OlegMikheev.com

Solving the WordPress Spam Problem: My $0-AI-Built Cardea Plugin

TL;DR: Comment spam on my site was getting out of hand, and existing solutions were either bloated or conflicted with the WordPress ecosystem. So, I used free AI tools to build my own full-blown WordPress anti-spam plugin, Cardea, which is now live in the repository for everyone to use.

If you run a blog, you already know the drill: the moment your site gets any traction, the comment spam starts pouring in. Managing it manually quickly becomes a massive time sink, even when all comments are spam. In February 2026 I received almost 100 spam comments.

Naturally, the first instinct was to search for a dedicated anti-spam plugin. But the current landscape is frustrating. Traditional CAPTCHAs are incredibly irritating for real users: I’m personally sick of identifying traffic lights or distorted letters. Proof of Work (PoW) is the obvious, user-friendly choice: let the visitor’s browser do a little invisible cryptographic math to prove it’s not a bot. Unfortunately, almost every PoW WordPress plugin out there is bloated, packed with unnecessary features, and aggressively upselling premium tiers.

Then there’s Cloudflare. Their Turnstile defense is undeniably good, but recently, they started a new line of business directly competing with WordPress. Following their acquisition moves around the Astro framework, Cloudflare launched a CMS called “EmDash,” explicitly positioning it as the “spiritual successor to WordPress” to peel away market share. Given that aggressive stance against the open-source WP ecosystem, I obviously wasn’t going to rely on their infrastructure for my site.

We live in a new AI world, which opens up entirely new possibilities. Instead of settling for bloated plugins or supporting a competitor, I decided to explore how feasible it was to just produce my own.

For the development environment, I turned to OpenCode, taking advantage of the free MiniMax M2.5 model that comes with it. To orchestrate the build, Gemini acted as my driver. I mapped out the architecture, generated the specific prompts using Gemini, and fed them straight into OpenCode.

The result? OpenCode produced a full-blown, production-ready WordPress plugin from scratch that’s hosted on GitHub with build actions triggered on every push to main. I packaged the SVN structure and submitted it to the official WordPress plugin repository as Cardea. The WordPress plugin directory has a notoriously strict manual evaluation, but Cardea successfully passed the human review in just three weeks, requiring only a single minor comment for adjustment.

Under the hood, the implementation is beautifully straightforward. Cardea intercepts the standard WordPress comment form generation and injects a cryptographic challenge (a nonce and a target difficulty). When a visitor starts typing a comment, a lightweight piece of frontend JavaScript (running in a separate Worker thread) computes SHA-256 hashes until it finds a value that satisfies the target difficulty. The backend accepts the comment only if a valid Proof of Work is attached. Spam bots, which typically submit POST requests directly without executing JavaScript or spending CPU cycles, simply fail the verification and are discarded before they ever touch your database.
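The challenge, solve and verify round trip described above, as an added example written for Node.js so both halves run in one file; it is not Cardea's code, which this post does not show. The `nonce:counter` hash input, the leading-zero-bits difficulty encoding, the HMAC tag and expiry on the challenge, and the in-memory replay set are all assumptions made for illustration.

```javascript
// Added illustration, not Cardea's code. Assumed scheme: a proof is valid when
// SHA-256(nonce + ":" + counter) starts with at least `bits` zero bits.
const { createHash, createHmac, randomBytes, timingSafeEqual } = require('node:crypto');

const SECRET = randomBytes(32);   // server-side signing key (constructed for the demo)
const spent = new Set();          // nonces already redeemed (replay guard, in memory)

function leadingZeroBits(buf) {
  let n = 0;
  for (const byte of buf) {
    if (byte === 0) { n += 8; continue; }
    return n + Math.clz32(byte) - 24;  // clz32 counts over 32 bits; a byte uses the low 8
  }
  return n;
}

const hashOf = (nonce, counter) =>
  createHash('sha256').update(`${nonce}:${counter}`).digest();

// The tag binds nonce, difficulty and expiry so the client cannot alter them.
const sign = (nonce, bits, expires) =>
  createHmac('sha256', SECRET).update(`${nonce}|${bits}|${expires}`).digest('hex');

// Server: issued when the comment form is rendered.
function issueChallenge(bits, now = Date.now(), ttlMs = 10 * 60 * 1000) {
  const nonce = randomBytes(16).toString('hex');
  const expires = now + ttlMs;
  return { nonce, bits, expires, tag: sign(nonce, bits, expires) };
}

// Client: the search loop the Worker thread would run.
function solve({ nonce, bits }) {
  for (let counter = 0; ; counter++) {
    if (leadingZeroBits(hashOf(nonce, counter)) >= bits) return counter;
  }
}

// Server: run on the comment POST before anything is stored.
function verify(ch, counter, now = Date.now()) {
  const tag = Buffer.from(String(ch.tag), 'hex');
  const want = Buffer.from(sign(ch.nonce, ch.bits, ch.expires), 'hex');
  if (tag.length !== want.length || !timingSafeEqual(tag, want)) return 'bad-challenge';
  if (now > ch.expires) return 'expired';
  if (!Number.isSafeInteger(counter) || counter < 0) return 'bad-proof';
  if (leadingZeroBits(hashOf(ch.nonce, counter)) < ch.bits) return 'bad-proof';
  if (spent.has(ch.nonce)) return 'replayed';
  spent.add(ch.nonce);
  return 'ok';
}
```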

The biggest takeaway for me wasn’t just solving the spam issue – it was the realization of how accessible software creation has become. With the right AI orchestration, you can build advanced, highly specific, repository-approved tools for exactly $0.

