ChatGPT Rebuilt My Broken Website Plugin In An Hour
My mornings usually start at 5:30 am with a quick check of work emails to ensure no emergencies have cropped up overnight. As someone based in Oregon working with an East Coast team, this early start is a necessity. But one morning in June, I woke up to a figurative fire: my website was in trouble.
My web hosting provider had sent a notice that a critical security plugin had vulnerabilities and was deactivated. Normally, this is a simple fix—I'd just update the plugin. This time, however, there was no update. A visit to the plugin's page on the WordPress repository confirmed the worst: it had been closed and removed due to security issues, including cross-site scripting vulnerabilities.
I immediately disabled the plugin, and the consequences were instantaneous.
What the Broken Plugin Was Protecting
The plugin had one crucial job: stopping registration spam. This is when malicious actors create thousands of fake user accounts on a site, often to gain a foothold for future attacks, clog up servers, and overwhelm site administrators with notifications. The moment I turned off the faulty plugin, a flood of new user registration emails began to pour in.
I searched for a replacement, but most anti-spam tools were broad, comprehensive security suites. I already had other security measures in place; I just needed to block registration spam. Finding no suitable alternative, I decided to have an AI write one for me.
The Power of Open Source
This is where the beauty of open source truly shines. WordPress and its plugins are primarily written in PHP and JavaScript, which are interpreted languages. This means the source code is readily available. Since the plugin was open source, I had the right to access and modify the code, which was still on my server.
While the original developer had stopped supporting it, I had the code and the right to fix it. So, I got to work.
Step 1: Forensic Analysis with AI
My first step was to understand what was wrong with the plugin. I uploaded the plugin's code to a private GitHub repository and gave ChatGPT access to it, utilizing its Deep Research feature. I used the following prompt to guide the AI:
I am the manager of a website that has been receiving spam user registrations. Up until recently, I've relied on a plugin called Stop Spammer Registrations, which is what I'm about to ask you to analyze. Unfortunately, it has been disabled by my hosting provider and the WordPress plugin repository for unspecified security concerns.
I therefore need to build my own plugin that replicates much of the functionality of this blocked plugin. Your job is to go into all of the code and identify the spam protection mechanisms it uses, provide details of how it accomplishes the spam protection, and provide a detailed set of instructions for OpenAI Codex to create a new plugin with similar functionality.
While you're looking at the code, please also identify the security or malware concerns that caused the plugin to be blocked originally.
(Disclosure: Ziff Davis, ZDNET's parent company, filed an April 2025 lawsuit against OpenAI, alleging it infringed Ziff Davis copyrights in training and operating its AI systems.)
Twenty minutes later, ChatGPT delivered a 16-page analysis. It detailed the plugin's functions and, more importantly, its extensive list of vulnerabilities:
- Cross-site request forgery (CSRF) vulnerabilities
- Reflected cross-site scripting (XSS)
- Unauthenticated PHP object injection
- Improper input and output sanitization
- Suspicious code patterns
It was clear that repairing the old plugin was not an option. However, the AI report also provided a step-by-step guide to building a new, secure plugin with similar features.
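As an added illustration (not code from the original plugin, the AI-generated replacement, or the author), this is how a WordPress admin handler is typically written to avoid the vulnerability classes listed above: a capability check and nonce against CSRF, sanitized and validated input, context-aware output escaping against XSS, and JSON instead of unserialize() against object injection. The ehs_* names, the ehs_settings option and the blocked-domains field are hypothetical.

```php
<?php
/**
 * Plugin Name: Hardened Settings Handler (constructed example)
 * All ehs_* names, the option and the form field are hypothetical.
 */
defined( 'ABSPATH' ) || exit; // Refuse direct requests to this file.

add_action( 'admin_menu', function () {
    add_options_page( 'EHS', 'EHS', 'manage_options', 'ehs', 'ehs_render_page' );
} );
// Only admin_post_ is registered (no admin_post_nopriv_), so anonymous requests never reach the handler.
add_action( 'admin_post_ehs_save', 'ehs_handle_save' );

function ehs_handle_save() {
    // Authorization first, then CSRF: the nonce binds the request to this user and action.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Forbidden', '', array( 'response' => 403 ) );
    }
    check_admin_referer( 'ehs_save', 'ehs_nonce' );

    // Input: unslash, sanitize, then keep only lines that validate as hostnames.
    $raw     = isset( $_POST['ehs_blocked_domains'] ) ? wp_unslash( $_POST['ehs_blocked_domains'] ) : '';
    $domains = array();
    foreach ( preg_split( '/\R/', sanitize_textarea_field( $raw ) ) as $line ) {
        $d = strtolower( trim( $line ) );
        if ( '' !== $d && filter_var( $d, FILTER_VALIDATE_DOMAIN, FILTER_FLAG_HOSTNAME ) ) {
            $domains[] = $d;
        }
    }

    // Storage: a JSON string, read back with json_decode(), so request data never reaches unserialize().
    update_option( 'ehs_settings', wp_json_encode( array_values( array_unique( $domains ) ) ) );
    wp_safe_redirect( admin_url( 'options-general.php?page=ehs' ) );
    exit;
}

function ehs_render_page() {
    $saved   = json_decode( (string) get_option( 'ehs_settings', '[]' ), true );
    $domains = is_array( $saved ) ? array_filter( $saved, 'is_string' ) : array();
    echo '<form method="post" action="' . esc_url( admin_url( 'admin-post.php' ) ) . '">';
    echo '<input type="hidden" name="action" value="ehs_save">';
    wp_nonce_field( 'ehs_save', 'ehs_nonce' );
    // Output: escape for the exact context (textarea body) so markup in stored values stays inert.
    echo '<textarea name="ehs_blocked_domains" rows="8">' . esc_textarea( implode( "\n", $domains ) ) . '</textarea>';
    submit_button();
    echo '</form>';
}
```

When reviewing AI-generated plugin code, the same four points make a quick checklist: every state-changing handler has a capability check and a nonce, every request value is sanitized before use, every echoed value is escaped for its context, and no request-derived data is passed to unserialize().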
Step 2: Defining a New, Minimal Specification
The original plugin had more features than I needed. I wanted a minimal, secure version that only handled registration spam. To avoid the AI getting confused by our long conversation, I started a fresh session. This is a pro-tip I've learned: starting fresh helps the AI stay on track. I uploaded the 16-page analysis as a PDF to the new session and provided this prompt:
Given the details in the attached PDF, provide a specification for the development of the simplest set of features for preventing registration spam only. Ignore any options that would require user tuning, or design those options to be fully default choices. Create any admin page specifications by requiring the use of the CMB2 UI tool. Use all WordPress security best practices.
The requirement is that the PDF should be able to be fed to ChatGPT and the result of that document would be a working plugin written by ChatGPT.
The AI produced a concise specification outlining three core spam prevention mechanisms and a list of WordPress security best practices to follow. I had the AI save this new specification as a PDF, preparing for the final step.
Step 3: Generating the Code
With the detailed specification ready, the hard work was done. I started one more fresh session, uploaded the new specification PDF, and gave a simple command:
Please read the attached PDF, follow its specifications, and give me a zip file to download and install.
It took the AI just 21 seconds.
The Result: A Resounding Success
Did it work? Yes, perfectly. I installed the new plugin, and the registration spam immediately stopped, while legitimate user registrations continued without issue. The entire process, from discovering the problem to deploying the AI-generated solution, took about an hour.
This project highlights the incredible synergy between open source and generative AI. By carefully managing the context and breaking the problem into distinct steps—analysis, specification, and generation—I was able to solve a critical real-world problem quickly and effectively. This AI thing might just have its uses after all.