Taobao Selling Trick Makes Its Way To eBay

Going to do something a little different. I’m going to share a little-known tactic used by Taobao sellers to gain sales. If you’ve never heard of Taobao, you should, as Alibaba, their parent company, just recently went public. Taobao is the eBay equivalent in China. Having used it a couple of times when I stayed in China, it’s pretty much the same deal. If you’re a seller starting out on Taobao, there are two things you could do. These are just tactics I’ve heard from fellow Taobao store owners and there could be more.

1. Sell your goods at a severe discount, like 80% off, practically giving it away, in order to generate buzz and sales and ultimately, reviews. Most Taobao sellers do this as they take a loss initially to build their store and ratings. This is the legit way to go about it. What’s the other way you ask?

2. Gather a bunch of people to “buy” your stuff, but send them empty boxes so the purchase and shipment are registered with Taobao. For their efforts, you return their money + a reward, like 10 RMB or something. This way you don’t actually need to store inventory nor take a loss in order to generate buzz and ratings. I know a Taobao seller doing this with great success. Of course, this is not exactly legit and downright deceitful.

Now, today I was looking on eBay for yoyos as my kid decided he wanted one for Christmas. I’m actually a yoyo fan myself and have quite a bit of knowledge so what I found on a particular listing shocked me. Here’s the screenshot of the item:

[Image: crazy dollar tree yoyo selling for over $100]

Now, to give a bit of background on yoyos, there are the cheap kind made of plastic from companies like Duncan and Yomega. These are the brands you see at your local toy store. They go for around $10 to $20. They also make some metal yoyos ranging $30 to $50. Going a step higher, you get your performance level yoyos from companies like One Drop, CLYW, and YoyoFactory. These companies produce yoyos mainly for the professional level players who enter competitions, and prices upwards of $150 are not unheard of.

About a year ago, there was this popular yoyo among the yoyo community when someone discovered a $1 yoyo at Dollar Tree. Yoyo enthusiasts went out and bought them in bulk, looking to give away, mod, and just have fun with them. I know because I bought several myself. These are yoyos made of rolled tin metal, very cheap stuff, with plastic response, but they did have a metal bearing, which was surprising. Here’s what it looks like:

[Image: dollar tree yoyo]

Anyways, back to this eBay listing. The yoyo featured in this listing is almost an exact duplicate of that $1 yoyo, same rolled tin metal, same printing on the side, same plastic starburst response, but yet they’re selling it for $105! Insane right?! What’s even more shocking is the listing says 109 of these yoyos have been sold. Checking the seller’s rating, he sets them all as private. I wonder why. This seller is using the same tactic #2 I’ve mentioned above. Even if most of those 109 sold are fake, there could be one or a few who aren’t and guess what, they just made over 100x return on each sale. This is just plain wrong, to deceive folks like this, generating fake sales so it looks like it’s a good deal. Anyways, here’s another shot of the item. It looks like it originated from China.

[Image: crap dollar yoyo sold at $105]

It’s such a shame for people to resort to this. But really, it’s the way of life for China. Having lived in China for a while, you kind of just get used to stuff like this. Anyways, this post has turned into more of a rant, but I hope you enjoyed it.

How To Stop WordPress Brute Force Attack on xmlrpc.php

Yesterday one of my sites running WordPress got attacked. I only found out because my VPS provider restarted my server as my server load was climbing over 2.0 throughout the course of 2 hours. Upon investigating, I didn’t see any brute force attacks on the WordPress login page, as expected. Instead, I examined the access log to discover POST requests to a file named xmlrpc.php. This file is used for pingbacks and remote posting and even JetPack uses it. Because it allows remote posting, it serves as a method of authenticating username/password instead of the traditional wp-login page. This was what they were trying to brute force, causing RAM to spike to over 2GB and server load to spike past 2.0. How can you prevent this attack? The most effective way for me is to put this in your .htaccess file:

RewriteEngine On
RewriteRule ^xmlrpc\.php$ "http\:\/\/0\.0\.0\.0\/" [R=301,L]

That’s it. It simply redirects requests for this xmlrpc file to a non-existent address: http://0.0.0.0/.
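
To confirm this kind of attack from the access log, as described above, the following added example (not part of the original post) counts POST requests to xmlrpc.php per client IP and lists the heavy senders. It assumes the Apache combined log format; the sample log lines, the function names and the threshold are constructed for illustration.

```shell
# Added example: find clients hammering xmlrpc.php in a combined-format access log.

# Constructed sample log lines (documentation IP ranges, not real traffic).
sample_log() {
cat <<'EOF'
203.0.113.7 - - [10/Dec/2014:03:12:01 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Dec/2014:03:12:01 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "Mozilla/5.0"
198.51.100.23 - - [10/Dec/2014:03:12:02 +0000] "POST /xmlrpc.php HTTP/1.1" 200 412 "-" "WordPress/4.0"
203.0.113.7 - - [10/Dec/2014:03:12:02 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "Mozilla/5.0"
192.0.2.10 - - [10/Dec/2014:03:12:03 +0000] "GET /xmlrpc.php HTTP/1.1" 405 42 "-" "curl/7.38"
192.0.2.10 - - [10/Dec/2014:03:12:04 +0000] "POST /wp-login.php HTTP/1.1" 200 2981 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Dec/2014:03:12:04 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "Mozilla/5.0"
192.0.2.10 - - [10/Dec/2014:03:12:05 +0000] "GET /index.php HTTP/1.1" 200 9120 "-" "Mozilla/5.0"
EOF
}

# Reads a combined-format log on stdin and prints "count ip" for every client
# whose POSTs to xmlrpc.php reach the threshold ($1, default 3), busiest first.
xmlrpc_offenders() {
  threshold="${1:-3}"
  awk -v min="$threshold" '
    # Field 1 is the client IP, field 6 the quoted method, field 7 the path.
    $6 == "\"POST" {
      path = $7
      sub(/\?.*/, "", path)                  # ignore any query string
      if (path ~ /\/xmlrpc\.php$/) hits[$1]++
    }
    END { for (ip in hits) if (hits[ip] >= min) print hits[ip], ip }
  ' | sort -k1,1nr -k2,2
}

# Run against the constructed sample; on a server, feed the real log instead:
#   xmlrpc_offenders 100 < /path/to/access.log
sample_log | xmlrpc_offenders 3
```

A single pingback or Jetpack call shows up as a low count, so pick a threshold well above normal traffic for the site before acting on the list.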

VPS: More Cores The Better?

Short answer? No. It’s actually far worse.

If you’ve been shopping for a new VPS, you’ll likely come across specs for the server like RAM, disk transfer (incorrectly, but oftentimes referred to as ‘bandwidth’), and CPU. When you compare packages and one host offers 4 or 8 vCPUs or cores while others offer only 1 or 2 vCPUs, do you automatically go with the larger number of cores? Let me explain why going with more cores is a bad idea.

The whole point of VPS hosting is to virtualize a physical server node so many smaller chunks of servers can co-exist. The goal is isolation, first and foremost. Coming from shared hosting, you’ll likely be sick of oversold hosts where other people’s accounts are stealing all the server’s resources. This has come a long way with the advent of CloudLinux, but most people still flock to VPS for the isolation, whether it’s isolation of resources or isolation of software packages. Either way, a VPS is your own server and you can do anything you want.

The idea of 8 vCPUs sounds enticing, as their marketing likely tells you that you can burst up to 8 cores when the server is idle. But you’re just one of many who find this enticing, immediately sign up, and migrate a high-resource website to the VPS. What people don’t seem to comprehend is that CPU steal is a real thing and when you give everyone access to 8 cores, they’re all stealing from each other and the performance of your own VPS becomes very shaky and inconsistent. One moment your site is flying and all of a sudden, it’s crawling. No one wants this. Limiting each VPS to only have access to 1 or 2 cores makes the playing field much more fair. An individual VPS cannot burst and steal CPU from others.

After years of using VPS, you’ll come to appreciate the right host that divides up their nodes fairly.