In January 2026, CERT-In reported that cyberattacks on Indian websites increased 78% compared to the previous year, with small and medium businesses accounting for over 60% of compromised sites. The average cost of a website breach for an Indian SMB now exceeds ₹8 lakh when you factor in lost revenue, customer trust damage, and recovery expenses. Most of these attacks weren't sophisticated—they exploited basic security gaps that take less than a day to fix. If you're running a business website in India, this guide covers exactly what you need to secure it properly.
Why Indian Websites Are Being Hacked at Record Rates
Indian websites have become prime targets for three interconnected reasons. First, the rapid digitization push—particularly post-2020—brought millions of businesses online without proportional investment in security. A Jaipur garment exporter or Pune manufacturing unit that quickly built a website to capture online orders rarely budgeted for ongoing security maintenance. Attackers know this, and automated bots constantly scan Indian IP ranges for vulnerable WordPress installations, exposed admin panels, and outdated plugins.
Second, the economics work in attackers' favour. Compromising an Indian SMB website provides access to customer databases worth selling on dark web markets, server resources for crypto mining, or a launching pad for phishing attacks targeting that business's clients. A hacked Bengaluru consultancy website might be used to send convincing invoice fraud emails to their corporate clients, multiplying the damage exponentially.
Third, shared hosting concentrations create cascade vulnerabilities. When one site on a shared server gets compromised, attackers often pivot to neighbouring sites. Many Indian hosting providers pack hundreds of sites onto single servers with inadequate isolation. A vulnerable WordPress blog belonging to a Chennai restaurant can become the entry point that compromises thirty other businesses on the same server—including that fintech startup paying ten times more for their hosting plan.
SSL Certificates: Types, Cost, and Why Free Let's Encrypt Is Fine for Most
SSL certificates encrypt data between your visitor's browser and your server. Without one, login credentials, contact form submissions, and payment details travel as plain text—readable by anyone monitoring the network. Google Chrome displays "Not Secure" warnings for HTTP sites, immediately damaging visitor trust.
Certificate Types Explained
Domain Validation (DV) certificates verify only that you control the domain. They're issued within minutes and display the padlock icon. Organization Validation (OV) certificates require business documentation verification and display your company name in certificate details. Extended Validation (EV) certificates involve rigorous vetting and historically showed a green address bar—though modern browsers have largely removed this visual distinction.
The Cost Reality
Let's Encrypt provides free DV certificates that auto-renew every 90 days. For 95% of Indian SMB websites—including e-commerce stores—this is completely sufficient. The encryption strength is identical to paid certificates. Paid DV certificates from vendors like Comodo or DigiCert typically cost ₹800–₹3,000 annually with slightly longer validity periods and warranty coverage you'll likely never use. OV and EV certificates range from ₹8,000–₹50,000 annually and make sense primarily for banks, insurance companies, or large enterprises where the additional trust indicators matter for high-value transactions.
Most quality hosting providers—including those we recommend for website development projects—offer one-click Let's Encrypt installation. If your host charges extra for SSL, consider switching providers.
WordPress Hardening: 10 Steps Every Site Should Take
WordPress powers over 43% of websites globally and an even higher percentage of Indian SMB sites. Its popularity makes it a constant target. These ten steps address the vulnerabilities attackers most commonly exploit.
Core Security Measures
1. Keep everything updated. WordPress core, themes, and plugins should run their latest versions. Enable auto-updates for minor releases. Check weekly for major updates that require manual review. A single outdated plugin with a known vulnerability is often the only opening an attacker needs.
2. Delete unused themes and plugins. That theme you tested last year and deactivated? It can still be exploited if it contains vulnerabilities. Remove anything you're not actively using.
3. Use strong, unique admin credentials. Your username shouldn't be "admin"—change it. Passwords should exceed 16 characters with mixed types. Use a password manager rather than memorable (and guessable) combinations.
4. Install a security plugin. Wordfence or Sucuri Security provide firewall protection, malware scanning, and login security features. The free tiers handle most SMB needs; premium versions add real-time threat intelligence and priority support.
5. Change the default login URL. Moving wp-admin and wp-login.php to custom URLs stops most automated brute force attacks. Plugins like WPS Hide Login accomplish this with one setting change.
Advanced Protections
6. Disable file editing in the dashboard. Add define('DISALLOW_FILE_EDIT', true); to wp-config.php. If attackers gain admin access, they can no longer inject malicious code through the built-in editor.
7. Limit login attempts. After five failed attempts, block that IP for an hour. This stops brute force attacks from cycling through password combinations indefinitely.
8. Implement XML-RPC restrictions. Unless you specifically need remote publishing capabilities, disable XML-RPC or restrict it to specific IPs. It's a common attack vector for DDoS and brute force attempts.
9. Set correct file permissions. Directories should be 755, files should be 644, and wp-config.php should be 600 or 640. Incorrect permissions allow attackers to modify files they shouldn't access.
10. Add security headers. Configure Content-Security-Policy, X-Frame-Options, and X-Content-Type-Options headers to prevent clickjacking, content injection, and MIME-type attacks.
Hosting Security: Shared vs. VPS vs. Managed Hosting Comparison
Your hosting environment determines your security baseline. The cheapest option rarely provides adequate protection.
Shared Hosting Limitations
Shared hosting places your site alongside hundreds of others on one server. Security depends entirely on your provider's isolation measures—and many budget Indian hosts cut corners here. If a neighbouring site gets compromised and the provider hasn't properly containerized accounts, attackers can access your files. Shared hosting works for brochure sites with minimal traffic and no sensitive data collection. For anything else, the ₹200/month savings isn't worth the risk.
VPS and Cloud Hosting
Virtual Private Servers provide dedicated resources and isolated environments. You're responsible for server-level security—firewalls, software updates, intrusion detection. This suits technically capable teams or businesses working with developers who handle maintenance. Monthly costs typically run ₹1,500–₹8,000 for configurations appropriate to Indian SMB needs. AWS, DigitalOcean, and Linode offer Indian data centre options that improve site speed for domestic visitors while meeting data localization preferences.
Managed WordPress Hosting
Managed hosting handles server security for you—automatic updates, malware scanning, firewall configuration, and expert support when issues arise. Providers like Cloudways, Rocket.net, and Kinsta specialise in WordPress and catch threats before they impact your site. Expect to pay ₹2,500–₹15,000 monthly depending on traffic levels. For businesses focused on running their operations rather than managing servers, this is typically the right investment.
Backup Strategy: The 3-2-1 Rule for Websites
Backups are your recovery guarantee when everything else fails. The 3-2-1 rule provides a framework that actually works.
Keep three copies of your website: the live site plus two backups. Store those backups on two different media types—your hosting server plus an external service like Amazon S3, Google Cloud Storage, or even a local drive. Keep one backup offsite, geographically separated from your primary hosting location. If your Delhi-hosted site and its server-based backups are both compromised, your offsite copy in Mumbai or Singapore remains accessible.
For WordPress sites, plugins like UpdraftPlus or BackupBuddy automate daily or weekly backups to cloud storage. Monthly cost for cloud storage ranges from ₹100–₹500 for most SMB sites. Managed hosting typically includes automated backups with 14–30 day retention.
Test your backups quarterly. A backup that won't restore correctly is worthless. Download a recent backup, set up a staging environment, and verify everything works before you actually need it.
User Authentication: Strong Passwords, 2FA, and Login Rate Limiting
Weak authentication causes more breaches than sophisticated exploits. A Nagpur retailer using "shop@123" as their WordPress password is practically inviting account takeover.
Password Requirements Worth Enforcing
Require minimum 12-character passwords combining uppercase, lowercase, numbers, and symbols. Block common passwords using plugins that check against breach databases. Force password changes every 90–180 days for admin accounts. Provide team members with a password manager—Bitwarden's free tier works well for small teams—so complexity doesn't lead to written-down passwords stuck to monitors.
Two-Factor Authentication Implementation
2FA adds a second verification layer beyond passwords. Even if attackers obtain credentials through phishing or data breaches, they can't access accounts without the second factor. For WordPress, plugins like Wordfence or Google Authenticator integrate easily. Require 2FA for all admin and editor accounts—no exceptions. Time-based one-time passwords (TOTP) through authenticator apps are more secure than SMS codes, which can be intercepted through SIM-swapping attacks increasingly common in Indian metro areas.
Rate Limiting and Account Lockout
Configure your security plugin to block IPs after five failed login attempts within ten minutes. Temporarily ban repeat offenders for 24 hours. Permanently ban IPs showing consistent attack patterns. These measures cost attackers time and make brute forcing impractical while rarely affecting legitimate users who simply mistype passwords occasionally.
PCI DSS Basics for E-Commerce Sites Processing Indian Cards
If your website accepts credit or debit card payments—even through gateways like Razorpay or Paytm—PCI DSS compliance applies. The Payment Card Industry Data Security Standard exists to protect cardholder data from theft.
Most Indian SMB e-commerce sites use hosted payment pages where customers enter card details on the gateway's secure servers, not yours. This significantly reduces your compliance burden—you're handling SAQ A or SAQ A-EP rather than the full PCI DSS requirements that apply to businesses storing card data directly.
Your Key Responsibilities
Even with hosted payment pages, you must: maintain a secure website with current SSL/TLS, implement firewalls and access controls, regularly update all software, maintain security policies your team follows, and partner only with PCI-compliant payment processors and hosting providers. Document these practices and review them quarterly.
Razorpay, PayU, and CCAvenue handle the heavy PCI lifting for card data processing. Your job is ensuring attackers can't compromise your site to inject fake payment forms or redirect customers to phishing pages that capture their card details.
What to Do When Your Site Is Hacked: Incident Response Checklist
Discovery hits hard. You notice defaced pages, spam redirects, customer complaints about phishing emails, or your hosting provider suspends your account. Here's the sequence that minimises damage.
Immediate Actions (First Hour)
Take the site offline immediately—better a maintenance page than actively serving malware to your customers. Change all passwords: WordPress admin, hosting control panel, FTP, database, and any connected services. Revoke all active sessions to log out any attackers currently connected. Notify your hosting provider; they may have server-level logs showing the attack vector and can isolate your account to prevent spread.
Investigation and Recovery
Scan your entire installation with Wordfence, Sucuri, or similar tools. Download your files and database for offline forensic analysis if needed. Compare current files against clean copies from before the compromise to identify all modifications. Restore from your most recent clean backup—verify it predates the attack by checking file modification timestamps and database entries.
Post-Recovery Hardening
Identify how attackers got in. Check access logs for suspicious login activity. Review recently modified files. Examine installed plugins against vulnerability databases. Whatever the entry point was, close it before bringing the site back online. Update everything, reset all credentials again with stronger alternatives, and consider whether your current hosting provides adequate security.
Notify affected customers if any personal data was potentially exposed. Indian law requires reasonable breach notification, and proactive communication preserves trust better than customers discovering problems independently.
Secure Your Business Website Properly
Website security isn't a one-time project—it's ongoing maintenance that protects your revenue, reputation, and customer relationships. The measures outlined here address vulnerabilities that account for the vast majority of SMB website compromises in India. Most require modest time investments rather than significant budgets.
If you'd prefer expert implementation rather than handling security configuration yourself, our team builds and maintains websites with these protections baked in from the start. Contact us to discuss your website's security requirements and get a straightforward assessment of what you actually need—no unnecessary add-ons, no scare tactics, just practical protection appropriate to your business.