No. There's no such thing as a website too small to be a target.
That surprises people. The thinking goes something like, "we're a local business, we're not a bank, why would anyone bother with us?"
It's a fair assumption. It's also out of date.
The thing coming for your website isn't a person who sized you up and decided you were worth the effort. It's a bot. And bots don't care how big you are.
They scan the entire internet, all day, looking for one thing. An opening. An outdated plugin, a weak password, a setting someone forgot to lock down.
When they find one, they walk in. It's never personal.
The attack isn't aimed at you. It's aimed at whatever's unlocked.
In 2026 this got faster. The same automation everyone's excited about <cough>AI</cough> is being pointed at finding unpatched weaknesses in hours instead of weeks. A gap that used to sit quietly for a month now gets found over a weekend.
This is why "we're too small to worry about it" becomes the riskiest position to hold.
Not because your business is a prize. Because an unattended website is an easy door, and easy doors get tried first.
The good news is the fix isn't dramatic. Most of what keeps a small site safe is unglamorous and ongoing. Software stays current. Passwords are real. Backups exist and actually work. Someone is paying attention.
None of that requires fear. It just requires that the site isn't left completely alone.
A website doesn't get safer by being small. It gets safer by being looked after.
