PROTECT MY WP

The WordPress Security Guide

A practical handbook of WordPress security guidelines for administrators, developers, and agencies. Free to read on the web, with a paid full edition.

WordPress runs a huge portion of the web, which makes every WordPress site a constant target for automated attacks. Securing one properly means covering the hosting environment, the WordPress install itself, authentication, file permissions, the database, the network layer, and the routines that keep it all looked after over time. No single plugin does that job.

This guide is a reference to the main areas worth covering. Each section answers a specific question and links through to the full chapter in the handbook. The same fundamentals apply whether you run one site or a hundred.

The full edition is a thirteen-chapter book, delivered as a live web-based reader rather than a static PDF or video course. That choice is deliberate: WordPress and the threats around it change, and the book is updated as they do.

How to secure a WordPress site

WordPress security starts with the core install. Disable file editing from the dashboard in wp-config.php. Rotate the security keys. Lock down what users can do through the admin.

None of that is exotic. It is a checklist of small configuration changes that close off the routes attackers actually use: editing files through the theme editor, reading database credentials from a misconfigured file, or exploiting a known vulnerability in an out-of-date install.

The handbook walks through each change, with the exact configuration.

Read this in Protect My WP: Chapter 2 →

WordPress login security and 2FA

Most WordPress compromises start at the login page. Weak passwords, credentials leaked in third-party breaches, and automated brute-force attempts all hit wp-login.php. That makes authentication the highest value area to tighten first.

The baseline is strong passwords, two-factor authentication, and a limit on failed login attempts. Once those are in place, move the login URL off wp-login.php, disable XML-RPC if nothing legitimate needs it, and close the user endpoint on the REST API.

Chapter 3 covers all of this, including which plugins do the job well and which tend to cause more problems than they fix.

Read this in Protect My WP: Chapter 3 →

WordPress file permissions

File permissions are a common source of confusion on WordPress sites. Get them wrong and either WordPress can't write its own uploads, or worse, any process on the server can overwrite your core files.

The correct setup is strict. Directories at 755, files at 644, wp-config.php at 640 or tighter. Ownership separated so the web server user is not the file owner. And uploads configured so PHP inside them cannot execute.

Chapter 4 has the exact permissions, the commands to set them, and a routine for checking they have not drifted.
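One way to check for the drift mentioned above, as an added example that is not the handbook's own routine: a POSIX shell audit against the baseline on this page (directories 755, files 644, wp-config.php 640 or tighter) that also flags any PHP file sitting under wp-content/uploads. It assumes GNU findutils (for find -printf) and the standard WordPress layout; the document root path in the usage line is a placeholder.

```shell
#!/bin/sh
# Added example, not from the handbook. Audit a WordPress tree for permission
# drift and for PHP files inside uploads (where execution should be blocked at
# the web server regardless). Assumes GNU findutils for `find -printf`.
#
# Usage: audit_wp_perms /var/www/html    (placeholder path, not from the page)
# Prints one line per deviation and nothing at all when the tree is clean.

audit_wp_perms() {
    root="$1"
    # -mindepth 1 skips the document root itself; its mode is the host's call.
    find "$root" -mindepth 1 \( -type d -o -type f \) -printf '%y %m %p\n' |
    while read -r type mode path; do
        case "$type:$mode:$(basename "$path")" in
            # wp-config.php holds the database credentials: 640 or tighter only.
            f:640:wp-config.php|f:600:wp-config.php|f:440:wp-config.php|f:400:wp-config.php) ;;
            f:*:wp-config.php) echo "CONFIG $mode $path (expected 640 or tighter)" ;;
            d:755:*) ;;                                   # directory baseline
            d:*:*)   echo "DIR    $mode $path (expected 755)" ;;
            f:644:*) ;;                                   # file baseline
            f:*:*)   echo "FILE   $mode $path (expected 644)" ;;
        esac
    done
    # A .php file under uploads is not a permission error, but it is always
    # worth a look: nothing legitimate should be writing PHP there.
    find "$root/wp-content/uploads" -type f -name '*.php' 2>/dev/null |
    while read -r path; do echo "UPLOAD-PHP $path (PHP should not execute here)"; done
}

# Count wrapper for cron jobs or a loop over many sites: 0 means no drift.
count_wp_perm_issues() {
    audit_wp_perms "$1" | wc -l | tr -d ' '
}
```

Run it from the monthly checklist and alert on a non-zero count; the per-line output tells you which path to fix and what it should be.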

Read this in Protect My WP: Chapter 4 →

WordPress database security

Your database is where everything lives: posts, users, password hashes, session tokens, and anything else your site stores. Securing it is about more than changing the default wp_ table prefix, though that does help against the laziest scanners.

The real work happens at the MySQL level. A dedicated database user limited to the privileges your site actually needs. Connections restricted to localhost where you can. Encrypted backups. A MySQL configuration that does not hand anything away unnecessarily.

Chapter 5 covers it from the WordPress layer down to the MySQL config.

Read this in Protect My WP: Chapter 5 →

WordPress SSL and HTTPS setup

HTTPS is a baseline requirement. Without it, logins travel in plain text. Sessions are vulnerable to hijacking. Browsers flag the site to visitors as insecure. Let's Encrypt has made the certificate itself free, but getting the rest of the configuration right still matters.

HTTPS is more than the certificate. HSTS, security headers like Content-Security-Policy and X-Frame-Options, mixed content handling, and a sensible TLS configuration all feed into whether it is actually secure.

Chapter 6 covers certificate setup, the headers that matter, and the ongoing checks that keep HTTPS working.

Read this in Protect My WP: Chapter 6 →

WordPress firewall configuration

A firewall sits in front of WordPress and stops known bad traffic before it ever reaches PHP. That can mean a plugin like Wordfence running inside WordPress, a server-level tool like Fail2Ban, or a cloud layer like Cloudflare. Each covers a different slice of the problem.

Good firewall setup is layered. Cloudflare at the edge for volumetric traffic and known bad IPs. Fail2Ban at the server for failed logins and repeated abuse. Wordfence inside WordPress for application-level exploit patterns.

Chapter 7 covers all three layers, which tools to use for each, and how to set them up without locking yourself or legitimate users out.

Read this in Protect My WP: Chapter 7 →

WordPress backup strategy

Backups only count if you have tested the restore. Most WordPress backup setups fail at exactly the moment you need them, usually through incomplete database dumps, missing files, corruption from writes during the backup itself, or off site copies that never actually made it to their destination.

The 3-2-1 rule is the shortest useful summary. Three copies of your data. Two different storage types. One copy off site. Tested restores on a schedule. Retention long enough to recover from a compromise you did not notice for a week.

Chapter 11 covers backup strategy, the tools worth using, off site storage options, and the restore testing that decides whether any of this is worth anything.

Read this in Protect My WP: Chapter 11 →

WordPress maintenance checklist

Security is ongoing work. Every WordPress site needs regular attention: updates to core and plugins, a skim of the logs, a look over the user list, and the occasional cull of plugins and themes that have quietly accumulated.

A sensible routine has a weekly cadence (update core and plugins, skim logs), a monthly one (audit permissions, test a backup restore, review users), and a quarterly one (prune plugins and themes, review dependencies, check SSL and DNS).

Chapter 12 has the full workflow, including staging environments, update processes, and how to make the checks repeatable across multiple sites.

Read this in Protect My WP: Chapter 12 →

Is this a WordPress security book, PDF, or course?

It's a book, structured the way a handbook is structured, with thirteen chapters working from the hosting environment up through the WordPress install, authentication, files, the database, the network layer, and maintenance. It reads like a book and is organised like one.

It's delivered as a web-based reader rather than a PDF download. The reason is practical: WordPress and the threats around it change, and a PDF written this year is stale next year. A web reader stays current with the platform. Paid readers get every update for the lifetime of the book at no additional cost.

It is not a video course. There are no lessons to sit through, no quizzes, no completion certificate. It's a reference you read on the topics you need, the way you'd read any other technical book.

Get the WordPress security book

All 13 chapters, kept up to date. Single payment, access for life.

Buy Protect My WP for £19