I just made the oldest stupid admin mistake in the book, lol. I used stock code with a default password to ensure spammers had no access to my backend system. Naturally they tried the default passvariable and got through. I fixed that little problem with a nice, 255 character randomized string. Easy to implement, pain in the ass to break. I love it.