Dave Hurwitz is, as he repeatedly tells us, the "Executive Editor of ClassicsToday.com". Classicstoday is an excellent classical music resource (and I'll refer to it hereafter as ct.com) and is worth your time to investigate their reviews and critiques. Unfortunately, a lot of their content is behind a paywall: meaning, sign up with credit card details and the like, to reveal all. I have no problem with the 'pay to view' proposition ...but it behoves a site that takes your money and your credit card details to demonstrate that they care about security and preservation of personally identifiable information -and ct.com does none of those things.
You can assess a website's security standards in a number of ways. Me: I check the Mozilla Observatory and SecurityHeaders.
If you do that for this website (i.e., absolutelybaching.com), you'll see this:
And:
And A+ and B+ security ratings are really rather good! Of the top million sites the Observatory monitors, 610,000 or so are grade F; 110,000 or so are grade D. A vanishingly small proportion of websites are anything but (and it's fiendishly difficult to get anything higher than a B for a WordPress site, given the way WordPress works).
So, how does ct.com (which is a WordPress site at heart) fare on this test:
And:
Grade Fs all round. Which is pretty pathetic and means no-one on their end has paid the slightest attention to securing their website -and that your credit card and other personal details are a target waiting to be hacked.
I cancelled my Classics Today subscription when I saw this result. I did ask them about it before doing so, and their response was 'we'll look into it, small business, don't have dedicated staff, etc etc'. That was two years ago. Time's up: they don't know how to secure a website, period. And they're collecting people's personally identifiable information and credit card details whilst being severely, technically incompetent. They deserve a call-out.
I just tried posting a warning about this state of affairs to Dave Hurwitz's YouTube channel (which is an excellent classical music resource), but it got deleted every time I posted... which is why I'm posting here. If they can't do the very minimum of securing their website, no matter the quality of their music critiques: they don't deserve your money.
Security headers are less significant — and more nuanced — than scanning tools like these make them out to be, but so-called "managed" hosting platforms like WP Engine should really be doing more — i.e. anything whatsoever — to protect clients like Dave from themselves.
For what it is worth, WordPress natively sends x-frame-options:sameorigin headers when answering /wp-admin/ requests, so the administrative areas of the site would earn a much more respectable D than the front-facing half. Haha.