A glossary of website security terms in plain English. No jargon required to understand the threats your site faces.
Common terms
WAF (Web Application Firewall) — a filter that inspects HTTP traffic and blocks malicious requests before they reach your server.
Malware — short for “malicious software.” Includes viruses, backdoors, crypto miners, SEO spam injectors, and any other code that runs on your site without permission.
SQL Injection — an attack that inserts malicious SQL code into a query, typically to read, modify, or destroy database contents.
Cross-Site Scripting (XSS) — an attack that injects malicious JavaScript into pages, typically to steal session cookies or hijack admin accounts.
Brute-force attack — repeated login attempts trying many password combinations until one works.
CVE (Common Vulnerabilities and Exposures) — the public catalog of known security vulnerabilities. Each entry has a unique ID like CVE-2026-3041.
Zero-day — a vulnerability that is being actively exploited before the vendor has released a fix.
Virtual patch — a firewall rule that blocks exploits of a specific vulnerability before the underlying software has been patched.
DDoS (Distributed Denial-of-Service) — an attack that overwhelms a site with traffic from many sources to make it unavailable.
Backdoor — hidden code planted on a compromised site that gives the attacker future access, even after the original entry point is fixed.
SEO spam — content injected into a compromised site to manipulate search engine rankings, typically for pharmaceuticals, gambling, or counterfeit goods.
Going deeper
Each term above links to a longer article in our Knowledge Base. For research-level depth, check our Research Labs.