
Website Security Guide for Mumbai Businesses
12-Point Checklist to Protect Your Site

May 2026  ·  7 min read  ·  By Susania Team

Key Takeaway

Most Mumbai business websites are hacked through entirely preventable vulnerabilities — outdated plugins, weak passwords, no firewall, and missing backups. This 12-point security checklist eliminates the risks that account for 90% of all website compromises.

Why Website Security is a Business Priority — Not Just an IT Concern

In 2024, over 30,000 websites were hacked globally every day. India saw a 35% rise in cyber attacks on small and medium businesses, with Mumbai being one of the most targeted cities due to the density of active commercial websites. A hacked website doesn't just cause technical inconvenience — it can result in customer data theft, financial loss, complete Google deindexing, and irreparable reputational damage.

Most Mumbai business websites are hacked not through sophisticated attacks but through preventable vulnerabilities: outdated software, weak passwords, no SSL, unprotected login pages, and missing security headers. This guide gives you the complete security checklist to protect your Mumbai business website.

The 12-Point Website Security Checklist

1. SSL Certificate (HTTPS)

Every business website must run on HTTPS. Google marks HTTP sites as "Not Secure" in Chrome — killing visitor trust instantly. Free SSL is available through Let's Encrypt or included with most hosting plans. If your site still shows HTTP, fix this today.

2. Update Everything — Always

60% of WordPress hacks exploit outdated plugins or themes. Enable automatic updates for WordPress core, all plugins, and your theme. Check for updates weekly. Every update notification is a security patch waiting to be applied.

3. Use a Web Application Firewall (WAF)

A WAF sits between your website and the internet, blocking malicious traffic before it reaches your server. Cloudflare's free plan includes a basic WAF. For WordPress sites, Wordfence provides a free plugin-based WAF that blocks known attack patterns in real time.

4. Strong Password Policy + 2FA

Use a 20+ character password generated by a password manager (Bitwarden, 1Password) for your hosting, cPanel, WordPress admin, and domain registrar. Enable two-factor authentication (2FA) on every service. Brute force attacks automatically try common passwords — a strong unique password makes them pointless.

5. Change Default Login URLs

Every WordPress site's admin login is at /wp-admin by default. Bots scan millions of sites daily for this URL. Change it to a custom URL (like /company-login) using a security plugin. This alone stops the vast majority of automated brute force attacks before they begin. Keep in mind that it is obscurity rather than a control: a determined attacker can still find the new URL, so pair it with strong passwords and 2FA (item 4) and login rate limiting (item 8).

6. Daily Automated Backups

A recent backup is your ultimate recovery tool after any attack. Configure automated daily backups stored in a separate location (Google Drive, Amazon S3) — never only on the same server as your website. Test your backup restoration process at least once every 3 months. An untested backup is not a backup.

7. Security Headers in .htaccess

Add HTTP security headers to block clickjacking, MIME-type sniffing, and information leakage: X-Frame-Options, X-Content-Type-Options, Referrer-Policy, and Content-Security-Policy. These can be set in your .htaccess file and take effect immediately. Tools like SecurityHeaders.com grade your current header configuration for free.
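As an added example (not from the original article), the following shell script does offline what SecurityHeaders.com does online: it reads a captured HTTP response and reports which of the four headers named above are missing, and flags the two whose value matters (X-Frame-Options must be DENY or SAMEORIGIN, X-Content-Type-Options must be nosniff). The sample response, the `REQUIRED_HEADERS` list and the function names are this example's own constructions; capture a real response with `curl -sI https://your-site` and pass the file to `audit_headers`.

```bash
#!/usr/bin/env bash
# Added example, not the article's code: audit a captured HTTP response for
# the four security headers in checklist item 7.
set -eu

# The headers the checklist expects every site to send (compared case-insensitively).
REQUIRED_HEADERS="x-frame-options x-content-type-options referrer-policy content-security-policy"

# header_value FILE NAME
# Prints the value of header NAME from the captured response, or nothing if absent.
header_value() {
    local file=$1 name=$2
    # Match the header name at the start of a line regardless of case, strip any CR.
    grep -i "^${name}:" "$file" | head -n 1 | sed -e 's/^[^:]*:[[:space:]]*//' -e 's/\r$//'
}

# audit_headers FILE
# Prints one line per finding: "MISSING <header>" or "WEAK <header>=<value>".
# Prints nothing for a fully hardened response and always exits 0, so callers
# can count findings with wc -l.
audit_headers() {
    local file=$1 h value
    for h in $REQUIRED_HEADERS; do
        value=$(header_value "$file" "$h")
        if [ -z "$value" ]; then
            echo "MISSING $h"
            continue
        fi
        case "$h" in
            # Anything other than DENY or SAMEORIGIN (e.g. ALLOWALL) does not stop clickjacking.
            x-frame-options)
                case "$(printf '%s' "$value" | tr 'a-z' 'A-Z')" in
                    DENY|SAMEORIGIN) ;;
                    *) echo "WEAK $h=$value" ;;
                esac ;;
            # The only meaningful value for this header is nosniff.
            x-content-type-options)
                [ "$(printf '%s' "$value" | tr 'A-Z' 'a-z')" = "nosniff" ] || echo "WEAK $h=$value" ;;
        esac
    done
    return 0
}

# Constructed sample response: X-Frame-Options present but weak, two headers absent.
SAMPLE_RESPONSE=$(mktemp)
cat > "$SAMPLE_RESPONSE" <<'EOF'
HTTP/1.1 200 OK
Server: Apache
Content-Type: text/html; charset=UTF-8
X-Frame-Options: ALLOWALL
X-Content-Type-Options: nosniff
EOF

audit_headers "$SAMPLE_RESPONSE"
```

Run against the constructed sample, the audit reports `WEAK x-frame-options=ALLOWALL`, `MISSING referrer-policy` and `MISSING content-security-policy`; once the corresponding `Header always set` directives are in .htaccess and the site re-captured, the output should be empty.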

8. Limit Login Attempts

By default, WordPress allows unlimited login attempts — making brute force attacks possible. Install a plugin like "Limit Login Attempts Reloaded" to block an IP after 3–5 failed attempts for 24 hours. This shuts down single-source brute forcing; credential stuffing campaigns that rotate source addresses are slowed rather than stopped by per-IP blocking, which is why 2FA (item 4) remains essential.

9. File Permission Hardening

Correct file permissions limit what an attacker who gains a foothold on the server (for example through another account on a shared host) can read or modify. Recommended permissions: directories at 755, files at 644, wp-config.php at 600. Note that 600 on wp-config.php only works when PHP runs as the file's owner, which is the usual setup on shared hosting; if the site breaks, your host will tell you the mode it requires. Your hosting control panel or a security plugin can check and correct these in minutes.
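The same audit and fix, as an added shell example rather than anything from the article or a specific plugin: `permission_findings` lists every path that deviates from the 755/644/600 recommendation, and `harden_permissions` applies it. The miniature WordPress tree it builds under a temporary directory is constructed for the demonstration; point both functions at your real document root instead.

```bash
#!/usr/bin/env bash
# Added example, not the article's code: audit and fix WordPress file permissions
# (directories 755, files 644, wp-config.php 600) from checklist item 9.
set -eu

# permission_findings ROOT
# Prints every path under ROOT whose mode differs from the recommendation,
# one per line. Prints nothing when the tree is already hardened.
permission_findings() {
    local root=$1
    find "$root" -type d ! -perm 755
    find "$root" -type f ! -name wp-config.php ! -perm 644
    find "$root" -maxdepth 1 -type f -name wp-config.php ! -perm 600
}

# harden_permissions ROOT
# Applies the recommended modes. find ... -exec {} + batches the chmod calls,
# so this works on large uploads folders without argument-length errors.
harden_permissions() {
    local root=$1
    find "$root" -type d -exec chmod 755 {} +
    find "$root" -type f ! -name wp-config.php -exec chmod 644 {} +
    # wp-config.php holds the database credentials, so it gets the strictest mode.
    if [ -f "$root/wp-config.php" ]; then
        chmod 600 "$root/wp-config.php"
    fi
}

# Constructed sample: a miniature WordPress layout with deliberately loose modes.
SAMPLE_ROOT=$(mktemp -d)
mkdir -p "$SAMPLE_ROOT/wp-content/uploads"
printf '<?php // constructed placeholder, not a real config\n' > "$SAMPLE_ROOT/wp-config.php"
printf 'placeholder\n' > "$SAMPLE_ROOT/wp-content/uploads/image.jpg"
chmod 777 "$SAMPLE_ROOT/wp-content/uploads"
chmod 666 "$SAMPLE_ROOT/wp-content/uploads/image.jpg"
chmod 644 "$SAMPLE_ROOT/wp-config.php"

echo "Before hardening:"
permission_findings "$SAMPLE_ROOT"
harden_permissions "$SAMPLE_ROOT"
echo "After hardening: $(permission_findings "$SAMPLE_ROOT" | wc -l | tr -d ' ') finding(s)"
```

Run it from a scheduled job and alert when `permission_findings` produces output: a file that silently changed to 666 or a new world-writable directory is an early sign that something on the server is not under your control.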

10. Disable XML-RPC if Not Needed

WordPress's XML-RPC interface is a common attack vector for DDoS amplification attacks. Unless you use the WordPress mobile app or Jetpack's remote publishing, disable XML-RPC using a plugin or .htaccess rule. Most Mumbai business websites never need it.
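Both item 8 (login attempts) and item 10 (XML-RPC) leave traces in the web server's access log, and checking that log is how you confirm the plugins are doing their job. The following added shell example, not from the article, reads a combined-format access log: a POST to /wp-login.php that gets HTTP 200 means WordPress re-rendered the form, i.e. the attempt failed (a success redirects with 302), so `failed_login_sources` counts failures per source address and lists those at or above the plugin's block threshold; `xmlrpc_requests` counts hits on /xmlrpc.php, which on a site that does not use the mobile app or Jetpack should be zero once the endpoint is disabled. The log lines and IP addresses are constructed (documentation ranges), and the function names are this example's own.

```bash
#!/usr/bin/env bash
# Added example, not the article's code: spot brute-force logins and XML-RPC
# traffic in an Apache/Nginx combined-format access log (checklist items 8 and 10).
set -eu

# failed_login_sources LOGFILE THRESHOLD
# Prints "<ip> <failures>" for every source with at least THRESHOLD failed
# logins (POST /wp-login.php answered with 200), sorted by IP.
# Combined-format fields: $1 client IP, $6 "METHOD, $7 path, $9 status.
failed_login_sources() {
    local log=$1 threshold=$2
    awk -v t="$threshold" '
        $6 == "\"POST" && $7 ~ /^\/wp-login\.php/ && $9 == 200 { fails[$1]++ }
        END { for (ip in fails) if (fails[ip] >= t) print ip, fails[ip] }
    ' "$log" | sort
}

# xmlrpc_requests LOGFILE
# Prints the number of requests to /xmlrpc.php. Any non-zero count on a site
# that does not need XML-RPC means the endpoint is still reachable.
xmlrpc_requests() {
    awk '$7 ~ /^\/xmlrpc\.php/ { n++ } END { print n + 0 }' "$1"
}

# Constructed sample log: one source hammering the login form, one legitimate
# user who mistypes once then succeeds, and a client probing XML-RPC.
SAMPLE_LOG=$(mktemp)
cat > "$SAMPLE_LOG" <<'EOF'
203.0.113.10 - - [01/May/2026:10:00:01 +0530] "POST /wp-login.php HTTP/1.1" 200 4127 "-" "Mozilla/5.0"
203.0.113.10 - - [01/May/2026:10:00:02 +0530] "POST /wp-login.php HTTP/1.1" 200 4127 "-" "Mozilla/5.0"
203.0.113.10 - - [01/May/2026:10:00:03 +0530] "POST /wp-login.php HTTP/1.1" 200 4127 "-" "Mozilla/5.0"
203.0.113.10 - - [01/May/2026:10:00:04 +0530] "POST /wp-login.php HTTP/1.1" 200 4127 "-" "Mozilla/5.0"
203.0.113.10 - - [01/May/2026:10:00:05 +0530] "POST /wp-login.php HTTP/1.1" 200 4127 "-" "Mozilla/5.0"
198.51.100.7 - - [01/May/2026:10:01:00 +0530] "POST /wp-login.php HTTP/1.1" 200 4127 "-" "Mozilla/5.0"
198.51.100.7 - - [01/May/2026:10:01:20 +0530] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.0.2.44 - - [01/May/2026:10:02:00 +0530] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "-"
192.0.2.44 - - [01/May/2026:10:02:01 +0530] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "-"
192.0.2.45 - - [01/May/2026:10:03:00 +0530] "GET /index.php HTTP/1.1" 200 9120 "-" "Mozilla/5.0"
EOF

echo "Sources at or above 5 failed logins:"
failed_login_sources "$SAMPLE_LOG" 5
echo "XML-RPC requests: $(xmlrpc_requests "$SAMPLE_LOG")"
```

On the sample, only 203.0.113.10 crosses the threshold of five; the legitimate user with one typo does not. If a source keeps appearing in `failed_login_sources` with counts well above the plugin's limit, the limiter is not blocking it (often because the site sits behind a proxy or CDN and the plugin sees the proxy's address instead of the client's).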

11. Monitor Uptime and Malware Scans

Set up free uptime monitoring at UptimeRobot.com — get an SMS or email alert within 5 minutes of your site going down. Schedule weekly automated malware scans using Sucuri SiteCheck (free) or a security plugin. Early detection means faster recovery and less damage.

12. Delete Unused Themes and Plugins

Deactivated plugins and themes are still on your server and still exploitable if they contain vulnerabilities. Delete every theme and plugin you are not actively using. The fewer plugins you run, the smaller your attack surface.

Immediately:

1. Take the site offline by setting it to maintenance mode or unpublishing it via the hosting panel.
2. Change all passwords: cPanel, WordPress admin, FTP, email.
3. Restore from your most recent clean backup (keep a copy of the compromised files and server logs first, so the cause can be identified in step 5).
4. Run a full malware scan using Wordfence or Sucuri.
5. Identify and patch the vulnerability that was exploited.
6. Request a review in Google Search Console if the site was flagged as dangerous.

Contact Susania for emergency website recovery support.


Need a Security Audit for Your Mumbai Business Website?

Susania audits and hardens website security for Mumbai businesses — SSL, firewalls, backups, and ongoing monitoring. Get a free security check today.
