Learn
Plain-English security, one finding at a time.
Every Vantyris scan produces findings with a plain-English explanation, a concrete fix, and an ownership hint. The articles below go further: the why behind each finding, the common gotchas, the references your developer or web host will recognise. Written for the business owner who runs the site, not for the security engineer.
Email authentication: SPF, DKIM, DMARC, BIMI, MTA-STS. The single highest-impact area for most small businesses, because it's where impersonation happens.
- 2026-04-01
DMARC p=none does not stop phishing. Here's what to do instead.
DMARC p=none does NOT block phishing. It only collects reports. Here's what p=none actually does, when you can safely move to p=quarantine, and the exact DNS record to use.
- 2026-05-01
What is DMARC, and why every business with a domain needs one.
DMARC stops attackers from sending email pretending to be from your domain. Here's what it does, why every business with a domain needs it, and the one DNS record to add.
- 2026-06-06
SPF records, explained: the first line of defence against email spoofing.
SPF lists which servers are allowed to send email for your domain. Without it, attackers can spoof your address. Here's the one TXT record to add and the common gotchas.
- 2026-04-29
DKIM: the cryptographic signature that completes your email authentication trio.
DKIM adds a tamper-proof signature to every outgoing email so receiving servers can verify it's really from you. Here's how it works and the one DNS record to add.
- 2026-05-13
MTA-STS: forcing TLS on every email destined for your inbox.
MTA-STS forces servers sending to your domain to use TLS, preventing downgrade attacks on inbound mail. Modern best practice, low adoption, one DNS record + one HTTPS file.
- 2026-06-07
BIMI: putting your brand logo next to your sender name in Gmail and beyond.
BIMI puts your verified logo next to your sender name in major inboxes. Requires DMARC at quarantine or stricter, a VMC certificate, and one DNS record.
TLS
Transport security: HTTPS, certificate management, TLS protocol versions. The padlock in your visitor's browser, explained.
- 2026-04-19
HTTPS for small business: how to enable it in 15 minutes.
Chrome shows a 'Not secure' warning to every visitor of an HTTP-only site. Here's how to enable HTTPS in 15 minutes with a free Let's Encrypt certificate.
- 2026-04-18
TLS 1.0 and 1.1: turn them off. Here's why and how.
TLS 1.0 (1999) and TLS 1.1 (2006) are deprecated and removed from modern browsers. Here's why your server should only offer TLS 1.2 and 1.3, and the one-line fix.
- 2026-05-20
Your TLS certificate has expired. Here's how to restore the site fast.
An expired TLS certificate blocks every visitor with a full-screen browser warning. Here's how to renew immediately and prevent it happening again.
- 2026-05-25
Short HSTS max-age: what it really means, and how to extend it safely.
A short HSTS max-age narrows the protection window but rarely means your site is being downgraded. Here's what HSTS actually does, when a short max-age matters, and the Cloudflare / Nginx / Apache snippet to fix it without breaking anything.
Headers
HTTP response headers that tell the browser how to protect your visitors. CSP, HSTS, X-Frame-Options, and the supporting cast.
- 2026-06-10
HSTS: the security header that locks HTTPS on for good.
HSTS tells browsers to always use HTTPS for your domain, blocking downgrade attacks. Here's the header to add, the max-age to start with, and the gotcha to avoid.
- 2026-05-12
Content Security Policy: the header that stops most XSS attacks dead.
CSP blocks injected scripts and other attacks that XSS protections miss. Here's how to enable a useful policy without breaking your site.
- 2026-05-19
X-Frame-Options and frame-ancestors: the anti-clickjacking header.
X-Frame-Options tells browsers not to render your site inside someone else's frame. Without it, attackers can overlay invisible UI on top of your site. Here's the header to add.
- 2026-05-03
SameSite + Secure cookies: the two attributes every session cookie needs.
Cookies without SameSite + Secure flags can be stolen by malicious sites or intercepted on hostile Wi-Fi. Two attributes, every cookie, no excuses. Here's how to set them.
- 2026-05-06
Permissions-Policy: explicitly disabling browser features your site doesn't use.
Permissions-Policy lets you disable camera, microphone, geolocation, FLoC, and other browser features your site doesn't need. One header, defensive by default.
- 2026-06-16
X-Content-Type-Options: nosniff. The one-line defensive header.
X-Content-Type-Options: nosniff tells the browser not to guess what your file is. Stops a class of XSS attacks where a server serves the wrong content-type. Five-minute fix.
DNS
DNS records that protect your domain: CAA for certificate issuance, DNSSEC, MX hygiene, and the basics.
- 2026-06-15
CAA records: the DNS entry that decides who can issue your TLS certificates.
A CAA record limits which certificate authorities can issue certificates for your domain. Without one, any CA in the world can issue a cert for you. Here's how to set one up.
- 2026-06-05
DNSSEC: cryptographic signing for your DNS, explained plainly.
DNSSEC cryptographically signs your DNS records so attackers can't poison the answer. It's overkill for most small sites, brilliant for some. Here's how to decide.
Ports
What's reachable on your server, and what shouldn't be.
- 2026-06-08
WordPress REST API user enumeration: what it leaks, and the exact fix.
Your WordPress site's /wp-json/wp/v2/users endpoint returns the public user slugs for any account that has authored content. Here's what attackers do with that list, and the exact code snippet to drop into functions.php to close it.
- 2026-04-09
RDP on the public internet: the single biggest ransomware vector for UK small businesses.
Remote Desktop on the public internet is the #1 ransomware vector for UK SMEs. Here's how to find out if you have one open, and the cheap way to close it.
Reputation
Whether your domain is flagged by Google Safe Browsing or sitting on a Spamhaus / SURBL list. Even clean sites end up on these, and it quietly costs you email deliverability.
- 2026-05-15
Google Safe Browsing: how it flags sites and how to clear yours.
Safe Browsing flags sites for malware, phishing, or unwanted software. Even clean sites get listed when a subdomain is compromised. Here's how to check, how to recover, and what re-flagging looks like.
- 2026-06-21
DNS-based blocklists: the silent reason your emails land in spam.
RBLs (real-time blocklists) decide whether your email lands in inbox or spam. Even clean sites get listed by association. Here's how the major lists work and how to delist.
Supply chain
Every third-party script your site loads is a supply-chain risk. Subresource Integrity, suspicious CDN flagging, and the lightweight surface a regulator notices first.
- 2026-05-11
Subresource Integrity: the third-party script defence most sites skip.
If you load scripts from a CDN, Subresource Integrity verifies the script hasn't been swapped. One attribute on every script tag. Here's why it matters and the exact syntax.
Privacy
Pre-consent trackers, cookie banners, the IAB TCF signal. The UK-GDPR + ePrivacy basics a visitor or regulator would spot without opening DevTools.
- 2026-04-15
UK cookie consent: the ICO rule most sites ignore.
Most cookie banners on UK sites don't meet the ICO's 'consent before tracking' rule. Here's what the rule actually says, what compliant looks like, and how to test yours.
Vulnerabilities
Known software vulnerabilities affecting your stack.
- 2026-04-09
What a passive security scan can and cannot prove about your site.
Vantyris scans your site from outside, the way an attacker would. That covers a lot, but not everything. Here's what passive external scanning can prove with confidence, what it can only flag for confirmation, and how to read findings that fall into the gap.
Want to scan your own site against everything above?
Vantyris runs the same checks the articles describe, then writes you a report you can hand to your web host. Free teaser, no signup. Verified scan from €10.
Run a free check →