In 2025, CERT-In (India's national cybersecurity agency) reported that cyberattacks on Indian businesses increased by 67% year-over-year. WordPress websites — the most popular website platform in India — are a primary target.
The uncomfortable truth: if your WordPress site is hacked, the consequences for an Indian small business can be devastating. You may lose years of SEO rankings when Google blacklists your domain. You may lose customer trust when they see your defaced site. You may face data breach liabilities under India's DPDP Act. And you'll face significant costs to clean up and restore a compromised website.
The encouraging truth: the vast majority of WordPress hacks are entirely preventable. Most breaches happen because of easily avoidable mistakes — outdated plugins, weak passwords, no security plugin, or cheap hosting with poor server security.
This guide walks you through every security measure an Indian small business should implement to make their WordPress website significantly harder to attack — and to recover quickly if the worst does happen.
Reality check on WordPress security — WordPress itself is a very secure platform. The WordPress core development team releases security patches rapidly and maintains a strong security record. The vast majority of WordPress breaches come from vulnerable plugins and themes, weak passwords, and poor hosting security — not from WordPress itself. This means security is almost entirely in your control.
| 90,000+ WordPress sites attacked per minute globally | 43% Of websites run WordPress (major target) | 90% Of hacked WP sites had outdated plugins | 67% Rise in cyberattacks on Indian businesses (2025) |
|---|
Table of Contents
Understanding the Threat Landscape for Indian WordPress Sites
Security Foundation — 7 Non-Negotiable First Steps
Install and Configure a WordPress Security Plugin
Secure Your WordPress Login
Protect Against Common Attacks
Server-Level Security
Backup Strategy for Indian Businesses
India-Specific Security Considerations
How to Respond if Your WordPress Site is Hacked
WordPress Security Checklist
Frequently Asked Questions
1. Understanding the Threat Landscape for Indian WordPress Sites
Before implementing security measures, it helps to understand what you're defending against. The most common attacks on Indian WordPress websites in 2026:
Brute Force Attacks
Automated bots attempt thousands of username/password combinations per minute at your WordPress login page (yourdomain.com/wp-login.php). If you use a weak password or the default 'admin' username, this attack has a reasonable chance of succeeding. These attacks happen to virtually every WordPress site — it's not personal, it's automated.
Outdated Plugin Vulnerabilities
When a security researcher discovers a vulnerability in a WordPress plugin, they typically disclose it to the plugin developer, who releases a patch. But between the vulnerability being discovered and every WordPress user updating the plugin, there's a window where malicious actors actively scan the internet for vulnerable sites. This is why same-day plugin updates matter.
SQL Injection
Attackers attempt to inject malicious code into your database through vulnerable form fields or URL parameters. A successful SQL injection can expose all your customer data, let attackers modify your content, or take complete control of your database.
Cross-Site Scripting (XSS)
Malicious scripts are injected into your web pages and executed in visitors' browsers. These can steal login cookies, redirect users to malicious sites, or display fraudulent content on your site.
Data Harvesting and DPDP Compliance Risks
India's Digital Personal Data Protection (DPDP) Act 2023 creates legal obligations for businesses that collect personal data online. A compromised WordPress site that leaks customer data doesn't just damage reputation — it may create regulatory liability. Proper security is now also a compliance matter for Indian businesses.
2. Security Foundation — 7 Non-Negotiable First Steps
Implement all seven of these immediately if you haven't already. They cost nothing and address the most common attack vectors:
Step 1: Update Everything — Today
Go to Dashboard > Updates. Update WordPress core, all plugins, and all themes. This single action closes more security vulnerabilities than anything else. Set a calendar reminder to do this every week.
Step 2: Delete Unused Plugins and Themes
Every installed plugin or theme — even if deactivated — is a potential entry point for attackers. Go to Plugins > Installed Plugins. Deactivate and delete anything you're not actively using. Do the same for Themes — keep only your active theme plus one default theme as a fallback.
Step 3: Change the Default Admin Username
If your main WordPress admin account is named 'admin', change it immediately. 'Admin' is the first username that every brute force tool tries. Create a new admin user with a different username, log in as that new user, and delete the old 'admin' account. Transfer all posts/pages to the new account when prompted.
Step 4: Use Strong, Unique Passwords
Every WordPress user account — especially admin accounts — should use a long, complex, unique password. Use a password manager (Bitwarden is free and excellent) to generate and store passwords. A strong WordPress password should be at least 16 characters, combining upper/lowercase letters, numbers, and symbols. Never reuse passwords across different sites.
Step 5: Enable HTTPS (SSL)
If your site isn't on HTTPS yet, this is your most urgent security task. An SSL certificate encrypts all data transmitted between your server and visitors' browsers — including form submissions, login credentials, and payment details. Get a free Let's Encrypt SSL certificate through your hosting provider (most Indian hosts provide this in cPanel).
Step 6: Set Up Automated Backups to an Off-Site Location
A good backup is your ultimate security safety net. Install UpdraftPlus (free), configure it to back up your complete site (files + database) daily, and store the backups in Google Drive or Dropbox — not on your hosting server. If your site is compromised, you need a clean, off-site backup to restore from.
Step 7: Verify Your Hosting Security
The security of your WordPress site is partially determined by your hosting provider's server security. Check that your host: keeps server software (PHP, Apache/Nginx/LiteSpeed, MySQL) updated, provides a web application firewall (WAF), offers malware scanning, and isolates accounts so one compromised site doesn't affect others on the same server. These are standard on reputable Indian hosts.
3. Install and Configure a WordPress Security Plugin
A dedicated security plugin adds multiple layers of protection: a firewall that blocks malicious traffic, malware scanning, login protection, and alerting. Here are the best options for Indian WordPress sites:
| Plugin | Key Features | Cost | Best For |
|---|---|---|---|
| Wordfence Security | Firewall, malware scanner, login protection, real-time threat intelligence | Free core / ₹7,000+/yr premium | Most Indian WordPress sites — the free version is complete |
| Sucuri Security | Activity auditing, file integrity monitoring, security hardening, CDN/firewall | Free / $199+/yr premium | Businesses needing CDN-level WAF |
| iThemes Security | Brute force protection, file change detection, 2FA, database backup | Free / ₹8,000+/yr | complete all-in-one approach |
| All-In-One WP Security | Firewall, login lockdown, file monitoring, DB security — user-friendly | Free | Budget-conscious businesses new to security |
Our recommendation for most Indian small businesses: Install Wordfence (free version). After installation:
**Go to Wordfence > Firewall: **Set to 'Extended Protection' (requires adding Wordfence to wp-config.php — Wordfence guides you through this).
**Go to Wordfence > Scan: **Run a full scan immediately. Review and address any identified issues.
**Go to Wordfence > Login Security: **Enable two-factor authentication (2FA) for all admin users.
**Set up email alerts: **Configure Wordfence to email you immediately if malware is found or if a user is blocked after failed login attempts.
4. Secure Your WordPress Login
The WordPress login page is the most attacked element of any WordPress site. Here's how to lock it down:
Change the Login URL
By default, every WordPress site's login page is at yourdomain.com/wp-login.php. Bots scan for this URL and attempt brute force attacks 24/7. Use WPS Hide Login (free plugin) to change your login URL to something non-obvious, like yourdomain.com/staff-portal or yourdomain.com/secure-access. This alone eliminates the vast majority of automated brute force attacks.
Enable Two-Factor Authentication (2FA)
2FA requires users to enter a time-sensitive code from an authenticator app (Google Authenticator, Authy) in addition to their password. Even if an attacker obtains your password, they cannot log in without your phone. Enable 2FA for all admin-level WordPress users via Wordfence or the WP 2FA plugin.
Limit Login Attempts
WordPress, by default, allows unlimited login attempts. Limit Login Attempts Reloaded (free plugin) blocks an IP address after a set number of failed attempts (typically 3–5). This makes brute force attacks impractical. Wordfence does this automatically as part of its protection.
Disable XML-RPC if Not Needed
WordPress's XML-RPC feature (a remote publishing protocol) is a common attack vector for brute force attacks and DDoS amplification. If you don't use it (most businesses don't), disable it. Add this to your .htaccess file or use the Disable XML-RPC plugin.
5. Protect Against Common Attacks
Enable WordPress Firewall
A WordPress application firewall filters incoming traffic and blocks requests that match known attack patterns (SQL injection attempts, XSS, bad bots, and more). Wordfence and Sucuri both include a WAF in their free versions. For maximum protection, consider a DNS-level WAF through Cloudflare's free tier.
Protect the wp-config.php File
wp-config.php contains your database credentials and security keys. Block direct access to it by adding these lines to your .htaccess file:
Place the following in your .htaccess, above the WordPress rules:
order allow,deny
deny from all
Disable File Editing in the Dashboard
WordPress allows admins to edit theme and plugin files directly through the Dashboard (Appearance > Theme Editor). This is a security risk — if an attacker gains admin access, they can inject malicious code. Disable this by adding to wp-config.php:
define('DISALLOW_FILE_EDIT', true);
Protect Against Comment Spam and Bot Traffic
Install Akismet (official WordPress spam protection plugin — free for personal sites, ₹600+/month for business) to filter comment spam. Malicious comment spam can be used for SEO spam injection and in extreme cases for XSS attacks. Enable CAPTCHA (Google reCAPTCHA v3) on all public-facing forms via the Simple Cloudflare Turnstile or WPForms plugin.
6. Server-Level Security
While some of these are handled by your hosting provider, it's worth understanding and verifying:
| PHP version | Ensure you're on PHP 8.2+. Older PHP versions have known vulnerabilities. Check in cPanel > Select PHP Version. |
|---|---|
| File permissions | WordPress files should be 644 and directories 755. The wp-config.php file should be 600. Incorrect permissions are a common vulnerability. |
| Database prefix | The default WordPress database table prefix is 'wp_'. Change it during installation to something like 'aapt84_'. SQL injection attacks often assume the default prefix. |
| Error display | Disable PHP error display in wp-config.php: define('WP_DEBUG_DISPLAY', false). Visible PHP errors leak code information to attackers. |
| Server firewall | Your host's server-level firewall (separate from the WordPress WAF) should be active. Verify with your hosting provider. |
7. Backup Strategy for Indian Businesses
Backups are not just a maintenance task — they're your disaster recovery plan. For an Indian business, here is the backup strategy we recommend:
The 3-2-1 Backup Rule for WordPress India
3 copies of your data: the live site, plus two backups
2 different storage media: e.g. your hosting server + a cloud service
1 off-site copy: stored completely separately from your web host (Google Drive, Dropbox, Amazon S3)
Backup Frequency Recommendations
| Basic informational site | Daily automated backup, retain 30 days, off-site storage |
|---|---|
| Lead generation site | Daily automated backup, retain 60 days, off-site + local copy |
| E-commerce / WooCommerce | Daily or real-time backup, retain 90 days, multiple off-site locations |
| High-transaction site | Real-time or hourly backup — consider BlogVault for managed backups |
For the implementation: Install UpdraftPlus, set backup schedule to daily, configure remote storage to Google Drive (free up to 15GB), set retention to 30 copies. Test the restore process on a staging site at least once a quarter.
8. India-Specific Security Considerations
DPDP Act Compliance
India's Digital Personal Data Protection (DPDP) Act 2023 requires businesses to protect personal data collected online. For WordPress site owners, key obligations include: having a clear privacy policy, obtaining explicit consent for data collection, implementing appropriate security measures (this entire guide), and having a process for data breach notification. Consult a legal professional for full DPDP compliance advice.
Payment Data Security
If you accept payments on your WordPress/WooCommerce site, never store raw payment card data on your server. Always use PCI-compliant payment gateways (Razorpay, Paytm, CCAvenue) that handle card data on their servers. Ensure your payment gateway integration uses their hosted payment page or iframe — not a custom form that transmits card data through your server.
GST Data Protection
Many Indian e-commerce and B2B WordPress sites collect GST numbers, PAN details, and company registration information from clients. This data should be stored encrypted in your database and access should be restricted to necessary personnel only.
9. How to Respond if Your WordPress Site is Hacked
Despite all precautions, a breach can happen. If you suspect your site has been compromised, here's the response procedure:
**Stay calm and act quickly: **Time matters. The longer a compromised site runs, the more damage (SEO blacklisting, further data exposure, spread to visitors).
**Put the site in maintenance mode: **Immediately prevent visitors from accessing a potentially dangerous site. Use a 'Coming Soon' page or contact your host to temporarily disable the site.
**Alert your hosting provider: **Most reputable Indian hosting providers have security response teams. Notify them immediately — they can help identify the breach vector and may have server-level tools to assist.
**Restore from clean backup: **Ideally, restore from your most recent clean backup (before the compromise). This is the fastest and most reliable recovery method.
**If no clean backup is available — full malware clean: **Use Wordfence or hire a professional WordPress security specialist to identify and remove all malicious code, backdoors, and infected files. This is complex work — do not attempt it without expertise.
**Change all passwords: **Reset passwords for all WordPress admin users, your hosting account, cPanel, FTP, and any connected email accounts.
**Identify and fix the vulnerability: **Determine how the attacker got in (usually outdated plugin). Remove the vulnerability before relaunching.
**Submit for Google review: **If Google blacklisted your site (showing 'This site may be hacked' in search results), submit a reconsideration request in Google Search Console > Security Issues after the site is clean.
10. WordPress Security Checklist — Quick Reference
| Security Task | How Often | Status |
|---|---|---|
| Update WordPress core | Weekly | ☐ |
| Update all plugins | Weekly | ☐ |
| Update themes | Weekly | ☐ |
| Check uptime monitoring alerts | Daily | ☐ |
| Review Wordfence security scan | Weekly | ☐ |
| Review login attempt logs | Weekly | ☐ |
| Run full malware scan | Monthly | ☐ |
| Verify backups are completing | Weekly | ☐ |
| Test restore from backup | Quarterly | ☐ |
| Review admin user accounts | Monthly | ☐ |
| Check SSL certificate expiry | Monthly | ☐ |
| Review installed plugins (prune unused) | Quarterly | ☐ |
| Check Google Search Console security | Monthly | ☐ |
| Update PHP version if needed | Annually | ☐ |
| Review hosting security features | Annually | ☐ |
Frequently Asked Questions
How do I know if my WordPress site has been hacked? Signs include: Google showing 'This site may be hacked' in search results, your hosting provider suspending your account, new admin users you didn't create, your homepage redirecting to another site, visitors reporting seeing strange content, or Wordfence alerting you to malware in a scan. Check Google Search Console > Security Issues monthly as a proactive measure.
Does WordPress get hacked a lot in India? WordPress sites globally — and in India — are frequent targets because they're the most popular platform. However, being targeted doesn't mean being hacked. The vast majority of successful WordPress hacks exploit known, patched vulnerabilities in outdated plugins. Sites that keep plugins updated, use strong passwords, and have a security plugin installed are statistically much less likely to be compromised.
How much does it cost to fix a hacked WordPress site in India? Professional WordPress malware removal in India typically costs ₹5,000–₹25,000 for a standard clean-up. If significant data has been lost or the site requires a full rebuild, costs can be significantly higher. This is why a monthly maintenance and backup plan (₹3,999–₹8,000/month) is almost always more cost-effective than dealing with a hack recovery.
Is Wordfence free enough for a small Indian business? Yes — Wordfence's free tier is very complete. It includes the firewall, malware scanner, login protection, and 2FA. The paid version adds real-time threat intelligence (rather than 30-day-delayed definitions) and advanced firewall rules. For most small Indian businesses, the free version provides sufficient protection when combined with the other steps in this guide.
Do I need to worry about WordPress security if my site doesn't take payments? Yes, absolutely. Payment data theft is only one type of attack. Hackers also target WordPress sites for: SEO spam (injecting hidden links to sell pharma or gambling sites — destroying your Google rankings), email spam (using your server to send millions of spam emails), DDoS participation (using your server as part of a botnet), and ransomware. Any WordPress site on the internet is a potential target, regardless of whether it takes payments.
Is Your WordPress Site Secure Against 2026's Threats? — Aapta Solutions provides complete WordPress security management for Indian businesses — including Wordfence Pro, daily scans, firewall management, and guaranteed 24-hour response to security incidents. 👉 Get Your Free WordPress Security Audit → aapta.in/wordpress-maintenance-services/
Need help with this?
Our team has 19+ years of experience and can help you implement everything discussed in this article.
Book a Discovery Call