
Security terms, explained simply

Plain-English definitions for every security term you might encounter — from 2FA and brute force to VPN and zero-day.


Security comes with its own vocabulary. This glossary explains every term you're likely to encounter — in plain English, in alphabetical order.

Quick summary

Use this page as a reference. If you encounter a security term you don't recognize elsewhere in these guides, look it up here. Every definition is written for non-technical readers.


A

2FA (Two-Factor Authentication) A login method that requires two proofs of identity: typically your password plus a code from your phone. Much harder to break than a password alone. Also called MFA (multi-factor authentication). See Two-factor authentication, explained.

Access control Rules that determine who can access what. For example, a WordPress "Editor" can edit posts but not install plugins — that is access control. Giving people only the access they need is a key security principle.

Account takeover When an attacker successfully logs into your account. Usually happens through stolen passwords, phishing, or credential stuffing.

Authenticator app A phone app that generates time-sensitive 6-digit codes used for two-factor authentication. More secure than receiving codes by SMS. Examples: Authy, Google Authenticator, Microsoft Authenticator. See Using an authenticator app.


B

Backdoor Hidden code or a hidden account that lets an attacker access a system even after the original entry point is closed. A key reason why a full professional cleanup is needed after a website hack — not just surface cleaning.

Backup codes One-time codes provided when you set up 2FA. Used to regain access if you lose your phone. Must be saved somewhere safe.

BEC (Business Email Compromise) A scam where attackers impersonate a trusted person (CEO, supplier, lawyer) to trick you into transferring money or sharing credentials. One of the most financially costly types of cybercrime. See Business email compromise explained.

Brute force attack An automated attack that tries millions of password combinations until it finds the right one. Defended against by: long passwords, limiting login attempts, and account lockouts.


C

CAPTCHA A challenge (like "click all the traffic lights") that distinguishes humans from automated bots. Used to protect login forms and contact forms from automated attacks.

CCPA California Consumer Privacy Act. A US state law giving California residents rights over their personal data. See Data privacy basics for your business.

Certificate (SSL/TLS certificate) A digital file that authenticates your website's identity and enables HTTPS encryption. Issued by a Certificate Authority. See SSL & HTTPS, explained.

Credential stuffing An attack where stolen username/password pairs from one breach are automatically tested against other sites. Works because people reuse passwords. The main reason every account should have a unique password.

Cryptography / encryption The process of scrambling data so only authorized parties can read it. HTTPS uses encryption. Your hard drive encryption uses it. Your password manager uses it.


D

Data breach When personal or confidential data is accessed without authorization. Can affect websites, apps, or any system storing data. If your email or password appears in a breach, it may be used in a credential stuffing attack.

DDoS (Distributed Denial of Service) An attack that floods a website with traffic from many computers at once, making it inaccessible to real visitors. Usually addressed at the hosting/CDN level, not by the site owner directly.

DKIM (DomainKeys Identified Mail) An email authentication method that adds a digital signature to emails sent from your domain. Helps receiving servers verify your emails are genuine. See Email DNS records.

DMARC A policy that tells email servers what to do when an email fails SPF or DKIM checks. Helps prevent your domain from being used to send phishing emails. See DMARC records.

DNSSEC Domain Name System Security Extensions. Adds cryptographic protection to DNS lookups, preventing attackers from redirecting your domain to a fake server.

Domain hijacking When an attacker gains control of your domain name — usually through compromising your domain registrar account. Can redirect your website and email. See Securing your domain name.


E

End-to-end encryption Encryption where only the sender and receiver can read the message. Not even the service provider can access the content. Used by WhatsApp, Signal, and good password managers.

Exploit A piece of code or a technique that takes advantage of a security vulnerability to cause unintended behavior.


F

Firewall Software or hardware that monitors and controls incoming and outgoing network traffic. Blocks known malicious traffic before it reaches your system. Security plugins like Wordfence include a web application firewall (WAF).

Phishing A fraudulent message — usually email, but also text or phone call — designed to trick you into revealing credentials or taking a harmful action. See How to recognize phishing attempts.


G

GDPR (General Data Protection Regulation) The EU's main data privacy law. Applies to any organization collecting data from EU residents, regardless of where the organization is based. See Data privacy basics for your business.


H

Hardware security key A physical USB or NFC device (like a YubiKey) used as a second factor for authentication. The strongest form of 2FA — immune to phishing because it communicates directly with the browser.

HTTPS HyperText Transfer Protocol Secure. The version of the web protocol that includes encryption. Your website's address should start with https://. See SSL & HTTPS, explained.


I

Identity theft When someone uses another person's personal information fraudulently — to open accounts, make purchases, or commit other fraud.

IP address A numerical label assigned to every device on a network. Websites can see your IP address when you visit them. Some security tools block IP addresses associated with attacks.


K

Keylogger Malware that records everything you type — including passwords — and sends it to an attacker.


M

Malware Malicious software — any code designed to damage, disrupt, or gain unauthorized access. Types include viruses, ransomware, spyware, and adware. See Malware & your website explained.

Man-in-the-middle attack An attack where someone intercepts communication between two parties — for example, on an insecure network. HTTPS protects against this for website traffic.

MFA (Multi-Factor Authentication) The same concept as 2FA — requiring multiple proofs of identity to log in. The terms are often used interchangeably, though MFA can include more than two factors.


N

Nulled plugin / theme A premium (paid) plugin or theme distributed for free, illegally, often with malware added. Never install nulled software.


P

Passkey A new login method that replaces passwords. Uses your device's biometrics (Face ID, fingerprint) or PIN to authenticate. More secure than passwords and immune to phishing. See Passkeys, explained.

Password manager Software that generates, stores, and fills in strong, unique passwords. You unlock it with one master password. See Why you need a password manager.

Patch A software update that fixes a known security vulnerability. Keeping software patched (up to date) is the most effective defense against most attacks.

Phishing See "F" above. Worth repeating: the most common way business accounts are compromised. See How to recognize phishing attempts.

PII (Personally Identifiable Information) Any information that can identify a specific person: name, email, phone number, address, IP address. You are legally responsible for protecting PII you collect.


R

Ransomware Malware that encrypts your files and demands payment for the decryption key. Good backups are the best protection.

Registrar lock (Domain lock) A setting at your domain registrar that prevents unauthorized domain transfers. Should always be enabled. See Securing your domain name.


S

Session hijacking Stealing an active login session — so an attacker can use your account without your username or password. Using HTTPS and secure, fresh session tokens defends against this.

SIM swapping A social engineering attack where an attacker convinces your phone carrier to transfer your phone number to their SIM card. Used to intercept SMS 2FA codes. Using an authenticator app instead of SMS avoids this.

Smishing SMS phishing — a phishing attack delivered via text message.

Social engineering Manipulating people into taking actions or revealing information. Most cyberattacks involve social engineering at some stage: tricking someone into clicking a link, sharing a code, or sending a transfer.

SPF (Sender Policy Framework) A DNS record that specifies which mail servers are allowed to send email from your domain. Helps prevent email spoofing. See SPF records, explained.

SQL injection An attack where malicious code is inserted into a database query — exploiting a website vulnerability to extract, modify, or delete data. Security plugins and regular updates defend against this.

SSL (Secure Sockets Layer) The technology behind HTTPS encryption. Modern implementations actually use TLS (Transport Layer Security), but "SSL" is still used colloquially. See SSL & HTTPS, explained.


T

TLS (Transport Layer Security) The modern, updated successor to SSL. What actually powers HTTPS today. The terms SSL and TLS are used interchangeably in everyday conversation.

Two-factor authentication (2FA) See "A" above.


V

VPN (Virtual Private Network) Software that encrypts your internet traffic and routes it through a server, making your connection private. Most useful on public Wi-Fi.

Vishing Voice phishing — a phishing attack conducted over a phone call.

Vulnerability A weakness in software or a system that could be exploited by an attacker. Fixed by patches and updates.


W

WAF (Web Application Firewall) A firewall specifically designed for web applications. Inspects incoming HTTP traffic and blocks malicious requests. Included in security plugins like Wordfence.

WHOIS A public database listing who owns each domain name. You can look up any domain to see registration details. Privacy protection hides personal details. See Securing your domain name.


Z

Zero-day A vulnerability that is unknown to the software vendor — or for which no patch yet exists. "Zero days" because there have been zero days for the vendor to fix it. Once discovered and disclosed, vendors typically release a patch quickly. Keeping software updated means you get that patch as soon as it's available.


Need a hand?

If you're stuck, email support@chykalophia.com and we'll help. Include your website address and a screenshot if you can.
