Understanding WordPress Security Terminology
Security discussions can be confusing without understanding the terminology. Learn the key security terms every WordPress user should know.
Why Security Terms Matter
Understanding security terminology helps you evaluate threats, communicate with security professionals, and make informed decisions about protecting your WordPress site. This glossary covers essential terms you will encounter in WordPress security discussions.
Attack Types
Brute Force Attack
An automated attack that systematically tries many password combinations to guess the correct credentials. Protection includes limiting login attempts and using strong passwords.
SQL Injection (SQLi)
An attack that inserts malicious SQL code through user input fields to manipulate database queries. Can lead to data theft, modification, or deletion.
Cross-Site Scripting (XSS)
Injection of malicious scripts into web pages viewed by other users. Can steal cookies, redirect users, or modify page content.
Cross-Site Request Forgery (CSRF)
Tricks an authenticated user's browser into submitting a request the user did not intend. WordPress protects against it with nonces.
DDoS (Distributed Denial of Service)
Overwhelming a server with traffic from multiple sources to make it unavailable. Mitigated with CDNs and rate limiting.
Man-in-the-Middle (MitM)
Intercepting communication between two parties. Prevented by using HTTPS encryption.
Phishing
Fraudulent attempts to obtain sensitive information by impersonating trusted entities. Often uses fake login pages.
Malware Types
Webshell
A script uploaded to a server that provides attackers with remote command execution capabilities. Often disguised as image files.
Backdoor
Hidden code that allows attackers to maintain access even after the primary vulnerability is patched.
Malware
Malicious software designed to damage, disrupt, or gain unauthorized access. Includes viruses, trojans, and ransomware.
Spam Injection
Insertion of spam content or links into a website, often for SEO manipulation or malware distribution.
Cryptominer
Malicious script that uses visitor or server resources to mine cryptocurrency without permission.
Security Measures
Two-Factor Authentication (2FA)
Requiring a second verification method beyond a password, such as a code from an authenticator app or SMS.
Web Application Firewall (WAF)
Security layer that filters and monitors HTTP traffic between the internet and your application.
SSL/TLS Certificate
Digital certificate enabling HTTPS encryption between browser and server, protecting data in transit.
HSTS (HTTP Strict Transport Security)
Response header that tells browsers to connect only via HTTPS, preventing protocol downgrade attacks.
CAPTCHA
Test to distinguish humans from bots, often used on login forms and comments.
Rate Limiting
Restricting the number of requests from a single source in a given time period.
IP Blacklisting
Blocking specific IP addresses known to be malicious.
IP Whitelisting
Allowing access only from specified trusted IP addresses.
Vulnerabilities
Zero-Day
A vulnerability that is unknown to the software vendor and has no patch available.
CVE (Common Vulnerabilities and Exposures)
Standardized identifier for known security vulnerabilities.
CVSS (Common Vulnerability Scoring System)
Numerical score (0-10) indicating vulnerability severity.
Privilege Escalation
Exploiting a vulnerability to gain higher access levels than intended.
Remote Code Execution (RCE)
Vulnerability allowing attackers to run arbitrary code on the server.
WordPress-Specific Terms
Nonce
Short for "number used once": a WordPress security token used to verify that a request originated from the site and to prevent CSRF attacks.
Capabilities
Specific permissions assigned to user roles determining what actions they can perform.
Salts
Random strings in wp-config.php used to enhance cookie and password security.
wp-config.php
Core configuration file containing database credentials, security keys, and important settings.
XML-RPC
Legacy protocol for remote WordPress access, often abused to amplify brute force login attacks.
REST API
Interface for programmatic WordPress access; it requires proper authentication and access controls.
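The Nonce and Capabilities entries above, and the CSRF entry earlier, come together in a typical admin form handler. The following is an added example, not code from the original page or from WP Folder Shield; the option name, function names and the "wpfs_save_settings" action are hypothetical, while every WordPress function called is a real core API.

```php
<?php
// Added example (not from the page). Names prefixed "wpfs_" are hypothetical.

// Render the form. wp_nonce_field() embeds a hidden nonce bound to the
// action "wpfs_save_settings" and to the current user's session.
function wpfs_render_settings_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <?php wp_nonce_field( 'wpfs_save_settings', 'wpfs_nonce' ); ?>
        <input type="hidden" name="action" value="wpfs_save_settings">
        <input type="text" name="wpfs_banner"
               value="<?php echo esc_attr( get_option( 'wpfs_banner', '' ) ); ?>">
        <?php submit_button( 'Save' ); ?>
    </form>
    <?php
}

// Handle the submission. Both checks are needed and do different jobs:
// current_user_can() answers "may this user perform the action?" (capability),
// wp_verify_nonce() answers "did this request come from a form WordPress
// rendered for this user?" (CSRF). A nonce alone does not prove authorization.
function wpfs_handle_save_settings() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', 403 );
    }

    $nonce = isset( $_POST['wpfs_nonce'] )
        ? sanitize_text_field( wp_unslash( $_POST['wpfs_nonce'] ) )
        : '';
    if ( ! wp_verify_nonce( $nonce, 'wpfs_save_settings' ) ) {
        wp_die( 'Invalid or expired security token.', 403 );
    }

    // Sanitize before storing; escape again (esc_attr above) when outputting.
    $banner = isset( $_POST['wpfs_banner'] )
        ? sanitize_text_field( wp_unslash( $_POST['wpfs_banner'] ) )
        : '';
    update_option( 'wpfs_banner', $banner );

    wp_safe_redirect( add_query_arg( 'updated', '1', wp_get_referer() ) );
    exit;
}
add_action( 'admin_post_wpfs_save_settings', 'wpfs_handle_save_settings' );
```

Despite the name, a WordPress nonce is not truly single-use: wp_verify_nonce() returns 1 or 2 depending on the token's age and rejects it only after the nonce lifetime (24 hours by default) has passed, so it prevents forged requests rather than replay within that window.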
Encryption Terms
Hashing
One-way conversion of data into a fixed-length string. Used for password storage.
Encryption
Reversible conversion of data into unreadable format using a key.
HTTPS
HTTP over SSL/TLS - encrypted web communication.
Base64 Encoding
Not encryption: it simply converts binary data to text and provides no secrecy. Often misused by attackers to obscure malicious code.
Response Terms
Incident Response
Organized approach to addressing and managing the aftermath of a security breach.
Forensics
Investigation of security incidents to understand what happened and how.
Remediation
Actions taken to fix vulnerabilities and remove threats after detection.
Patch
Software update that fixes a security vulnerability.
Conclusion
Understanding security terminology enables better protection decisions and clearer communication with security professionals. Continue learning as new terms emerge with evolving threats and technologies.
Written by Sarah Chen
WP Folder Shield Team