Website Security Essentials
Every Chennai Business
Owner Must Know

SSL (Secure Sockets Layer) encrypts the connection between a visitor's browser and your website server. Without it, every piece of data submitted through your website - contact forms, login details, payment information - travels across the internet unencrypted and readable by anyone who intercepts it. In 2026, a website without SSL displays a "Not Secure" warning in Chrome that deters visitors and suppresses Google rankings. SSL is not optional and has not been optional since Google's 2018 security policy update.

Most Indian hosting providers now include a free Let's Encrypt SSL certificate with hosting plans. Having an SSL certificate installed is the starting point, not the finish line. What most Chennai businesses and their developers miss:

• HTTP to HTTPS redirect is not automatic: Simply installing an SSL certificate does not redirect all traffic to the secure version. Without a 301 redirect from http:// to https://, some visitors will still access the insecure version of your site. Verify by typing your domain with http:// explicitly and confirming it redirects to https://.
• Mixed content warnings persist after SSL installation: If your website loads any assets (images, scripts, stylesheets) via http:// links, the browser marks the page as insecure even with an SSL certificate installed. Verify by checking the browser padlock for any "Not Secure" sub-components.
• SSL expiry causes immediate Chrome blocking: Free Let's Encrypt certificates expire every 90 days. Most Indian hosting providers offer auto-renewal, but a failed renewal results in Chrome displaying a "Your connection is not private" error page to every visitor - which functions identically to a security block in terms of traffic impact. Verify your certificate expiry date and renewal status in your hosting control panel.
• SSL does not protect against malware on the server: A common misunderstanding among Chennai business owners is that SSL means their website is secure. SSL protects data in transit. It does nothing to protect against malware injected into server files, SQL injection through forms, or brute force login attacks. All seven remaining essentials address these threats.

A backup is only useful if it is clean, recent, stored separately from the compromised server, and restorable in under an hour. Most Indian business websites meet zero of these four criteria. Understanding why requires understanding how Indian shared hosting backup services typically work - and where they fail.

The Indian shared hosting backup problem:

• Backup stored on the same server as the live site: Hostgator India, BigRock, and most budget Indian hosting providers' included backup services store backup copies on the same physical server as your live website. If the server is compromised or the hosting provider has a system failure, both your live site and the backup are affected simultaneously. You need a backup stored in a completely different location.
• Backup frequency is daily at best, weekly is common: A weekly backup means that any content, product listings, or orders added in the last 7 days is lost when you restore. For an eCommerce store, a week of lost order data can represent Rs 50,000 to Rs 5,00,000 in unrecoverable revenue.
• Backups include already-infected files: If your site was infected 3 days before you discovered it, your daily backup from yesterday is also infected. You need a backup from before the infection - which means having a rolling archive of at least 30 days.

The correct setup for Indian business websites: Install UpdraftPlus (free tier), configure daily automated backups of both files and database, and set Google Drive as the remote destination (free up to 15GB). Set retention to 30 days. Verify the first backup ran correctly by checking your Google Drive. This is the same configuration BYB Traction implements on every WordPress website we build before any other work begins.

A security plugin installed but never configured is theatre, not protection. Wordfence Security, the most widely used WordPress security plugin for Indian websites, requires specific configuration to provide meaningful protection rather than the false confidence of having it installed. The default settings on Wordfence are not optimal for Indian business websites on shared hosting.

Wordfence configuration for Indian business websites:

• Enable the Web Application Firewall in Extended Protection mode: Wordfence's WAF runs in "Basic WordPress Protection" by default, which only scans PHP traffic. Extended Protection mode (configured through the Wordfence .htaccess modification) scans all traffic before WordPress loads, blocking significantly more attack patterns. Instructions are in the Wordfence dashboard under Firewall - Manage WAF.
• Schedule weekly malware scans: Wordfence's default scan schedule is triggered when you log in to WordPress. An Indian business owner who logs in monthly is running monthly scans at best. Set a scheduled weekly scan that runs automatically regardless of admin activity.
• Configure login attempt limiting: Set "Lock out after X login failures" to 5 attempts for a 1-hour lockout. This blocks the automated brute-force bot attacks that probe wp-login.php thousands of times per day on every WordPress installation in India.
• Enable real-time IP blocklist: Wordfence maintains a list of known malicious IPs. The free tier receives this list in near real-time. Enable it in Wordfence settings under Firewall - All Firewall Options.
• Set up email alerts for critical events: Configure Wordfence to email you immediately when malware is found, when a file is modified in WordPress core, or when an admin user logs in from a new location. Early detection is the difference between a contained incident and a full breach.

According to WPScan's vulnerability data, over 90% of WordPress security vulnerabilities are in plugins and themes rather than WordPress core. When a plugin vulnerability is discovered and the developer releases a patch, the vulnerability details become public knowledge within 24 to 48 hours of the patch release. Every WordPress installation in the world running the outdated version of that plugin becomes an active target for automated scanners that probe for the known vulnerability. The time between "patch released publicly" and "Indian business website attacked for the known vulnerability" can be hours, not days.

The update discipline Indian business websites must follow:

• Update WordPress core and all plugins within 7 days of a security release: A security release (marked with a shield icon in the WordPress dashboard) should be treated as urgent. Set a recurring weekly calendar reminder to check WordPress dashboard for available updates if auto-update is not enabled.
• Enable automatic minor version updates for WordPress core: WordPress automatically installs minor security updates (e.g., 6.4.1 to 6.4.2) by default. Verify this is enabled and not disabled by your theme or a plugin in wp-config.php.
• Audit and delete unused plugins immediately: An inactive plugin that is not deleted still contains vulnerable code that automated scanners can exploit. The rule is simple: if you are not actively using a plugin, delete it entirely - not just deactivate it. Deactivated plugins remain in the file system and remain exploitable.
• Check plugin update frequency before installing: In the WordPress plugin directory, the "Last updated" date is visible before installation. Any plugin not updated in over 12 months is a security liability. Plugins not updated in over 24 months should not be installed on any production website regardless of their rating.

Every WordPress website in the world has an admin login page at /wp-admin/ and /wp-login.php by default. Automated bots continuously probe these URLs on every IP address on the internet, attempting to guess username and password combinations using lists of common credentials. This is not a hypothetical risk. If you check Wordfence's login attempt reports after installing it, you will typically see hundreds to thousands of blocked login attempts within the first week - on a completely unknown website that has received no marketing whatsoever. Indian websites are specifically targeted because many were built with the default admin username "admin" and passwords like "password123" or the business name.

Two mandatory admin login protections:

• Change the admin login URL: Use a plugin like WPS Hide Login to move your login page from /wp-login.php to a custom URL like /yourbrandname-access/. Bots probing the default URL will receive a 404 error rather than reaching the login form. This eliminates the vast majority of automated login attacks without any performance cost.
• Enable two-factor authentication (2FA) for all admin accounts: Wordfence includes 2FA for free in its security tools. Every WordPress admin user should have 2FA enabled. Even if a password is compromised through phishing or data breach, the attacker cannot access the admin panel without the second factor from a physical device. This is particularly important for Indian businesses whose admin credentials may have been exposed in the numerous Indian database leaks of 2024 and 2025.
• Rename the default admin username: If your WordPress admin account username is "admin" - which it is by default - create a new admin account with a unique username, transfer all posts and settings to the new account, and delete the "admin" account. Attackers use "admin" as the first username in every login attack.
• Use strong, unique passwords: A password like "Decor@Corner#2024" looks strong but contains a business name and year that attackers use in targeted attacks. Use a randomly generated 16-character password from a password manager.

Wordfence's WAF operates at the application level - it intercepts malicious requests after they reach your hosting server. A network-level WAF intercepts attacks before they reach your server at all. Cloudflare's free tier provides this network-level protection for every Indian website regardless of hosting provider, at zero cost, with the added benefit of dramatically improving page load speed for Indian visitors by serving content from Cloudflare's edge nodes geographically close to the request.

What Cloudflare free tier provides for Indian websites:

• DDoS protection: Distributed Denial of Service attacks flood a website with traffic to make it unavailable. This is increasingly used against Indian business websites by competitors and extortionists. Cloudflare's free tier absorbs DDoS traffic before it reaches your hosting server.
• Bot protection: Cloudflare identifies and blocks known malicious bots, scrapers, and automated attackers before they reach your WordPress installation. This reduces server load and security risk simultaneously.
• SSL termination: Cloudflare provides its own SSL layer, adding an additional encryption tier between visitors and your server.
• Speed improvement for Indian visitors: As covered in detail in BYB Traction's guide to page speed and Google rankings, Cloudflare serves cached assets from its nearest edge node to the Indian visitor - dramatically reducing TTFB for visitors across Chennai, Coimbatore, Hyderabad, and other Indian cities. Security and performance improvement from one free service.
• Under Attack Mode: When a website comes under active attack, enabling Cloudflare's "Under Attack Mode" adds a JavaScript challenge screen that blocks automated bots while allowing genuine visitors through. This can be enabled and disabled in minutes from the Cloudflare dashboard.

Setup is 30 minutes for any Indian website: Go to cloudflare.com, add your domain, change your domain's nameservers at your registrar to Cloudflare's nameservers, and Cloudflare proxies all traffic to your website within 24 to 48 hours. Every Indian business website should have this configured. There is no cost and significant security benefit.

India's Digital Personal Data Protection (DPDP) Act 2023 is the most significant development in Indian website security and compliance since the IT Act 2000. The DPDP Rules were officially notified on November 13, 2025. The Act is partially in effect now, with full compliance enforcement applying from May 13, 2027. The penalties are substantial: up to Rs 250 crore per violation for serious breaches involving large volumes of personal data, and Rs 200 crore for failure to notify the Data Protection Board of India about a personal data breach.

What the DPDP Act means for every Chennai business website:

Every Indian website that collects personal data from visitors - which includes any website with a contact form (name, phone number, email), a subscription form, an enquiry form, a checkout form, or analytics tracking via Google Analytics 4 - is a "Data Fiduciary" under the DPDP Act. Data Fiduciaries have specific obligations:

• Informed consent before collection: Visitors must be informed of what personal data is being collected and for what purpose before you collect it. A contact form that simply asks for name and phone number without explaining that the data will be used to contact the enquirer is not compliant. A clear privacy policy and a consent checkbox linked to it satisfies this requirement for most Indian SME websites.
• Cookie consent for tracking: Analytics cookies (Google Analytics), advertising cookies (Meta Pixel, Google Ads), and any third-party tracking must not be set without the visitor's consent. Install CookieYes or Complianz and configure it to block these cookies until consent is given. This is the same requirement as GDPR for European visitors, now applicable to Indian visitors on Indian websites.
• Privacy Policy page: Every Indian website must have a publicly accessible privacy policy that names the data being collected, how it is used, how long it is retained, and how visitors can request deletion. This is not optional under DPDP and is also required by Google Ads and Meta Ads to run advertising.
• Breach notification to Data Protection Board: If personal data is exposed by a security breach, the DPDP Act requires notification to the Data Protection Board of India. The Rules specify that all breaches must be reported "irrespective of their gravity." The penalty for failing to report is Rs 200 crore per instance.
• Data retention limits: Personal data collected through website forms cannot be retained indefinitely. Implement a process to delete form submissions and CRM contacts that are no longer needed for the purpose for which they were collected.

India's CERT-In (Computer Emergency Response Team) issued mandatory cyber incident reporting guidelines in April 2022 that require all Indian organisations - including small businesses - to report cybersecurity incidents to CERT-In within 6 hours of discovery. This includes website breaches, data theft, malware infections, and ransomware attacks. Most Chennai business owners are not aware of this requirement. Most do not know what CERT-In is. This guide includes it because legal compliance and commercial recovery are both served by having a response plan before an incident occurs rather than figuring it out in real time.

The first 6-hour incident response for a hacked Chennai business website:

• Hour 1 - Contain: Take the website offline immediately if possible (maintenance mode or hosting suspension). This prevents the hack from spreading, stops visitors from encountering malware, and prevents Google from detecting more infected pages. Contact your hosting provider to alert them and request an emergency backup of the current (infected) state for forensics.
• Hour 2 - Change all credentials: Change all WordPress admin passwords, hosting account passwords, FTP credentials, database passwords, and any API keys stored in wp-config.php. Revoke and regenerate any third-party API access tokens. Do this before cleaning the infection, because re-infection after cleaning via compromised credentials is the most common reason cleaned Indian websites are hacked again within days.
• Hour 3 - Identify the entry point: Run Wordfence's malware scan on the backup copy of infected files. Check server access logs for the IP and request pattern that preceded the injection. Check the date of modified files to establish when the infection occurred. This determines whether your clean backup is genuinely clean.
• Hour 4 - Restore from verified clean backup: Restore from a backup that predates the infection date identified in Hour 3. Verify the restored version is clean by running another Wordfence scan before bringing it back online.
• Hour 5 - CERT-In notification: Report the incident at cert-in.org.in. The report requires: the incident type, when it was discovered, affected systems, preliminary analysis of impact, and contact information. This is legally required within 6 hours of discovery for Indian organisations.
• Hour 6 - Notify affected parties: If personal data was exposed during the breach, the DPDP Act requires notification to the Data Protection Board of India. If you collect customer data, assess what was potentially accessible and prepare a notification to affected individuals. If you run Google Ads or Meta Ads, review attribution data to confirm whether the campaign was affected.