2018 Stock Market Returns of Lump Sum Buy-and-Forget Investment Strategy for The Last Five Years

This is a documentation about an on-going experiment that I started since November 2013.

In November 2013, I opened a separate HLeBroking (Hong Leong Investment Bank Berhad) trading account to do a lump sum (one time) investment in Bursa Malaysia. I chose buy-and-forget as the strategy for this experiment because it requires the minimal effort to maintain.

The portfolio contains 11 stocks from different industries for diversification purposes.

Among the stocks that I bought are from consumer products (APOLLO, DLADY, MAGNI, NESTLE), trading/services (BTECH, MARCO), properties (HUAYANG, UOADEV), finance (MBSB), industrial products (SKPRES) and REITs (TWRREIT) sectors.

The portfolio is skewed heavily towards companies in consumer products sector. This is the sector that is the most immune to negative market volatility.

The amount I had at the time was RM 35008 and was distributed about equally among all stocks (except BTECH which was bought with the remainder of the available sum).

I bought most of the above stocks during the period between November 2013 and January 2014. And I never touched the account since then.

From the date of the first stock purchase (on 20 November 2013) till now (8 September 2018), it has been roughly 4.8 years (1753 days to be exact).

So how is the performance of the buy-and-forget portfolio?

Below is the snapshot of the account as of 8 September 2018 (you can click on the image to get a closer look):

HLeBroking Trading Account as of 8 September 2018

HLeBroking Trading Account as of 8 September 2018

The current market value of the portfolio is RM 53799.86, an increase of 54.03 % from invested capital of RM 35008.

This translates to roughly 9.36 % CAGR (Compound Annual Growth Rate).

Here is the formula to calculate CAGR:

    \[ r = \sqrt[n]{\frac{F}{P}} - 1 \]

It is derived from this formula:

    \[ F = P*(1 + r)^{n} \]

F is the current market value,
P is the invested capital,
r is the rate of return or CAGR,
n is the number of years.

Things to take notes

Based on the screenshot above, we can see that some stocks have done poorly (e.g. HUAYANG -70.09 %, MBSB -54.89 %, TWRREIT -37.25 %) while some stocks have done extraordinarily well (e.g.: SKPRES +315.87 %, MAGNI +206.53 %, NESTLE +116.2 %).

This is consistent with the saying that there are ups and downs in the market, which is absolutely normal and expected. We should have the stomach to withstand the price drop of the companies in our portfolio.

However, even with the ups and downs in the market, the portfolio turns out fine with more than 50 % gain till date. This is due to the fact that the downside is limited but the upside is unlimited.

The most a stock can drop is to zero while there is no limit to how much a stock can grow.

The upside has more than covered for the downside which is the case here.

Another way to interpret the result is that there are more value being created in the market than the value being destroyed in the market. Human is a highly creative living being and there is no limit to how much value can be created. This means there is an infinite value waiting to be released in the market.

In a nutshell, stock market is a favourable game to play.

It gets even better because I haven’t taken into account the dividends paid by these stocks.

Dividends received

Here is the table that shows all the dividends received during these 4.8 years.

Dividend from HLeBroking

DateCompanyCodeTypePayment (RM)
09/01/2017APOLLO6432First and final180
09/01/2018APOLLO6432First and final150
26/12/2014DLADY3026Interim and special110
19/05/2015DLADY3026Interim and special110
18/12/2015DLADY3026Interim and special110
29/12/2016DLADY3026Interim & special110
13/01/2017MAGNI7087Second & special75
12/04/2017MAGNI7087Special and interim90
27/10/2017MAGNI7087Final and special157.5
12/04/2018MAGNI7087Interim and special105
28/02/2014MARCO3514Third interim159.2
15/07/2015MARCO3514First and final39.8
16/06/2016MARCO3514First & final139.3
30/06/2017MARCO3514First and final99.5
13/07/2018MARCO3514First and final99.5
28/05/2015MBSB1171Final and special216
02/12/2016NESTLE4707Second interim70
14/07/2017UOADEV5200First and final225
23/07/2018UOADEV5200First and final225
Dividend received between 20 November 2013 and 8 September 2018

In total, I received RM 8164.53 in dividends from 79 payments throughout this period.

The dividends constitute about 23.32 % (8164.53/35008) of the invested capital. This means about 23.32 % of my capital has been returned to me during this period.

Dividends can further reduce the downside of stock investment since I will never lose all my invested capital.

The average dividend yield is about 4.86 % (8164.53/4.8/35008).

This means the investment is generating an average of RM 141.74 of dividend per month (8164.53/4.8/12).

Taking into account the dividends, the CAGR becomes 12.62 %, a very satisfactory return for me given the minimal effort from me.

Using the rule of 72, the capital will double in about 5.7 years (72/12.62). This is less than a year from now (5.7 – 4.8 = 0.9 year) where my portfolio would have a market value of RM 2 * 35008 (including dividends). However, this is not guaranteed. There is always uncertainty in the market.

Final thoughts

In order to run this experiment, I need to have money that I don’t need. Money, the less you need it now, the more you will have it later.

Let the good companies work for you. Let your money works for you.

Capitalism works. Human is inherently motivated to create value. It is worth to invest in the market.

Finally, ignore day-to-day market price fluctuation since it is not meaningful. Let good companies take care of themselves.

Disclaimer: Don’t follow blindly the portfolio above. Understand what you buy to reduce your risk.

2017 was indeed a Bullish Year in Hindsight

I made a post on a new blogging platform steemit. You can read the post here 2017 was indeed a bullish year in hindsight.

Steemit is a blogging and social networking website on top of the Steem blockchain database. The Steem blockchain produces Steem and Steem Dollars which are tradeable tokens users obtain for posting, discovering, and commenting on interesting content.

What To Do If Your WordPress Site Is Infected By pub2srv.com Adware

This site was infected by adware between end of August 2017 and 26 October 2017.

What happened

I realized something was wrong when I visited my own site this morning and discovered that there were popup and redirection when I clicked on anywhere on the page.

The Evil Adware

The Evil Adware

Also, when I checked the analytics of the site, there were practically no visitors since the beginning of September 2017.

Zero Visitor Since September 2017

Practically Zero Visitor Since September 2017


I run a test using pingdom tool (you can see the scan result by clicking the link) and confirmed that my WordPress site was being infected by adware.

Here are the findings:







Some unknown scripts were being injected into the site.

  • http://deloton.com/apu.php?zoneid=1063894
  • go.pub2srv.com
  • http://go.pushnative.com/notice.php?p=628268&interactive=1&pushup=1
  • go.mobisla.com

Root cause analysis

When I tried to scan my WordPress installation folders on the server for files that contain “pub2srv.com” keyword I found nothing.

The hacker is good at playing hide-and-seek.

With help from Google, it turned out that the malicious code was hidden in multiple files located in the <WordPress installation path>/wp-includes/ folder.

Here is the list of the infected files:

  • wp-feed.php: contains a list of IP addresses
  • wp-vcd.php: contains a compressed malicious installation program
  • class.wp.php: contains SQL injections and cross-site scripting
  • post.php: contains the reference to wp-vcd.php

Here is the sample content of class.wp.php:

The above code is adding/injecting user to the database.

It is also loading content from http://www.aotson.com/codexc.txt which contains the following instructions:

The hacker is able to target specific infected site by changing the path remotely via http://www.aotson.com/codexc.txt Pretty clever and super evil.

It is capable of spreading itself to all the WordPress sites across different domain names that are hosted under my user account.

More detail can be found here: wp-vcd.php malware analysis.

Lesson learnt

It is clear that the root cause was due to me installing untrusted WordPress themes on my site.

The infection occurred at an earlier date than mid-August based on the evidence from the backup that I have.

However, the symptom of unusual slowness and trouble only appeared towards the end of August.


Here is an article on how to remove pub2srv malware to learn more about the adware/malware.

Here is the detail of other people who were also facing the same issue.

I installed the Anti-Malware Security and Brute-Force Firewall plugin and run a scan. 254 files, which were affected, were removed after the scan.

I updated the my WordPress theme to the latest version.

I reinstalled the WordPress version 4.8.2.

I also updated the login password.

I also updated the server user login password just in case.

Final thought

Maintaining a website is similar to maintaining my health. I need to monitor it regularly to avoid temporary death from happening again.

The site is as good as dead for the past two months.

I realized that cyber risk is a real threat that could impact a lot of people. Infected site is capable of spreading virus to innocent visitors and might cause serious damage to them.

It is important to keep the information systems secured so that I will never encounter similar incident again. Here is a self-study guide CISSP (ISC)2 Certified Information Systems Security Professional Official Study Guide that contains information on how to maintain security in a world that is surround with cyber risks. Grab a copy if you are interested.