Beware the ‘wp.service.controller’

The pesky wp.service.controller.WCjQy has tried overnight to log in to my blog – again. Think security, bloggers: hacks can happen to anyone.

Cleaning up after hackers have infested your site with whatever is time-consuming and a pain. Though I have learned a lot in the process!

If your host/WP plan allows you to install them, there are a lot of plug-ins that can help:

And use one like Sucuri that sets up email alerts so you know when someone’s tried it: especially, if like me, you neglect a blog for a while, or don’t update it all that often. They have some sound advice here.

Oh, and if you have access to SiteLock… let’s just say my experience of their weekly scans wasn’t a positive one, eh?


The pesky WCjQy (not sure what to call him/her for short!) does keep trying. A new kid in town calls himself superuser19505. That smacks of an inflated ego. They both use multiple IP addresses, unsurprisingly.

Meanwhile, HostGator wanted to bill me about US $30 to renew SiteLock. (Falls about laughing in disbelief).

And the latest trick…

…is to try to log in as one of the two genuine people with admin rights for this website. He/she/they use password-guessing brute-force attacks and either it’s a lot of them, or it’s someone bouncing things round the globe to hide their location (Amsterdam, Berlin, Columbia, Indonesia, Malaysia, Virginia USA…).

Best advice to anyone is to a) to have a very long password, and b) to add security measures to make it harder (ideally impossible) for anyone to crack it.

Given how persistent the attempts on this site are, I won’t go into details that might help them!

Why do they bother?

Some cheering news: it’s getting less worthwhile for hackers to infest innocent websites anyway.

In 2017: “Google cut the number of hacked websites from showing in the search results by 80 percent.”

Google’s full report is here . It’s cheering reading: go Google!