Website Security & Maintenance Checklist for Mumbai Businesses (2026)

A website goes down at 2 a.m. A plugin gets hacked. Google flags your site as "unsafe." By the time you notice, you've already lost a day of enquiries. Website maintenance services exist to stop exactly this — backups, security patching, uptime monitoring, and speed checks running on a schedule, whether you're watching or not. This checklist gives Mumbai business owners the exact 8-point system we run on client sites every month.
Most Indian SMB websites get built once and then left alone for years. That's how a ₹1.5 lakh website ends up losing rankings, failing SSL checks, or getting quietly blacklisted by Google — not because the build was bad, but because nobody maintained it. If you want a website that keeps generating enquiries in 2026 instead of quietly decaying, work through this checklist.
Why Website Maintenance Isn't Optional Anymore
Website maintenance is the ongoing process of updating, securing, monitoring, and optimising a live website so it keeps working, ranking, and converting after launch. Google's Search Central guidance names outdated software and unpatched CMS platforms as a leading cause of site compromise. A compromised site typically loses its search rankings within days of being flagged.
WordPress alone powers over 40% of the web, according to W3Techs' 2026 CMS usage data. That scale makes it a constant target for automated bots scanning for outdated plugins. Run WordPress, Shopify, or a custom-built CMS for your Mumbai business — the attack surface is the same. Any unpatched component is an open door.
The cost of neglect is rarely a dramatic hack. It's slower: a plugin conflict that breaks your enquiry form for three weeks before anyone notices, or an expired SSL certificate flashing a "Not Secure" warning right as a visitor tries to fill out your contact form. Both kill conversions long before anyone calls it a security issue. A slow, unmaintained site drags down conversions the same way — see our guide on Core Web Vitals for business owners if speed is part of the problem too.
1. Automated Backups — Daily, Off-Server, Tested
A working backup strategy means your site can be restored to a clean state within minutes, not rebuilt from scratch over a week. Prateeksha runs daily automated backups for every maintenance client, stored off-server on a separate provider. A backup sitting on the same compromised server isn't a backup at all.
- Schedule full-site backups (files + database) at least once every 24 hours.
- Store backups on a separate storage provider (S3, Backblaze, or a different hosting account) — never the same server as the live site.
- Keep a minimum 30-day rolling history so you can restore to a date before an issue was introduced, not just the last snapshot.
- Test-restore a backup at least once a quarter. An untested backup is a guess, not a safety net.
For an average Mumbai business site on shared or cloud hosting, backup storage typically adds ₹300–800/month depending on site size. That's a fraction of what one day of downtime costs a service business relying on enquiries.
2. SSL Certificate — Valid, Auto-Renewing, Full-Site
An SSL certificate encrypts data between your visitor's browser and your server. Its absence is one of the fastest ways to lose a lead's trust. Chrome and most modern browsers mark any non-HTTPS page as "Not Secure" right in the address bar — visible before a visitor reads a single word of your homepage.
- Confirm your certificate covers the full domain, including any subdomains (e.g. blog.yourdomain.com, cms.yourdomain.com).
- Set auto-renewal through Let's Encrypt or your hosting provider — manually renewed certificates are the single most common cause of surprise SSL expiry.
- Check for mixed-content warnings (HTTP resources loading on an HTTPS page), which still trigger browser security flags even with a valid certificate.
- Verify your certificate at least monthly using a free checker like SSL Labs. Don't wait for a customer to report the warning.
Most reputable Indian hosts — Hostinger, Cloudways, AWS Lightsail — now bundle free Let's Encrypt SSL. There's rarely a reason to run an unencrypted business site in 2026.
3. Plugin, Theme, and Dependency Updates
Outdated plugins and unpatched dependencies are the entry point for most website compromises. Sucuri's annual Website Threat Research report consistently attributes the majority of hacked WordPress sites to outdated components rather than weak passwords. A maintenance routine has to treat updates as a scheduled task, not a "whenever I remember" one.
- Check for CMS core, theme, and plugin updates weekly — not monthly.
- Apply security patches within 48 hours of release; these are almost always released in response to an active vulnerability.
- Test major version updates on a staging copy of the site before pushing to production, to catch plugin conflicts before customers see them.
- Remove any plugin or theme you're no longer actively using — an inactive plugin is still a vulnerability if it's still installed.
Custom-coded sites (Laravel, Next.js, or similar) aren't exempt. Server-side package dependencies — Composer, npm — carry the same risk and need the same weekly review cycle.
4. Uptime Monitoring — Alerts Within Minutes, Not Hours
Uptime monitoring pings your website every few minutes and alerts you the moment it goes offline, so you can act before customers notice. Without it, most businesses find out their site is down from a customer's WhatsApp message, hours after it actually failed.
- Set check intervals of 1–5 minutes, not the default 30-minute interval many free tools use.
- Route alerts to WhatsApp or SMS, not just email — email delays during an outage are common when your mail server shares infrastructure with the affected site.
- Monitor your enquiry form endpoint specifically, not just the homepage — a site that loads but has a broken form still fails silently.
- Track average response time alongside uptime; a site that's "up" but takes 8 seconds to respond is still losing visitors.
Every minute of downtime on a lead-generation website is a minute where a paid ad click, a Google search result, or a WhatsApp referral hits a dead end. It never converts.
5. Malware Scanning and Blacklist Checks
Malware scanning checks your website's files and database for injected code, spam links, or redirect scripts that hackers use to hijack traffic or damage your rankings. Google's Safe Browsing system blacklists compromised sites automatically. Recovery from a "This site may harm your computer" warning can take days even after the malware is gone.
- Run automated malware scans at least weekly using a tool like Sucuri SiteCheck, Wordfence, or your hosting provider's built-in scanner.
- Check Google Search Console's Security Issues report monthly — this is where Google notifies you directly if your site has been flagged.
- Scan for unauthorised admin users or unfamiliar file changes, a common sign of a compromised login.
- If flagged, request a Google review only after confirming the malware is fully removed — a premature review request can extend the blacklist period.
Not sure if your current site is being maintained properly?
Get a free website health check quote6. Speed and Core Web Vitals Checks
Page speed directly affects both search rankings and conversion rates. Google's own Core Web Vitals data shows sites loading in under 2.5 seconds see meaningfully higher engagement than slower pages. A maintenance routine that ignores speed lets a fast, well-optimised launch slowly degrade as images, plugins, and third-party scripts pile up.
- Run a PageSpeed Insights or GTmetrix check monthly and track Largest Contentful Paint (LCP), Interaction to Next Paint (INP), and Cumulative Layout Shift (CLS).
- Compress and resize images before upload — this remains the single biggest speed win on most Indian SMB sites, which often carry unoptimised phone-camera images.
- Audit third-party scripts (chat widgets, tracking pixels, font loaders) quarterly — each one adds load time even when it isn't visibly broken.
- Enable caching and a CDN if your hosting doesn't include one by default.
If your site has slowed down since launch, that's usually a maintenance gap, not a design flaw. See our website speed optimisation service for a full technical audit.
7. Broken Link and 404 Checks
Broken links quietly damage both user trust and SEO, and they accumulate faster than most business owners expect. A renamed product page, a deleted blog post, or a changed URL structure can all leave dead links behind. A monthly broken-link check catches these before Google's crawler does.
- Crawl your full site monthly for internal 404 errors using Screaming Frog, Ahrefs, or a similar crawler.
- Check outbound links to external sites too — these break even when you haven't touched your own site, since the target page moved or shut down.
- Set up 301 redirects for any page you rename or remove, so old bookmarks and search results still resolve correctly.
- Review Google Search Console's Coverage report for crawl errors Google has already found.
8. Hosting, Compliance, and Renewal Tracking
Website maintenance also covers the administrative side that's easy to lose track of: domain renewal, hosting renewal, and — for Indian businesses — data handling aligned with the Digital Personal Data Protection (DPDP) Act, 2023. A lapsed domain or hosting plan can take a site fully offline with no warning beyond an email most owners never see.
- Set domain and hosting renewal reminders at least 30 days before expiry, ideally with auto-renewal enabled on a valid payment method.
- Keep hosting on servers physically located in India, or with clear data-residency terms, if you collect customer data through enquiry forms — this matters under DPDP Act expectations for Indian businesses.
- Document who has admin access to your CMS, hosting panel, and domain registrar. Access sprawl is a common cause of "nobody knows the password" emergencies.
- Review your privacy policy and cookie consent banner annually as data protection rules in India continue to evolve.
What Website Maintenance Actually Costs in Mumbai
Website maintenance in Mumbai typically runs between ₹3,000 and ₹15,000 per month, depending on site complexity, hosting, and how much of this checklist is included. A basic plan usually covers backups and uptime monitoring only. A complete plan covers all 8 items above plus a monthly report.
| Maintenance Level | Typical Monthly Cost (INR) | What's Included |
|---|---|---|
| Basic | ₹3,000 – ₹5,000 | Backups, uptime monitoring only |
| Standard | ₹5,000 – ₹9,000 | Backups, SSL checks, plugin updates, malware scans |
| Complete | ₹9,000 – ₹15,000 | All 8 checklist items + speed audits + monthly report + priority support |
A single ransomware incident or blacklist recovery can cost far more than a year of complete maintenance. That's true both in direct recovery fees and in lost enquiries while the site is down or flagged.
Want a website that stays fast, secure, and online without you having to think about it?
Talk to us about ongoing website maintenanceFrequently Asked Questions
How often should a business website be backed up?
A business website should be backed up at least once every 24 hours, with backups stored off-server on a separate provider. Sites that update frequently — ecommerce stores, blogs with daily posts — benefit from more frequent or even real-time backups.
What does website maintenance include?
Website maintenance includes automated backups, SSL certificate management, plugin and software updates, uptime monitoring, malware scanning, speed and Core Web Vitals checks, broken-link audits, and hosting/domain renewal tracking. A complete maintenance plan covers all eight areas on a recurring schedule, not just when something breaks.
How much does website maintenance cost in Mumbai?
Website maintenance in Mumbai typically costs between ₹3,000 and ₹15,000 per month, depending on how many services are included. Basic plans cover only backups and uptime monitoring, while complete plans add security scanning, speed audits, and monthly reporting.
Can I maintain my own website instead of hiring a service?
You can maintain your own website if you have the technical skill and time to run weekly update checks, monthly security scans, and backup tests consistently. Most Mumbai business owners outsource this instead, because a missed update cycle is exactly when sites get compromised — and doing it properly every week rarely fits around running the actual business.
What happens if my website gets hacked or blacklisted by Google?
If your website gets hacked or blacklisted, Google typically removes it from search results and shows visitors a security warning until the issue is resolved and a review is requested. Recovery can take anywhere from a few days to several weeks, depending on how fast the malware is removed and how current your backups are — which is why daily backups and weekly scans matter more than any single fix after the fact.