
A few years ago, when I’d open a new client’s server logs, the noise had a recognizable rotation: same botnets, same payloads, predictable timing. You could almost set your watch by them.

Today the noise looks different. Scans are faster, more varied, and increasingly tailored to what the bot finds on the way in. Some of that is genuinely AI. A lot of it is just better automation that’s gotten labeled “AI” because the word sells. Either way, the practical result for a small business website is the same: the window between “vulnerability published” and “your site gets probed for it” is shorter than it used to be.

Here’s what that actually looks like in the work, what’s real, and what’s marketing.

What attackers are actually using AI for

There are three areas where I see real change in client incidents:

Faster reconnaissance. Tools that read your site, identify the CMS, fingerprint plugins, and prioritize known vulnerabilities now do in seconds what used to take a human researcher an hour. This isn’t strictly LLM-style AI, but the tooling has gotten dramatically more capable, and the line between automated attacks and AI-assisted ones has blurred.

Better phishing. This one is genuinely LLM-driven. Generic “Nigerian prince” emails are giving way to messages that match a company’s tone, reference real projects, and address recipients by name pulled from LinkedIn. For website owners specifically, I’ve seen “your hosting account is suspended” emails that perfectly mimic the real notification…with valid DKIM signatures on look-alike sending domains.

Contact form and comment spam that reads like real inquiries. AI-generated spam that gets past keyword filters and sounds plausible enough to waste a small business owner’s time. More on that in my piece on AI-generated contact form spam.

What’s mostly hype: “AI malware that adapts in real time.” This shows up in vendor marketing constantly. In the actual incidents I respond to, the malware families are the same ones I’ve been pulling out of WordPress installs for years. The delivery is faster, but the payload isn’t smarter.

Why outdated sites are first in line

The order of operations for an automated attacker hasn’t changed:

  1. Scan the internet for sites running known-vulnerable software.
  2. Sort the results by exploitability.
  3. Run the exploit.

What’s changed is how fast step one happens. A vulnerability disclosed Monday morning shows up in opportunistic scans by Monday afternoon, so if your site is running the affected version and you’re not patching weekly, you’re in the window.

That’s the real reason small businesses get hit so often… not because they’re targeted personally, but because they’re running the same WordPress, same plugins, same outdated PHP version as ten thousand other sites, and the scanner doesn’t care which one it lands on. An old plugin, an unsupported theme, an unpatched server…each one is a door that doesn’t need to be picked, just tried.

What actually helps

A few unglamorous things that hold up well against the current threat landscape:

  • Patching on a real schedule. Weekly is a reasonable floor for WordPress sites. Critical CVEs warrant same-day attention. The cadence matters more than any individual update.

  • A WAF in front of your site. Cloudflare’s free tier, Sucuri, or a server-level CrowdSec setup all cut a meaningful slice of scanning traffic before it touches your application.

  • A smaller attack surface. Every plugin you don’t need is one less thing to patch. I’ve audited sites running forty-plus plugins where half were inactive but still on disk, which means they’re still scannable and thus still exploitable.

  • Real monitoring. Knowing within minutes that a file changed, a new admin account appeared, or your homepage started serving JavaScript you didn’t write.

  • Backups you’ve actually tested. Restoring from backup is the difference between a bad afternoon and a bad month.
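
As an added example (not code from the original post), here is a small Python script covering two of the monitoring checks above: a SHA-256 manifest diff that reports files added, removed, or changed under a site root, and a scan of homepage HTML for external script hosts outside an allowlist. The site tree, host names, and sample HTML are constructed for the demo.

```python
import hashlib
import re
import tempfile
from pathlib import Path
from urllib.parse import urlparse

def build_manifest(root):
    """Map every file under root (path relative to root, '/'-separated) to its SHA-256 hex digest."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in sorted(root.rglob("*")) if p.is_file()}

def diff_manifest(baseline, current):
    """Return (added, removed, changed) path lists between a stored baseline and a fresh scan."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    changed = sorted(p for p in set(baseline) & set(current) if baseline[p] != current[p])
    return added, removed, changed

SCRIPT_SRC = re.compile(r"<script\b[^>]*\bsrc\s*=\s*[\"']([^\"']+)[\"']", re.IGNORECASE)

def unexpected_script_hosts(html, allowed_hosts):
    """Hosts of external <script src> tags not in allowed_hosts; same-origin (relative) srcs are ignored."""
    hosts = set()
    for src in SCRIPT_SRC.findall(html):
        host = urlparse(src).hostname  # both '//host/x.js' and 'https://host/x.js' yield a host
        if host and host not in allowed_hosts:
            hosts.add(host)
    return hosts

# Constructed homepage snippet: one same-origin script, one allowed CDN, one host nobody approved.
SAMPLE_HTML = (
    '<script src="/wp-includes/js/jquery.min.js"></script>'
    '<script src="https://cdn.example.com/app.js"></script>'
    "<SCRIPT SRC='//unknown.example.net/x.js'></SCRIPT>"
)

def run_demo():
    """Constructed scenario: baseline a tiny site tree, modify one file, drop in another, then diff."""
    root = Path(tempfile.mkdtemp())
    (root / "wp-content" / "plugins").mkdir(parents=True)
    (root / "index.php").write_text("<?php // original index\n")
    baseline = build_manifest(root)  # in practice, store the baseline where the web user cannot write
    (root / "index.php").write_text("<?php // original index\n// constructed modification\n")
    (root / "wp-content" / "plugins" / "dropped.php").write_text("<?php // constructed new file\n")
    return diff_manifest(baseline, build_manifest(root))
```

Run the manifest build from cron against the live tree and compare with the stored baseline; any non-empty result from `diff_manifest` outside a deliberate update is the alert worth paging on.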

None of it’s exciting but all of it works. This is what I focus on under security hardening and updates; it’s the boring discipline that closes the window before the scanner finds it.

The honest bottom line

Overall, AI has changed the timeline more than the threat model. The exploits are familiar; it’s the speed that isn’t. The small business sites that get compromised in 2026 are falling to the same categories of issues as in 2020 (outdated software, weak credentials, unmonitored servers, exposed backup files), just faster.

If you maintain your own site, the question worth asking isn’t “do I need AI-powered defense?” It’s: if a critical vulnerability dropped for my CMS tomorrow, how would I find out, and how long would it take me to patch?

If the answer is “I’m not sure,” that’s the gap to close. Most small businesses aren’t ready to recover from a breach, but most don’t need to recover from one if the basics are handled before the scanner shows up.
