The short answer is: generally, hackers are not after your site in particular. I’ll explain what is behind the many instances of insignificant sites being hacked, and I’ll conclude with a real-life example of why security is important, even if your site doesn’t seem like a likely target.
Most hacking is not targeted, so you don’t have to be a big business or have a website that gets a lot of traffic in order to get caught in the crossfire. Instead, hackers use automated tools to rapidly search many, many sites for a weak spot that will allow them to exploit your site or the resources of the server that your site lives on.
Usually, this weak spot is a plugin that has a security vulnerability. Once attackers know about this flaw, the race is on, and many bad actors may be searching far and wide for any site with this plugin installed. Of course, there are good guys too: the original authors of the flawed software may release an update that fixes the problem right away. But you still need to install the update to protect your site! So if you don’t monitor your site and keep up with the latest security news, you might get hacked.
If your site is hacked, the attackers can do things like redirect your website to nefarious sites, insert ads into your legitimate content, or even use your server resources as part of a “bot” network for their own purposes.
For example, last year, a client whose site I manage made use of a plugin that had a previously unknown security vulnerability. A rogue security researcher publicized this vulnerability without giving a heads-up to the original author. Of course, the result was hooligans hacking sites left and right, not for monetary gain (this time) but for “pranks”. But because I monitor security news, I was able to apply the needed update to my client’s site within an hour or so of the published report. My client was not affected.
Unfortunately, these so-called pranks had serious consequences for other site owners. In one security forum, an anonymous site owner who runs a niche website with a modest following reported that he had sent out a major email campaign, not knowing he had just been hacked. Hundreds of his readers clicked a link to his site, only to be redirected to very unsavory sites instead. As a result, the mailing list that had been his livelihood was decimated. His only recourse was to let the readers know via the website, after it was restored, that the problem had been a result of hacking, but the damage was done.
The lesson is clear: any site can be a target, and the stakes are high.