I quite regularly hear clients and non-clients alike boldly proclaim their website is safe because it's small and insignificant. It doesn't have sensitive data such as credit card or social numbers on it. The reality is quite different.
The 3 main hacking reasons
Malicious "joyriders"
For want of a better term (and to be polite!) I'll liken them to someone who steals your car, races it round town, then crashes it into something and runs off. These hackers are in it either to hack you because you're there, to see if they can, or to deface your site, either with nasty stuff or to promote something that's "dear" to them.
This sort of hacking is usually very evident when you, or your client, visit the site.
Data thieves
These hackers are out for information, stuff they can either make use of - credit card details, social numbers, etc - or stuff they can sell - proprietary info, membership lists, etc. Unlike the "joyriders", being hacked like this is often hidden and goes undetected for quite some time. Recent examples of this are the well-known fiasco at Target, and, even more recently, Dairy Queen.
"Mule" trainers
Again, some literary license with the naming! I thought of the mules drug dealers use to transport drugs: expendable, and the drug traffickers really don't care about them. So it is with this class of classless hacker. They break into your site to plant trojans. These pieces of code can accomplish a number of things for them. The common ones are DoS (Denial of Service) attacks, or email spamming. Both of these will get you (and your website) banned. Like the data thieves, this hacking can go undetected for some time.
How to stop hackers
Never go on the internet and don't have a website. And never load programs onto your computer unless they are from a reputable source and come shrink wrapped. If teenagers can hack the Pentagon, then none of us are safe. What you need to do is make yourself less attractive than the next guy.
Avoid shared hosting. Yes it's cheap. Of course it is - it generally has low grade security (if any), you're lumped in with who knows who, and bandwidth and space are usually oversold. If you're serious about your site, get a private server - they can be bought quite cheaply now.
Have good security enabled on your server. Not just set up, but activated (don't be the next Target!). You'll generally need someone knowledgeable about this to set it up right, but it's worth the cost to save enormous potential heartache.
Have good security on your site. This is as important as on the server. Install a solid component on your site and lock it down as hard as you can.
Keep your site up to date. The best security product available can become redundant if you don't keep it up to date. But it's not just that. Every component on your site - the platform itself included - needs to be monitored and kept up to date. If your particular platform publishes a vulnerable extensions list, then subscribe and watch for any of yours.
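As an added illustration of the "watch for any of yours" step (not code from any platform), here is a small Python check that compares an inventory of installed components against a vulnerable extensions list. The component names, versions and feed fields are constructed for the example; a real platform's list will have its own format.

```python
import re

# Constructed sample data: the inventory and the feed layout are assumptions for this example.
INSTALLED = {
    "example-gallery": "2.3.1",
    "example-forms": "1.10.0",
    "example-seo": "4.0.2",
    "example-backup": "3.2.0",
}
VULNERABLE_FEED = [
    {"name": "Example-Gallery", "affected_up_to": "2.3.4", "fixed_in": "2.3.5"},
    {"name": "example-forms", "affected_up_to": "1.9.9", "fixed_in": "1.10.0"},
    {"name": "example-backup", "affected_up_to": "3.2.0", "fixed_in": None},
    {"name": "example-slider", "affected_up_to": "1.0.0", "fixed_in": "1.0.1"},
]

def parse_version(text):
    """Turn '1.10.0' into (1, 10, 0) so that 1.10 sorts after 1.9."""
    return tuple(int(part) for part in re.findall(r"\d+", text))

def is_affected(installed, limit):
    """True when the installed version is at or below the last affected version."""
    a, b = parse_version(installed), parse_version(limit)
    width = max(len(a), len(b))
    pad = lambda v: v + (0,) * (width - len(v))  # treat '1.10' as '1.10.0'
    return pad(a) <= pad(b)

def check_components(installed, feed):
    """Return (name, installed_version, action) for each installed, listed component."""
    by_name = {name.lower(): version for name, version in installed.items()}
    findings = []
    for entry in feed:
        name = entry["name"].lower()  # feeds and inventories rarely agree on case
        version = by_name.get(name)
        if version is None or not is_affected(version, entry["affected_up_to"]):
            continue  # not installed here, or already past the affected range
        fixed = entry["fixed_in"]
        action = f"update to {fixed}" if fixed else "no fix listed: disable or remove"
        findings.append((name, version, action))
    return sorted(findings)

if __name__ == "__main__":
    for name, version, action in check_components(INSTALLED, VULNERABLE_FEED):
        print(f"{name} {version}: {action}")
```

Run on a schedule, a check like this turns the subscription into an alert rather than something you have to remember to read.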
Keeping your site safe is much easier than having to restore it (assuming you take backups...), and it spares you the potential liability for cleanup costs from your host if your site was the one hacked.