Is your website secure? What the threat looks like in the age of AI

Nobody attacks your website personally. Bots attack every website, and AI has made them faster. Here is where older setups are exposed, and what to ask about.

There is no hacker staring at your clinic. That is the good news. The bad news is that none is needed. Attacks on small websites are automated: bots scan the internet around the clock for sites with known holes, and when they find one, they exploit it without a human involved. Your site does not get chosen. It gets found.

AI did not invent that problem, but it has made it cheaper. The security vendors’ reports point to two trends: the path from “known vulnerability” to “automated attack” is getting shorter, and AI-assisted phishing is getting more convincing, because the content of your site can be used as raw material for emails that sound like you. These are documented trends, not guarantees, but the direction is clear.

That is not a reason to panic. It is a reason to know how your site is actually set up.

The short answer: the threat to small websites is automated attacks on known, unpatched software, not targeted hackers. Your site is exposed if it runs on a CMS and plugins nobody updates, on shared hosting nobody watches. If it is set up with few moving parts and updates as somebody’s actual job, most of that threat is not relevant to you.

Where older setups are exposed

The security vendors’ annual reports consistently point to the same pattern: break-ins on small websites rarely happen through sophisticated attacks. They happen through known holes in software that was never updated. Four places where it typically goes wrong:

A CMS that never gets updated

Many small websites are built in WordPress, delivered by an agency or a freelancer, and never touched again. WordPress can absolutely be run securely. The problem is not the system, it is the ownership: once the project is delivered and paid for, there is often nobody whose job it is to keep it updated. A CMS without updates gets less secure every month that passes.

Plugins: much of your site is someone else’s code

A typical WordPress site runs a double-digit number of plugins: contact form, booking, SEO, gallery, backup. Every plugin is code written by a third party with its own maintainer, its own pace, and its own risk of being abandoned. Your site’s security is, in practice, the sum of all those dependencies. More moving parts, bigger attack surface.

Shared hosting on budget web hosts

Cheap shared hosting, often resold through intermediaries, packs many customers’ sites onto the same servers. If the server runs an old PHP version, so does your site. And in poorly isolated environments, a neighbour’s compromised site can become your problem. You can do everything right and still live in the wrong place.

A login that faces the internet

A CMS means an admin page with a username and password, reachable from anywhere in the world. Bots find it, and bots try to break it, every day, automatically. Without strong passwords, two-factor authentication, and someone paying attention, it is a matter of time and luck.
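
What "someone paying attention" can look like in practice, as an added example (not code from this site or from WordPress): it reads web-server access log lines in Combined Log Format, flags addresses that send bursts of failed logins, and notes when a burst is followed by an accepted login. The login path `/wp-login.php`, the 200-on-failure and 302-on-success convention (WordPress defaults), the thresholds, and the sample log lines are assumptions of the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Combined Log Format: ip - user [time] "METHOD path HTTP/x" status size ...
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)
LOGIN_PATH = "/wp-login.php"   # WordPress default login URL (assumption of this example)
WINDOW = timedelta(minutes=5)  # how far back failed attempts are counted
THRESHOLD = 5                  # failed attempts per window before an IP is flagged

def parse(line):
    m = LINE_RE.match(line)
    if not m:
        return None            # skip lines that are not in the expected format
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return m["ip"], ts, m["method"], m["path"].split("?")[0], int(m["status"])

def review_logins(lines, window=WINDOW, threshold=THRESHOLD):
    """Return {ip: {"failed_burst": n, "success_after_burst": bool}} for noisy IPs."""
    failures = defaultdict(list)   # ip -> timestamps of failures inside the window
    report = {}
    for ip, ts, method, path, status in filter(None, map(parse, lines)):
        if method != "POST" or path != LOGIN_PATH:
            continue               # only submitted login forms are of interest
        if status == 200:          # WordPress re-renders the form on a failed login
            recent = [t for t in failures[ip] if ts - t <= window] + [ts]
            failures[ip] = recent
            if len(recent) >= threshold:
                entry = report.setdefault(ip, {"failed_burst": 0, "success_after_burst": False})
                entry["failed_burst"] = max(entry["failed_burst"], len(recent))
        elif status == 302 and ip in report:   # redirect means the login was accepted
            report[ip]["success_after_burst"] = True
    return report

def _line(ip, sec, status, method="POST", path=LOGIN_PATH):
    return f'{ip} - - [12/Jan/2026:03:14:{sec:02d} +0100] "{method} {path} HTTP/1.1" {status} 512 "-" "-"'

SAMPLE = (  # constructed sample data, not taken from a real server
    [_line("203.0.113.7", s, 200) for s in range(0, 12, 2)]             # 6 failures in 10 s
    + [_line("203.0.113.7", 20, 302)]                                   # then an accepted login
    + [_line("198.51.100.4", 30, 200), _line("198.51.100.4", 40, 302)]  # one typo, then login
    + [_line("192.0.2.9", 45, 200, method="GET")]                       # only viewing the form
)

if __name__ == "__main__":
    print(review_logins(SAMPLE))
```

An address that appears with `success_after_burst` set is the case to act on first: reset that account's password and review what the session did.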

What a smaller attack surface looks like

The opposite of all this is not a more expensive subscription on the same parts. It is fewer parts.

A static website has no database, no admin login, and no plugins to update. There is simply less to break into. Combined with modern hosting where isolation and HTTPS are the default and updates are somebody’s actual job, the four classic holes largely disappear. Not because static sites are magic, but because security scales with how little you leave exposed. It is not risk-free: your domain and DNS can still be hijacked, dependencies can be compromised when the site is built, and the hosting account itself is only as secure as its login. But it is a shorter list, and one you can actually keep an eye on.

That is how we build ourselves. But the point here is not our product. The point is that you should know which category your site is in.

Five questions for whoever looks after your website

  1. When were the site and its plugins last updated, and whose responsibility is it that it happens?
  2. How many plugins does the site run on, and are they all still maintained by their developers?
  3. What server software does the hosting run, and how many other customers share it?
  4. How would we find out if the site were compromised?
  5. What happens to the site if the agreement stops tomorrow?

If your supplier can answer all five clearly, you are probably in good hands, whatever the technology. If they cannot, asking again is not an attack on them. It is your business standing on that domain.
