What people don’t realize when it comes to security threats to their websites is that it’s not the web servers being attacked (though that’s not to say that they aren’t vulnerable). What is being attacked is the actual code of the website. There are some pretty old tricks, like SQL injection and cross-site scripting, that allow attackers to do all sorts of creative things. One of the most common attacks is to dump the contents of a database table that shouldn’t be seen.
For example, you should be able to enter credit card numbers, social insurance numbers, health card numbers, driver’s licenses, and passwords into certain websites, but a visitor to that website shouldn’t be able to ask the web application to show all of the values that have been entered by all users. Another attack is when an attacker injects code into a popular news website that loads another, malicious website, so that when the news page loads, malware loads as well. The end user essentially doesn’t have to interact at all to get malware installed on their system (this is known as a drive-by download).
The first thing to do is have your website assessed. Assessing the situation is a critical step in knowing where you are vulnerable so that you can take appropriate action. Automated tools can be a great way to crawl through all of your pages looking for problems. Once you have an idea of where the vulnerabilities are, you need to plug them up.
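
The table-dump problem described above and one way to plug it, shown side by side as an added example that is not from the original article. It assumes a Python application backed by SQLite; the `accounts` table, its columns, the function names and the records are all hypothetical and constructed for illustration.

```python
import sqlite3


def make_db():
    """Build an in-memory table of constructed (fake) user records."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE accounts (username TEXT, card_number TEXT)")
    db.executemany(
        "INSERT INTO accounts VALUES (?, ?)",
        [("alice", "4000-0000-0000-0001"),
         ("bob", "4000-0000-0000-0002"),
         ("carol", "4000-0000-0000-0003")],
    )
    return db


def lookup_vulnerable(db, username):
    # Flaw: the visitor's input is pasted into the SQL text, so quote
    # characters in the input are parsed as SQL instead of as data.
    query = ("SELECT username, card_number FROM accounts "
             "WHERE username = '%s'" % username)
    return db.execute(query).fetchall()


def lookup_fixed(db, username):
    # Fix: a bound parameter is always a value and never SQL syntax.
    query = "SELECT username, card_number FROM accounts WHERE username = ?"
    return db.execute(query, (username,)).fetchall()


def compare(username):
    """Return (rows from vulnerable lookup, rows from fixed lookup)."""
    db = make_db()
    try:
        return (len(lookup_vulnerable(db, username)),
                len(lookup_fixed(db, username)))
    finally:
        db.close()


if __name__ == "__main__":
    # Constructed inputs: an ordinary username, then one containing quotes.
    for value in ("alice", "x' OR '1'='1"):
        print(repr(value), compare(value))
```

With the quoted input, the string-built query returns every row in the table, while the parameterized query returns none because no user has that literal name.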