And if you’ve faced plugin failures or security alerts before, how did you handle them? Let us know in the comments below.

Original Source: zdnet