Security is no longer something only large companies worry about. The majority of attacks are automated bots scanning for any site with a known weakness — outdated software, weak passwords, or missing protections.
The basics go a long way: an SSL certificate, a web application firewall, regular updates, hardened logins and off-site backups. Together they block the vast majority of automated attacks and give you a fast recovery path if anything slips through.
The cost of prevention is tiny compared to the cost of a hacked site: lost traffic, lost trust, and the scramble to clean up.