I've been working on a web analyzer plugin for WordPress, and I've been paying a lot more attention to web logs than usual. It’s really made it clear how much websites are constantly being attacked. On a daily basis, even if you have a small website, people are likely running scripts to find exploits in plugins or outdated software versions of anything you're running.
I see people hitting 80+ URLs in a row, all of them returning nothing, but they’re searching for specific files from known plugins that might contain vulnerabilities they can exploit.
This really emphasizes two things. First, keep your software updated. I'm looking at web logs, but this applies to operating systems, programs, and anything that runs regularly on your computer should be updated as soon as updates are available. Second, having your own custom-written web software can be a huge security advantage. Most automated scripts targeting common plugins won’t work on you.
The only time you're likely to get hacked is when someone is specifically targeting your website and actively searching for vulnerabilities. Finding exploits, especially in custom code with no public references, usually takes a long time, unless you're really careless and leave obvious issues like SQL injection vulnerabilities exposed.