Why Your DIY Website Is Being Attacked

Today I’m going to explain why DIY websites are far more exposed to attacks than most people realise, even when nobody knows they exist.

I recently tested this myself. I registered two brand new domain names, put up very simple websites, and didn’t tell a single person about them. No links, no promotion, nothing.

Within 24 hours, the server logs were full of activity.

Not visitors — attacks.

People (or more accurately, automated bots) were probing the sites looking for:

  • WordPress admin logins

  • AWS credentials

  • Common file paths like /wp-admin/config/backup

  • Known vulnerabilities in plugins and scripts

If any of those had existed and were not properly secured, the sites would have been compromised almost immediately.

That’s the bit most people miss: you don’t need to be visible to be targeted.


What’s actually happening

There are automated systems constantly scanning the internet. They don’t care who you are — they just look for weaknesses.

When you launch a DIY site, especially using common tools, you’re dropping something new into an environment where:

  • Thousands of bots are scanning every minute

  • Known weaknesses are tested automatically

  • No human needs to “find” your site

So even a quiet, brand new website is treated the same as a busy one.


Where DIY websites go wrong

If you’re building your own site, here are the common risks I see:

1. Default setups are left unchanged

Most DIY platforms install with predictable settings.

That means:

  • Admin URLs are standard (/wp-admin)

  • Default usernames like “admin” are used

  • No login protection is added

Bots know all of this already.

Action you can take now:

  • Change default usernames

  • Use strong passwords (not reused anywhere else)

  • Limit login attempts


2. Plugins and themes become weak points

This is a big one with WordPress.

Each plugin or theme you install:

  • Adds more code

  • Introduces potential vulnerabilities

  • Needs ongoing updates

If one is outdated, it can be enough to break the whole site.

Action you can take now:

  • Remove anything you’re not using

  • Only install well-supported plugins

  • Keep everything updated weekly


3. No proper backups

Many DIY sites have either:

  • No backups

  • Or backups stored on the same server

If the site is compromised, the backup often goes with it.

Action you can take now:

  • Set up automatic daily backups

  • Store them off-site (not on the same hosting account)


4. Poor hosting security

Cheap hosting often means:

  • Shared environments

  • Minimal protection

  • Slow or no response to threats

You might be secure — but someone else on the same server isn’t.

Action you can take now:

  • Avoid the cheapest hosting options

  • Look for providers that include firewall and malware protection


5. Sensitive files left exposed

This is exactly what those bots were looking for on my test sites.

Things like:

  • Configuration files

  • Backup files

  • Old versions of the site

If exposed, they can give full access.

Action you can take now:

  • Never leave backups in public folders

  • Remove unused files

  • Use proper file permissions


Why “flat” sites are safer than WordPress

A flat site (simple HTML/CSS, no database) has a much smaller attack surface.

That means:

  • No login system to break into

  • No plugins to exploit

  • No database to access

  • Far fewer moving parts

WordPress, on the other hand:

  • Is widely used (so heavily targeted)

  • Relies on plugins

  • Requires constant maintenance

It’s not that WordPress is “bad” — it just needs to be managed properly.

A flat site removes most of the risk by design.


Personal little-known trick

Block what you don’t use.

If your site doesn’t need:

  • /wp-admin

  • /xmlrpc.php

  • Or any login area

You can block access to those completely at server level.

Most people never do this, but it instantly removes a huge number of attack attempts.


Another personal little-known trick

Watch your logs (even briefly).

You don’t need to understand everything — just look.

If you see:

  • Repeated login attempts

  • Requests for strange file paths

  • Lots of 404 errors in patterns

That’s bots scanning your site.

It’s a quick reality check that this is happening constantly.
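
The quick log check described above, as an added example that is not part of the original post: a short Python script that reads access-log lines in the common "combined" format and reports the three patterns listed. The sample lines, the path patterns and the thresholds are constructed assumptions for illustration.

```python
import re
from collections import Counter, defaultdict

# Constructed sample lines in "combined" log format (not real traffic;
# the IPs come from the RFC 5737 documentation ranges).
SAMPLE_LOG = """\
203.0.113.7 - - [01/Jan/2025:10:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 1820 "-" "Mozilla/5.0"
203.0.113.7 - - [01/Jan/2025:10:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 1820 "-" "Mozilla/5.0"
203.0.113.7 - - [01/Jan/2025:10:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 1820 "-" "Mozilla/5.0"
198.51.100.23 - - [01/Jan/2025:10:01:10 +0000] "GET /.env HTTP/1.1" 404 153 "-" "curl/8.0"
198.51.100.23 - - [01/Jan/2025:10:01:11 +0000] "GET /.aws/credentials HTTP/1.1" 404 153 "-" "curl/8.0"
198.51.100.23 - - [01/Jan/2025:10:01:12 +0000] "GET /backup.zip HTTP/1.1" 404 153 "-" "curl/8.0"
192.0.2.50 - - [01/Jan/2025:10:02:00 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
192.0.2.50 - - [01/Jan/2025:10:02:01 +0000] "GET /favicon.ico HTTP/1.1" 404 153 "-" "Mozilla/5.0"
"""

# client IP, request method, request path, status code
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+)[^"]*" (\d{3}) ')
# Assumed patterns: login endpoints and sensitive-looking paths.
LOGIN_RE = re.compile(r"/(wp-login\.php|xmlrpc\.php)", re.I)
PROBE_RE = re.compile(r"(wp-admin|\.aws|credentials|config|backup|\.env)", re.I)

def summarise(log_text, login_threshold=3, not_found_threshold=3):
    """Group scanner-like behaviour by client IP."""
    logins, probes, not_found = Counter(), defaultdict(set), Counter()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined format
        ip, method, path, status = m.groups()
        if method == "POST" and LOGIN_RE.search(path):
            logins[ip] += 1            # repeated login attempts
        if PROBE_RE.search(path):
            probes[ip].add(path)       # requests for strange file paths
        if status == "404":
            not_found[ip] += 1         # lots of 404s from one client
    return {
        "repeated_logins": {ip: n for ip, n in logins.items() if n >= login_threshold},
        "probed_paths": {ip: sorted(p) for ip, p in probes.items()},
        "404_bursts": {ip: n for ip, n in not_found.items() if n >= not_found_threshold},
    }

if __name__ == "__main__":
    for finding, by_ip in summarise(SAMPLE_LOG).items():
        print(finding, by_ip)
```

To run it against a real log, pass the file's contents to `summarise()` in place of `SAMPLE_LOG`; the single stray 404 from the ordinary visitor in the sample stays below the threshold and is not reported.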


Why getting help early matters

Security isn’t something you bolt on later.

If your site is set up properly from the start:

  • Risks are reduced straight away

  • You avoid costly clean-ups

  • You don’t lose data or reputation

Fixing a hacked site is always harder than securing it in the first place.


Final thought

If there’s one thing you should do now, it’s this:

Make sure your site isn’t running on default settings — that alone stops a large number of basic attacks.