End the worry about your insecure code.

Presenting WordPress Security with Confidence: your guide to writing secure WordPress code.

You know WordPress security is important.

After taking this course, you'll know that your code is secure. 🔐

The internet gives so much advice on security, and so much of it is inaccurate, conflicting, or trivial. A lot of it is just there to sell you a product rather than to improve your expertise.

Here are some common security frustrations you've probably experienced:

  • People give conflicting advice about securing WordPress. Some tells you it's crucial you remove the login page, others tell you it's irrelevant. Neither side zooms out and grapples with how to sort truth from fiction.
  • Lots of advice comes from people with something to sell: just buy the author's off-the-shelf security product and you'll be "set" for security. But which product is right, what does it actually do to protect you, and is it really sufficient?
  • Many security concepts are locked behind difficult-to-understand technical terms: like “SQL injection,” “XSS,” “CSRF.” They all seem bad, but what are they?
  • Finally, so much advice is offered abstractly. It's great to know the concepts, but what does the code look like? How do I find code that's insecure?

WordPress Security with Confidence

Take the course wherever works best for you 🔐

WordPress Security with Confidence is a course that solves these problems so that you can learn how to write secure WordPress code and maintain the security of your sites.

And hey – you know when you worry that some other developer will look at your code? When you think they might realize, "Gosh, {your name here} is such a dummy, look how insecure this code is?!"

WordPress Security with Confidence exists to solve this problem: so that you know that you're following all the security best practices, deeply understand WordPress security, and correct common problems that make sites insecure.

This is the course you've always needed: you'll learn WordPress security, and eliminate your worries. We'll quickly pass by the platitudes like "just install this plugin", "just go to this host", and finally understand how to write completely secure WordPress code. No doubts, no worries. 😎

WordPress Security with Confidence: The Comprehensive Security Course for Developers

If you've followed to this point, an obvious question could be to ask what's in the course? In short, a whole bunch of well-sized videos (they're typically around 5 minutes each.)

If you manage websites, we’ve created a full section of this course that contains videos with a full explanation on maintaining and building secure WordPress websites, without needing to touch any PHP. This stuff is really important, and a prerequisite to know that your WordPress site code is secure.

WordPress Security With Confidence

If you're writing PHP that needs to be secure, I'll arm you with all the concepts you need to write it securely. That means tons of detail about acronyms like CSRF, XSS, OWASP, 2FA and others. You'll not only know how to avoid security mistakes in the new code you write, but also how to audit old code for security issues.

You’ll learn quickly, with a carefully-crafted video curriculum covering all the security information you need to know—and nothing you don’t. Take the course at your own pace. Enjoy 90+ easy-to-follow video tutorials and dive into 17 focused chapters. The course breaks down complex security topics into approachable and digestible lessons.

Finally, (because I'm not the only WordPress security expert in the world), the course has interviews with 10 other thought-leaders. They'll cover a lot of topics I'm not an expert on. Like what it's like to have written one of the most cited security vulnerabilities in the WordPress ecosystem. What it's like to write a security plugin that you sell to both WordPress users and developers. What the process is for cleaning up hacked WordPress sites.

You’ve been waiting for the opportunity to feel confident about WordPress security. Now it’s time to gain that confidence. 💪

Everything you need to know about writing secure WordPress code. Clear, Compact and Organized

We’ve designed WordPress Security with Confidence to be your essential companion. We won’t waste your time—instead we explain the detail you need in clear, jargon-free language.

Once you’ve completed the course, you'll understand exactly which parts of WordPress security you've been doing correctly all along, and you'll be able to confidently put the rest right.

The course starts with general security principles, and advances to very specific actionable steps. We discuss code while seeing it, so you'll know what secure and insecure code really looks like. Everything’s easy to find, and right where it should be.

Hello! I'm David Hayes, an expert WordPress developer and teacher 👋

I've been writing WordPress code for more than a decade. I've taught thousands of people how to be confident, caring, and thoughtful WordPress developers.

I've done contract work developing WordPress plugins for dozens and dozens of clients big and small. I'm the co-editor of the leading WordPress development blog WPShout, where I've written hundreds of articles on WordPress development. And, in 2015, I co-wrote the critically acclaimed "learn WordPress development" course Up and Running.

I've never had my code exploited in the wild. I admit some of that is dumb luck. Starting out I made all of the classic mistakes. But I've also learned a ton about how to write secure code for WordPress plugins and themes. I'd love to teach you that in this video course.

As a professional WordPress developer for the last decade, working on WordPress websites—from small to enterprise—at my boutique web agency Press Up Inc, I’m experienced dealing with WordPress security issues at all scales.

I have both the depth of knowledge, and an accessible teaching style needed to ensure you learn WordPress Security, with Confidence.

This is the course you’ve been waiting for...

WordPress Security with Confidence is the course you've always wished you had. No more niggling doubts that your code is vulnerable to CRSFs, or whatever the security vulnerability of the week is. I promise, backed by a 30-day money-back-guarantee, that you'll be happy you bought the course. 😊

Ready to get going? Finally learn how to write secure WordPress code. Kill the worry, once and for all. Start today 🙂

Want a Quick Tour of What's Inside?

What People Say about WordPress Security with Confidence 👏

Here's what past students, readers, and peers have said about WordPress Security with Confidence.

Joe Howard for Security Course

Before I went through WordPress Security with Confidence, I hadn’t seen a truly comprehensive security course for WordPress professionals who need to provide premium security for their clients.

I went from knowing a lot about different areas of WordPress security to having a comprehensive understanding of how to implement security across the entire WordPress ecosystem for any website.

If WordPress security is part of your job, investing in this course is a no-brainer!

Joe Howard
Head Buff at WP Buffs

Josh Pollock (Security)

David is one of the best WordPress tutors, and it’s a real treat to see him tackle the complex world of WordPress security.

For the cost of one year of a premium WordPress security plugin, WordPress Security With Confidence gives you all the knowledge you need to confidently deal with security, forever. I’ve enjoyed David’s writing on WordPress for years, and this new course is no exception.

Josh Pollock
WordPress developer, and co-founder Caldera Forms

Aileen Forbes (Security)

The WordPress Security with Confidence course has been extremely helpful for me! It covers so many things that I half-knew, but which I understand completely after taking the course. I now know exactly where and how to approach tightening up security in my plugins and functions.

Aileen Forbes

Are you ready to join our list of happy customers?

Time to pucharse. Your WordPress Security with Confidence package will include...

WordPress Security with Confidence for Developers
👏 The complete course built just for WordPress developers
🚀 It contains 9 modules on thinking about security of WordPress sites, without code
🖥 AND 8 modules specifically focused on auditing, authoring, and fixing the security of WordPress PHP code
👩‍🔬👨‍💻 Plus 10 interviews with other WordPress security experts, asking good questions and getting smart answers
📹 In all, that's 17 modules, and 90+ video tutorials
⏱ Learn it all at your own pace. Consume it all in a weekend, or make a 17-week learning plan. Your call 😊


30-day money-back guarantee.

We're highly confident you'll love WordPress Security with Confidence and will find it an incredibly valuable and worthwhile course.

If, however, you’re not delighted with your purchase, email us within 30 days and we’ll happily issue a full refund. No questions asked.


Learn from the security experts

WordPress Security with Confidence offers the incredible opportunity to get highly practical security advice directly from the experts.

Watch video interviews with leading WordPress security experts, including the lead of the WordPress Security Team Aaron Campbell, Sucuri CEO Tony Perez, and original author of iThemes Security Chris Wiegman.

Each of the ten interviews runs for roughly half an hour. Each one is packed with valuable security insights and you can hear how the very best people in the business think and deal with WordPress security – and then learn how to apply their practices for yourself.

Meet the WordPress security experts:

Aaron Campbell,
WP Security Lead
Chris Wiegman,
Creator of iThemes Security
Michele Butcher-Jones,
Expert Hack Remediator
Hristo Pandjaron,
WordPress Lead at SiteGround
Adam Warner,
WordPress Evangelist at SiteLock
Tony Perez,
CEO of Sucuri
Meher Bala,
WordPress Freelancer
Ben Gillbanks,
Theme Author
Joe Howard,
CEO of WP Buffs
Julio Potier,
Founder of SecuPress

What will I learn in WordPress Security with Confidence?

The course is built around a carefully crafted curriculum covering everything you need for WordPress Security with Confidence.

With over 17 modules and 90+ individual videos (10 hour runtime), you’ll learn how to think about WordPress security, how to actually secure WordPress, and how to secure and audit code (whether yours, a colleague’s, or a plugin’s).

This edition features the full 17 modules. Here's how the content is organized:

Module 1: Developing a Security Mindset

  • What WordPress security is (4 mins)
  • Layered Security (4 mins)
  • Threat Model (4 mins)

Module 2: Common WordPress Security Myths

  • WordPress Security Myths (21 mins)

Module 3: Personal Security Hygiene

  • Introduction to Personal Security Hygiene (1 min)
  • Secure Passwords (8 mins)
  • Updates (3 mins)
  • Network Security (5 mins)
  • Sharing Data (3 mins)
  • Viruses (4 mins)

Module 4: Site Owner Security Concepts

  • Security Concepts Introduction (1 min)
  • What is WordPress, as it relates to security (4 mins)
  • Infection Types (6 mins)
  • Why Update (6 mins)
  • Good Passwords (5 mins)
  • Principle of Least Privilege (5 mins)
  • Distributed Denial of Service Attacks (4 mins)
  • CAPTCHAs (5 mins)
  • HTTPS (3 mins)
  • Social Engineering (3 mins)
  • Web Application Firewalls (4 mins)
  • Malware Scans (3 mins)
  • Audit Logs (3 mins)
  • Monitoring (2 mins)
  • Security by Obscurity (3 mins)

Module 5: Hardening WordPress: Practical Steps

  • Introduction to “Hardening” (1 min)
  • Disallow File Edit in Admin Area (3 mins)
  • Remove Unused Plugins and Themes (3 mins)
  • Prevent Directory Listings with Blank Indexes (3 mins)
  • Force Admin SSL (3 mins)
  • Lockdown wp-config (4 mins)
  • Remove Readme (4 mins)
  • Set/Verify/Change Salts (3 mins)
  • Block PHP execution in Uploads (Apache) (3 mins)
  • WP-Includes Web-Block (2 mins)
  • Database Passwords (2 mins)
  • Not Plugins and Firewalls (1 min)
  • Change Database Prefix (3 mins)
  • Good Passwords (4 mins)
  • Reputation Monitoring (1 min)
  • Use SFTP (2 mins)
  • Backups (3 mins)
  • Choosing Plugins (4 mins)
  • File Permission (5 mins)
  • No Random Registration (2 mins)
  • (Not) Infrastructure Security (1 min)
  • Turning Off Comments (2 mins)

Module 6: Comparison of WordPress Security Plugins & Services

  • Comparison of WordFence, Sucuri, SiteLock, iThemes, SecuPress, All in One Security, and many more (7 mins)
  • Runthroughs of what it's like to use 11 different security products (11 videos)

Module 7: Collaborating (with Clients)

  • Introduction to Secure Collaboration (2 mins)
  • Sharing Secrets (8 mins)
  • Talking about Security (with clients) (9 mins)
  • Security After Launch (6 mins)

Module 8: Server Security (and what’s beyond)

  • Server Security – Don’t Built Your Own LAMP (8 mins)
  • How To Pick a WordPress Host (10 mins)

Module 9: Site-Owner Security Interviews

  • Tony Perez (Sucuri)
  • Chris Wiegman (iThemes Security)
  • Michele Butcher-Jones (WP Rocket)
  • Meher Bala (freelancer)
  • Joe Howard (WP Buffs)

Module 10: Development Basics –– CSRF, XSS, SQLi

  • SQLi (5 mins)
  • XSS (7 mins)
  • File inclusion (5 mins)
  • User capability (4 mins)
  • Cross-site request forgery (4 mins)
  • Dev basics (7 mins)

Module 11: Examples & Data of WordPress Vulnerabilities

  • Survey of Disclosed Vulnerabilities in WordPress (20 mins)

Module 12: Open Web Application Security Project’s Top 10

  • Introduction (2 mins)
  • Injection (6 mins)
  • Broken Authentication/Session Management (4 mins)
  • Cross-Site Scripting (XSS) (6 mins)
  • Insecure Direct Object References (3 mins)
  • Security Misconfiguration (5 mins)
  • Sensitive Data Exposure (4 mins)
  • Missing Access Control (3 mins)
  • Cross-Site Request Forgery (3 mins)
  • Using Components With Known Vulnerabilities (3 mins)
  • Unvalidated Redirects and Forwards (2 mins)
  • Updating the top 10 list for 2017 (6 mins)

Module 13: Attacking WordPress Vulnerabilities

  • Brute Force Attacks (9 mins)
  • Exploiting an SQL Injection Vulnerability (9 mins)
  • Cross-Site Scripting (XSS) (5 mins)
  • Local File Inclusion (7 mins)

Module 14: Code Audit Checklist

  • WordPress Code Audit Checklist (7 mins)
  • PLUS: A custom checklist to give you the confidence in WordPress code's security

Module 15: Securing An Intentionally Vulnerable Plugin

  • Introduction to an Intentionally Vulnerable Plugin (1 min)
  • Setting Up a Vulnerable Plugin (2 mins)
  • SQLi (10 mins)
  • Cross-Site Scripting (16 mins)
  • Cross-Site Request Forgeries and Nonces (4 mins)
  • User Capabilities (6 mins)
  • Redirects (3 mins)
  • Review (6 mins)

Module 16: Writing New Code Securely (how to make a new plugin, securely)

  • Introduction (3 mins)
  • Plugin header and enqueue (4 mins)
  • Start on JS (3 mins)
  • Basic AJAX (4 mins)
  • Saving and XSS protection (8 mins)
  • CSRF and user cap (7 mins)
  • Conclusion (2 mins)

Module 17: Developer Security Interviews

  • Aaron Campbell (WordPress Security Team)
  • Ben Gillbanks (Pro Theme Design, TimThumb)
  • Hristo Pandjarov (SiteGround)
  • Julio Potier (SecuPress)


Will I always have access to the WordPress Security with Confidence course?

Yes! You’ll always have access to the course, and can take the lessons at your own pace. There’s no expiry date, time limit, or deadline; you can re-take individual lessons as many times as you like, whenever you like. As long as there's an internet, it'll be here for you 🙂

I’m busy. What if I can’t keep up with the course?

When you purchase, you’ll get access to our beautiful course-management website, and from there can watch individual lessons—completely self-paced. If you want to retake any material, it’s always available for you to retake as and when you need.

Is this course right for me?

If you've made it this far, you should know. I think this course is great for anyone who has ever written PHP for WordPress and wondered how secue it was. If you've never written WordPress PHP, I do have something that might be of interest:

WordPress Security for Site-Owners is for WordPress users, power-users, “implementers”, and anyone managing WordPress sites who is not writing their own code. You’ll learn everything you need to know to make a WordPress site secure, without touching the code. Plus, for roughly the price of one year of any premium WordPress security plugin, you will learn everything you need to know, forever.

We want everyone who buys the course to be delighted with their purchase, so do get in touch with us if you’re not sure which version is for you. Furthermore, if you do purchase and decide this isn’t quite the course for you, that’s totally fine! You can just let us know, and we’ll happily give you a full refund.

How does the course website work?

You’ll get to take the course in a purpose-built, beautifully responsive website dedicated to making sure you get the most out of WordPress Security with Confidence.

Each chapter is available with its videos, and you can mark each as complete in order to track progress as you move through the course. You can access the course on any device with a browser, anywhere you have an internet connection – so whether you learn best on desktop, tablet, or mobile, you can get the learning style which matches what works best for you.

Who made this excellent WordPress security course?

Great question! Hi! I’m David Hayes, the author of this excellent course. I’m co-founder of boutique web consultancy Press Up, co-author of WPShout, and co-author of the critically acclaimed WordPress development course Up and Running. I’m a WordPress security expert, lead all of the course’s content, and will be your personal guide through your WordPress development journey.

I’m supported by Fred Meyer and Alex Denning; Fred is my business partner at Press Up, and Alex originally founded WPShout in 2009. Both have a wealth of experience teaching WordPress, and are here to make sure you have the best possible experience.

Do you do bulk or team discounts?

Yes! We’ll happily offer a discount for purchases of five or more. Please contact us for details.

Any other questions?

Get in touch! If you have any queries at all about the course, drop us an email and we’ll happily get back to you. You can email us here.