Archives: Definitions
What is Expect-CT
Expect-CT is [DEPRECATED]. The Expect-CT security header was created to enforce the use of Certificate Transparency. Certificate Transparency (CT) requires all SSL certificates issued to be logged in a public log so that any unauthorized issuance of certificates can be easily detected. When a certificate is issued, the issuer of the certificate sends a “Signed Certificate Timestamp” (SCT) to a publicly available CT log. If your site sends the Expect-CT header, it tells browsers to check if the SCT for your
What is X-XSS-Protection
X-XSS-Protection [DEPRECATED]. The X-XSS-Protection security header was created to control the built-in protection against Reflected Cross-Site Scripting (XSS) attacks in web browsers. In the past, XSS protection was built into Internet Explorer, Chrome, Edge, and Safari. Firefox never implemented XSS protection. When a browser with built-in and activated XSS protection detected an XSS attack, the browser would remove the unsafe scripts from the page. X-XSS-Protection Options: The X-XSS-Protection header has the following options: 0 -> Disable XSS filtering 1 ->
What is HSTS?
HSTS means HTTP Strict Transport Security, and it makes browsers force your visitors over HTTPS. Why do you need this when you have already redirected your site to SSL? HSTS is meant for situations when users are not actually visiting your site, but a site that is pretending to be your site and therefore does not have an SSL certificate. This fake site won’t have a redirect to SSL! Let’s say a user is in a public place on wifi
What is Apache?
Apache is one of the most commonly used open-source web servers. According to W3Techs, roughly one-third of all websites are hosted on an Apache server. The web server handles the communication with the client (usually the browser) to serve the (WordPress) website. Apache is particularly popular with hosting providers offering (shared) hosting solutions for smaller blogs and sites without too many users. As the W3Techs reports show, Apache is losing popularity to NGINX, Cloudflare Server, LiteSpeed and others.
What is XML-RPC?
XML-RPC is a mechanism originally implemented in WordPress to publish content without the need to actually log in to the backend. It is also used to log in to WordPress from devices other than a desktop, or outside the regular wp-admin interface. For example, the WordPress iOS app utilizes XML-RPC to log in to WordPress. As most WordPress site administrators won’t use either of these functions, it is recommended to disable XML-RPC to prevent abuse. XML-RPC is known to be abused for brute-force User