DEV Community

DESIGN-R AI
DESIGN-R AI

Posted on • Originally published at design-r.ai

Code Is Cheap Now. So Are Exploits.

#webdev #security #programming #cybersecurity

There’s never been a better time to build software. AI coding assistants can scaffold a full-stack application in minutes. But here’s what nobody’s talking about at the Fiverr checkout: the same tools that make building cheap also make attacking cheap.

The Supply Chain Problem

Every modern web application is a tower of dependencies. A typical WordPress site runs 15–30 plugins. A React application pulls in hundreds of NPM packages. Each one is a door — and most site owners have no idea how many doors they’ve left unlocked.

When we run security scans for clients, we routinely find:

  • PHP error logs accessible to the public — exposing server usernames, file paths, plugin names, and PHP stack traces. Everything an attacker needs to map your system before they even start trying to break in.
  • Configuration files served as static content — because the web server doesn’t know the difference between your .htaccess and any other text file.
  • Admin usernames exposed via REST APIs — WordPress ships with /wp-json/wp/v2/users/ enabled by default. It hands attackers your username, user ID, and a ready-made target for brute-force attacks.
  • Self-signed or expired SSL certificates — the digital equivalent of a lock with no deadbolt. Browsers warn visitors, search engines penalise you, and attackers know you’re not paying attention.

These aren’t exotic zero-day vulnerabilities. They’re configuration oversights — the kind that every site has until someone checks.

AI Makes This Worse, Not Better

When AI generates code, it optimises for function. It gets the feature working. What it doesn’t do is audit the 200 transitive dependencies it just pulled in, or check whether that helpful WordPress plugin has a known CVE, or verify that your server isn’t leaking error logs to the internet.

The explosion of AI-generated code means:

  • More code deployed by people who aren’t security-aware. The barrier to building is lower, which is genuinely good — but the barrier to building securely hasn’t dropped at all.
  • Faster iteration means less review. When you can rebuild a feature in 10 minutes, nobody’s spending an hour auditing it.
  • Package managers become attack vectors. NPM alone has seen multiple supply chain attacks — typosquatting, dependency confusion, compromised maintainer accounts. When npm install pulls in 400 packages, how many did you actually choose?

What a Security Check Actually Reveals

We recently ran a full penetration test against our own infrastructure — the same kind of scan we offer to clients. Here’s what we found on day one:

  • A 15MB PHP error log publicly accessible on one of our WordPress sites. Fifteen megabytes of stack traces, file paths, and internal configuration, available to anyone with a browser.
  • An admin panel with an SSL certificate that expired in 2020 — five years of drift on a service nobody was actively watching.
  • Technology stack headers announcing exactly which frameworks we were running, giving any attacker a shortcut to the right exploit database.

We fixed all of these within an hour. The scans that found them took nine minutes.

That’s the asymmetry: finding these issues is fast and cheap. Leaving them unfixed is expensive — in reputation, in data, in the trust your customers place in you.

Figure 1: Distribution of 14 security findings from penetration test, March 2026. Two HIGH-severity issues (exposed error logs on two domains) were remediated within 15 minutes. One MEDIUM finding (wp-login restriction) deferred by business decision — accepted risk within tolerance.

The Uncomfortable Truth About “It Works”

Most businesses discover their security posture the hard way: after an incident. A defaced website. A customer data leak. A Google Search Console warning that tanks their organic traffic overnight.

The frustrating part is that the most common vulnerabilities are also the easiest to fix:

Issue
Fix
Time

Error log exposed
Block in server config
5 minutes

Missing security headers
Add to server config
10 minutes

Outdated SSL certificate
Let’s Encrypt (free)
15 minutes

API user enumeration
Disable unused endpoint
5 minutes

Technology stack exposed
Strip headers in proxy
2 minutes

The total time to fix the top five issues we find in a typical scan? Under 40 minutes. The cost of not fixing them? Incalculable — because you don’t know what you don’t know until someone finds it.

Vulnerability Scan Coverage

                    99.94%
                    Clean
Enter fullscreen mode Exit fullscreen mode

6,382
Templates tested

4
Matches found

0
Known CVEs

Figure 2: Nuclei vulnerability scan results against target infrastructure. 6,382 templates tested across web server, application, and network layers. Four configuration matches identified (non-CVE); zero known vulnerabilities. Scan tool: ProjectDiscovery Nuclei.

What to Do About It

If you run a website — especially if it was built by a freelancer, agency, or AI tool — here’s where to start:

  • Ask for a security scan. Not a vague promise that “it’s secure” — an actual scan with findings, evidence, and remediation steps.
  • Check your error logs. Visit yourdomain.com/error_log. If you see PHP errors, so can everyone else.
  • Check your headers. Run your domain through securityheaders.com. Anything below a B needs attention.
  • Review your plugins and dependencies. Remove what you don’t use. Update what you do. Every unused plugin is an unlocked door.
  • Set up monitoring. Security isn’t a one-time event. New vulnerabilities are disclosed daily. What was secure last month might not be secure today.

What Doesn’t Hold Up

In the interest of honesty — and because we think credibility matters more than persuasion — here’s where this argument has limits:

  • Most attacks aren’t sophisticated. The majority of WordPress compromises come from outdated plugins and weak passwords, not from supply chain attacks or AI-generated exploits. The AI angle is real but still emerging. The mundane stuff will get you first.
  • Security scans aren’t penetration tests. An automated scan finds configuration issues and known vulnerabilities. It doesn’t simulate a skilled attacker with patience and creativity. We’re clear about this distinction with our clients — a scan is a health check, not a stress test.
  • Not every business needs the same level of protection. A personal blog and an e-commerce site processing card payments have very different threat models. We’d rather be honest about that than sell everyone the same package.
  • We’re scanning our own infrastructure and reporting it publicly. That takes confidence, but it also means we’re showing you a curated picture. We chose to publish findings we’d already fixed. A truly transparent approach would include the ones we haven’t addressed yet — and we do share those privately with our own team.

The core claim stands: cheap code creates cheap attack surface, and most of it is trivially fixable. But security is a spectrum, not a binary, and no scan eliminates all risk.

Latest Web Vulnerabilities (Live Feed)

  • Loading latest CVEs…

Data from the National Vulnerability Database (NVD). Updated hourly. Source

We Can Help

DESIGN-R offers security health checks for businesses that want to know where they stand. We scan your infrastructure, explain what we find in plain English, and fix the issues we discover.

No jargon. No fear-mongering. Just a clear picture of your security posture and a practical plan to improve it.

Originally published at DESIGN-R Intelligence

Top comments (0)