If you are the person who keeps a WordPress site alive — the updates, the backups, the late-night “is the site down?” message — this is the day that turns the panic into a routine.
Who delivers this: Christopher Ross · WordPress trainer for site owners and ops leads · WordPress training delivery since 2007 (broader training practice since 2004) · MA Candidate, Learning and Technology, Royal Roads University
WordPress 301 is the practical day for the person responsible for keeping a WordPress site healthy. By the end of it you will know what the actual attack surface looks like, you will have walked through a real backup-and-restore drill, and you will leave with a written maintenance routine you can hand to anyone who covers for you when you are away.
Who this is for
- Fit. Site owners and operations leads who run the WordPress site at a small business, non-profit, or association and want a calm, defensible routine.
- Fit. Junior agency staff who have inherited a portfolio of client sites and need a sane week-by-week update playbook that does not break things.
- Not fit. Teams who want a compliance checklist to hand to an auditor. This is an operating routine, not a SOC 2 artifact.
- Not fit. People who have never published a post or installed a plugin. Start at 101 first.
Prerequisites: you have admin access to at least one live WordPress site, you know what a plugin is, and you can tell me who your host is. That is the bar.
What you’ll be able to do after
- Describe, in plain language, the realistic ways a WordPress site gets compromised — so you can stop worrying about the wrong things.
- Read your host’s shared-responsibility model honestly, and know what they cover, what you cover, and where the gap sits.
- Run a backup-and-restore drill on a staging copy, because a backup you have never restored is not a backup.
- Apply core, plugin, and theme updates in an order that does not surprise you, with a rollback path you trust.
- Set user roles by least privilege, so the person who writes the newsletter cannot accidentally delete the homepage.
- Run the first thirty minutes of an incident calmly: triage, isolate, communicate, then call for senior help if it is over your head.
What your manager will see different on Monday
- The monthly maintenance runbook sits on one page, on a shared drive, and anyone covering for the site operator can follow it without phoning for help.
- A backup has been restored on staging in the last 90 days — not just taken — so the team actually knows the backups work.
- The admin user list is short, current, and accounted for; the four abandoned admin accounts from past contractors are gone.
- Updates run in a predictable order with a rollback path, and the team stops dreading the “update everything and hope” Friday.
- The first thirty minutes of an incident look calm: triage, isolate, communicate, then call for senior help if it’s over the team’s head.
Curriculum, in four themed blocks
- The real attack surface. Login brute-force, weak passwords, plugin and theme CVEs, abandoned plugins, supply chain. What actually happens to small WordPress sites in the wild, in proportion, with no fear-mongering.
- Hosting, backups, and the restore drill. Why managed hosting matters and what it does not cover. Where backups should live, how often, and the test you have to run before you trust them. The first time you restore a site is going to be on purpose, in this room, not on a bad Tuesday.
- Updates without breakage. Staging when it is worth it, and when a quick before-and-after check is enough. Reading a changelog. Holding back a plugin you do not yet trust. Knowing which updates can wait and which cannot.
- Roles, monitoring, and incidents. User roles by least privilege. The handful of monitoring signals worth watching. Your written runbook for the first thirty minutes of an incident. When to keep going and when to call a senior dev.
Real examples we’ll work through
- A backup-and-restore drill on a staging copy of a real site, end to end, with timing.
- A monthly maintenance routine written for your specific host and plugin stack, that fits on one page.
- A user-role audit of a real site, removing the four admin accounts that nobody at the office can remember creating.
Where this fits in the WordPress training pathway
Shaped for: Site owners, operations leads, and the person responsible for keeping the WordPress site healthy day to day.
Most learners come here from: WordPress Training 101.
From here, the most common next steps:
- WordPress Training 201 — if you also write the content the site publishes.
- WordPress Training 401 — if you are stepping into developer-level work and want the senior track.
The four WordPress courses are role-routed, not strictly sequential — each segments by the work you actually do on a WordPress site rather than by how long you have been around the dashboard. The full training catalogue shows how they sit alongside the Microsoft Office track.
Delivered as part of these service engagements
This course is included in the training scope of the following build and ongoing engagements — either at full public-cohort scope, or as a compressed version tuned to your specific build. The audit-and-build credit policy on the service pages covers the training surface too: training hours already delivered as part of a build credit forward against any larger engagement that follows.
- Owner-Run Unlimited Growth ($17,000+) — full session covering the operations surface and the admin handover.
- Scaled Team Site / WordPress Website Development ($24,000+) — delivered to the platform owner and the operations team.
- Newspaper Regional News ($20,000+) — delivered to the platform owner and ad-ops team, with the paywall and metering surface covered.
- Newspaper National Influencer ($75,000+) — delivered to platform owners, ad ops, subscriber-revenue, and the operations team.
- E-commerce National ($60,000+) — delivered to the platform owner and the fulfilment-and-customer-service teams.
- Learning Post-Secondary ($30,000+) — delivered to platform owners, IT operations, and learner-support leads.
- Maintenance Active ($1,800/mo) — available as an add-on at relationship start — the operations curriculum lines up with the cadence of work in this retainer.
- Maintenance Concierge ($4,000/mo) — included in the half-day relationship-start workshop, tailored to your runbook and on-call procedures.
- SEO Enterprise ($5,000/mo) — delivered to the platform owners and operations leads.
- WordPress Security & Hardening ($1,375+) — delivered as part of the audit-and-remediation tier, tuned to the operator-side hardening practices and the runbook for the next plugin install.
Looking to book the public cohort or a private team session directly, separate from a build engagement? The pricing and booking surface below covers that path.
Format, duration, and pricing
301 runs online only, over Zoom or Google Meet, with the recording sent to your team if you need it. The full-day session is the format most teams book so we can run real backup-and-restore drills end to end; the half-day is a compressed option when your team only has a morning. Pricing is by format, not by group size.
| Format | Investment (CAD) |
|---|---|
| Half-day (3 hours, focused) | $1,495 |
| Full-day (6 hours, comprehensive) | $2,495 |
| Two half-days (split across one week) | $2,795 |
| In-person delivery within Niagara / GTA: add $500/day. Teams larger than 12, custom curriculum, or multi-cohort rollouts — let’s scope it. | |
Currently booking through Q3 2026. Two virtual cohorts per month.
Rate And Review This Content
Be the first to rate this. Submissions are reviewed before they appear.