The Bot Found Your Window Open
Every small business owner I talk to about security says the same thing.
“Why would anyone come after us?”
It’s a logical question, but it misses the real risk.
They think their data isn’t valuable enough. They think they are too small to be a target. They don’t say or sell anything controversial. They assume this only happens to big companies with big budgets and big databases.
That’s not how any of this works.
I’ve spoken to the FBI after a WordPress exploit exposed customer data on a bank’s CMS server, done post-mortems on an e-commerce platform, and worked with a fan fiction site.
None of these were dark web hacker groups — they were scammers with botnets.

It Came Back
Bots are persistent, cheap to operate, and can be sophisticated.
In one e-commerce case, we found a Bitcoin miner using most of the server’s resources after monitoring flagged failures. An outdated plugin let the bot in. The dev team thought removing it fixed the problem.
Two weeks later, the bot returned — now running overnight, using fewer resources to stay hidden. We only noticed during routine maintenance.
The company’s dev team was pushing updates nearly daily.
Nobody knew the bot existed.
This wasn’t some complex hack. A bot found an outdated plugin, walked in, and made itself at home. Only after a deep dig into the system did we find how it was persisting and kick it out for good.
I’ve seen this repeatedly over the past 25 years. Security is not a one-time fix.
Most Attacks Are Not Targeted
A third of all internet traffic is automated bots scanning for open windows. Not your business specifically. Just whatever’s exposed. Imperva’s 2025 Bad Bot Report puts non-human traffic at 51%, and credential-stuffing attacks — bots trying stolen passwords across thousands of sites — jumped 40% last year.
That’s not someone picking your house because it looks easy. That’s a bot checking every window on the block.
Verizon’s 2025 DBIR SMB Snapshot shows why. In small business breaches, 99% are financially motivated. Ransomware groups adjust their demands to fit the size of the company they hit. They don’t care if you have 15 employees or 1,500. They care that your WordPress plugin hasn’t been updated since 2020.
The real question is: is your infrastructure visible and vulnerable enough to be discovered?
A 10-person law firm with client financial records is a higher-value find than a 200-person company with nothing sensitive exposed. Even if you hold nothing valuable, attackers will use your resources for their own purposes. The bitcoin miner didn’t steal data. It stole electricity and CPU cycles.
How to Stop Most Bot Attacks
You don’t need advanced threat detection, an AI-powered security platform, or a complicated SIEM service.
Microsoft’s own research puts it plainly: basic cyber hygiene prevents 98% of attacks. It comes down to three things: use MFA, patch software, and reduce exposure.
Most small businesses skip all three.
What Stops Most Bot Attacks
- Use multi-factor authentication because it blocks automated credential-stuffing attacks. Bots move on when a password alone won’t get them in.
- Patch your software because bots scan for known vulnerabilities in known software. An outdated plugin is an open invitation.
- Reduce your exposure because every unused service, open port, and forgotten test environment is discoverable by automated scanners. Turning them off removes the entry point.
Nearly every online service supports MFA. Most people don’t use it. The businesses I work with that make it mandatory see the difference immediately.
Don’t let headlines about MFA bypasses scare you off. Attackers running botnets aren’t master criminals. Cracking MFA isn’t worth their time when the house next door left a window open.
Patching software is a chore. Like many chores, if nobody is assigned to it, it simply doesn’t get done.
The automated scanners hitting your infrastructure aren’t looking for unknown flaws. They’re running through lists of known vulnerabilities in known software. WordPress is a major target, but bots also run generic exploits against anything they find. These are automated attacks. Nobody is sitting around waiting for a hit. When a bot finds one, it calls home, logs the data, and the attacker reviews it later. Failing to patch your systems makes you the easiest window on the block.
Sometimes reducing exposure means turning off unused services. During audits, I often find forgotten test environments or exposed databases — all discoverable by bots.
Locking down services to the right networks, putting admin areas behind extra layers of protection — that reduces your exposure. The bitcoin miner got in through a plugin that hadn’t been updated in over three years. That’s not a sophisticated attack. That’s an unlocked window.
Who’s Watching?
Just like the doorcam you hope catches whoever nabbed your Amazon package, someone needs to be watching your systems. Not just automated alerts — a person who notices that 90% CPU usage for eight hours straight means something is wrong.
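The "90% CPU for eight hours straight" check above can be automated so that a person is alerted to look, rather than having to stare at dashboards. The following Python script is an added example, not code from the author or RackAID: it reads hourly CPU samples as a monitoring agent might export them, flags any run of samples that stays above a threshold for at least eight hours, and notes whether the run started in off-hours, since the miner in the e-commerce case hid by running overnight. The sample data, the 85% threshold and the 22:00 to 06:00 off-hours window are constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample data (not from the article): hourly CPU samples a
# monitoring agent might export, one "ISO timestamp,cpu_percent" per line.
SAMPLES = """\
2025-03-10T20:00:00,12
2025-03-10T21:00:00,15
2025-03-10T22:00:00,91
2025-03-10T23:00:00,93
2025-03-11T00:00:00,95
2025-03-11T01:00:00,92
2025-03-11T02:00:00,94
2025-03-11T03:00:00,90
2025-03-11T04:00:00,93
2025-03-11T05:00:00,91
2025-03-11T06:00:00,89
2025-03-11T07:00:00,18
2025-03-11T08:00:00,22
"""

# Assumed off-hours window: 22:00 through 05:59.
OFF_HOURS_START = 22
OFF_HOURS_END = 6


def parse_samples(text):
    """Parse 'timestamp,cpu' lines into a time-ordered list of (datetime, float)."""
    rows = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts, cpu = line.split(",")
        rows.append((datetime.fromisoformat(ts), float(cpu)))
    rows.sort()
    return rows


def sustained_high_cpu(rows, threshold=85.0, min_hours=8):
    """Return (start, end) windows in which every sample is at or above
    threshold and the span from the first to the last high sample is at
    least min_hours. A sentinel row closes a run that reaches end of data."""
    windows = []
    start = prev = None
    for ts, cpu in rows + [(None, 0.0)]:
        if ts is not None and cpu >= threshold:
            if start is None:
                start = ts
            prev = ts
            continue
        if start is not None and prev - start >= timedelta(hours=min_hours):
            windows.append((start, prev))
        start = prev = None
    return windows


def is_off_hours(ts):
    """True when the timestamp falls in the assumed off-hours window."""
    return ts.hour >= OFF_HOURS_START or ts.hour < OFF_HOURS_END


def findings(rows, threshold=85.0, min_hours=8):
    """One human-readable line per sustained window, for a person to review."""
    out = []
    for start, end in sustained_high_cpu(rows, threshold, min_hours):
        hours = (end - start).total_seconds() / 3600
        when = "started off-hours" if is_off_hours(start) else "started in business hours"
        out.append(f"{start.isoformat()} to {end.isoformat()}: "
                   f"{hours:.0f}h at >= {threshold:.0f}% CPU ({when})")
    return out


if __name__ == "__main__":
    for line in findings(parse_samples(SAMPLES)):
        print("ALERT:", line)
```

The point of the off-hours note is the one the e-commerce case makes: a process that only works at night, or throttles itself below the usual alert threshold, is exactly what a reviewer should treat as suspicious rather than as a quiet server. Lower the threshold and shorten the window to catch the throttled variant.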
A recent survey found 42% of small businesses have no incident response plan at all [verify — secondary source]. Without a plan, monitoring isn’t happening either.
Cost isn’t actually the problem. CISA and NIST both maintain free cybersecurity programs built for businesses exactly this size. The basics don’t require a security specialist or a big budget. They require someone who decides it matters.
Meanwhile, cyber insurers are starting to force the issue. MFA, tested backups, and incident response plans are becoming prerequisites for coverage, not suggestions. The average small business is already paying over $1,600 a year in cyber insurance premiums [verify — secondary source]. That’s the cost of not having your own controls in place.
Questions Worth Asking
- Do you know what’s actually running on your servers right now — not what should be running?
- When did someone last look at your infrastructure from the outside, the way a scanner would?
- If something was quietly using your resources overnight, how would you find out?
- Which of your software has known vulnerabilities right now?
- Who’s responsible for security — not who pays for it, who’s actually watching?
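The first two questions, and the "reduce exposure" advice earlier, come down to one inventory: what is listening on the server, and which of it is reachable from outside. The following Python script is an added example, not code from the author or RackAID. It parses the output of the Linux `ss -tlnp` command (a real tool; the captured output below is constructed), separates loopback-only listeners from ones bound to every interface, and reports any externally reachable port and process that is not on an allowlist of what the host is supposed to expose. The allowlist is a hypothetical one for a web server with SSH, HTTP and HTTPS.

```python
import re
from ipaddress import ip_address

# Constructed sample of `ss -tlnp` output (not captured from any real host).
# Columns: State Recv-Q Send-Q Local:Port Peer:Port Process
SS_OUTPUT = """\
State   Recv-Q  Send-Q   Local Address:Port   Peer Address:Port  Process
LISTEN  0       128            0.0.0.0:22          0.0.0.0:*      users:(("sshd",pid=812,fd=3))
LISTEN  0       511            0.0.0.0:80          0.0.0.0:*      users:(("nginx",pid=1024,fd=6))
LISTEN  0       511            0.0.0.0:443         0.0.0.0:*      users:(("nginx",pid=1024,fd=7))
LISTEN  0       80             0.0.0.0:3306        0.0.0.0:*      users:(("mysqld",pid=1301,fd=21))
LISTEN  0       128          127.0.0.1:6379        0.0.0.0:*      users:(("redis-server",pid=1410,fd=6))
LISTEN  0       128            0.0.0.0:8000        0.0.0.0:*      users:(("python3",pid=2210,fd=4))
LISTEN  0       128               [::]:22             [::]:*      users:(("sshd",pid=812,fd=4))
"""

# Hypothetical allowlist: the (port, process) pairs this host is meant to expose.
EXPECTED_PUBLIC = {(22, "sshd"), (80, "nginx"), (443, "nginx")}

PROC_RE = re.compile(r'"([^"]+)"')


def parse_ss(text):
    """Return a list of (bind_address, port, process_name) from ss -tlnp output."""
    listeners = []
    for line in text.splitlines()[1:]:  # first line is the column header
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue
        addr, _, port = fields[3].rpartition(":")
        addr = addr.strip("[]")  # IPv6 addresses are bracketed, e.g. [::]
        match = PROC_RE.search(line)
        proc = match.group(1) if match else "?"
        listeners.append((addr, int(port), proc))
    return listeners


def is_public(addr):
    """True when the bind address accepts connections from outside the host.
    '*' (older ss output), 0.0.0.0 and :: mean every interface; loopback
    addresses are local only."""
    if addr in ("*", ""):
        return True
    return not ip_address(addr).is_loopback


def unexpected_exposure(listeners, expected=EXPECTED_PUBLIC):
    """Externally reachable listeners that are not on the allowlist."""
    return [(addr, port, proc) for addr, port, proc in listeners
            if is_public(addr) and (port, proc) not in expected]


if __name__ == "__main__":
    for addr, port, proc in unexpected_exposure(parse_ss(SS_OUTPUT)):
        print(f"UNEXPECTED: {proc} listening on {addr}:{port}")
```

On the constructed sample the script reports the database bound to every interface and a stray `python3` on port 8000, the kind of forgotten test service the audits above keep turning up, while leaving the loopback-only Redis alone. Run the real command on each server, feed its output in, and compare the result with what an external port scan of the same host shows; anything that appears in one list but not the other is worth a question.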
Is Your Window Open?
Nobody targeted the e-commerce store with the bitcoin miner. Nobody targeted the fan fiction site. A bot found an outdated plugin and walked in.
You don’t have to be a target to get hacked. You just have to be exposed.
The good news: bots are lazy. They’re looking for quick wins — open windows, unpatched software, default credentials. Basic security hygiene makes you not worth the effort. They’ll move on to the next one.
Jeff Huckaby · Founder, RackAID
25 years in infrastructure and security. I help businesses find out where they're actually vulnerable and how to fix it.