Unless you're running a spy site, your site is far more likely to be attacked with known, old exploits than with anything novel. Don't be relieved: you still have to protect your site against all those old threats, and the probability that one of them works is far too high.
Fortunately, truly rigorous auditing can keep you certain that your site is protected against the known threats.
If you wrote the code, you know all too well that you’re letting visitors run it. If the site uses a database, users are touching it, directly or indirectly. What goes into the database is entirely your responsibility. Consider cross-site scripting, for instance: do you know how to prevent or detect it?
Tamper Data is a simple tool for (you guessed it) tampering with the data your browser sends to a web server (and vice-versa). Here’s an outdated example for the sake of simplicity:
This exploit won’t work in most places any more, but it’s a good illustration of how and why people will tamper with your site.
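The defensive lesson behind Tamper Data is that every byte the browser sends can be edited before it reaches you, including hidden form fields, cookies and JSON bodies. The following is an added example (not code from the original article or from the Tamper Data project) of a server-side order handler written in Python that recomputes the total from its own catalogue and treats any client-supplied price only as a tamper signal. The catalogue, SKUs and prices are constructed for the example.

```python
import json

# Constructed server-side catalogue (prices in cents): the only source of truth.
# Whatever 'price' the browser submits is never used for the total.
CATALOG = {"book-101": 1999, "mug-202": 850}


class TamperedRequest(Exception):
    """Raised when the submitted data cannot be trusted at all."""


def parse_order(raw_body: str) -> dict:
    """Parse a JSON order body submitted by the browser.

    Everything in it is attacker-controllable: Tamper Data, or any intercepting
    proxy, can rewrite it after the page's own JavaScript has 'validated' it.
    """
    try:
        body = json.loads(raw_body)
    except json.JSONDecodeError:
        raise TamperedRequest("body is not valid JSON")
    if not isinstance(body, dict):
        raise TamperedRequest("body is not a JSON object")
    return body


def price_order(raw_body: str) -> dict:
    """Return {'total': cents, 'warnings': [...]} computed from server-side data only.

    Field-level checks reject out-of-range values; a client-supplied price that
    disagrees with the catalogue is recorded as a warning worth logging, because
    a legitimate browser never produces it.
    """
    body = parse_order(raw_body)
    sku = body.get("sku")
    qty = body.get("qty")

    if sku not in CATALOG:
        raise TamperedRequest(f"unknown sku {sku!r}")
    # bool is a subclass of int in Python, so exclude it explicitly.
    if not isinstance(qty, int) or isinstance(qty, bool) or not 1 <= qty <= 100:
        raise TamperedRequest(f"quantity out of range: {qty!r}")

    warnings = []
    if "price" in body and body["price"] != CATALOG[sku]:
        warnings.append(f"client price {body['price']!r} != catalog {CATALOG[sku]}")

    return {"total": CATALOG[sku] * qty, "warnings": warnings}


if __name__ == "__main__":
    # Constructed requests: one honest, one with an edited hidden price field.
    print(price_order('{"sku": "book-101", "qty": 2}'))
    print(price_order('{"sku": "book-101", "qty": 2, "price": 1}'))
```

The pattern generalises beyond prices: user IDs, roles, discount codes and "already paid" flags all belong on the server side of the trust boundary, and a mismatch between what the client claims and what the server knows is one of the cheapest tamper detections you can log.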
Your server, your database and your site’s security
Do you host your own site, or is it hosted?
How many sites are hosted on the same server as yours?
What programming languages and platforms does it support?
How many open ports and opportunities for interaction does it offer?
A lot depends on properly sanitizing input that comes from the client to your server and database. Different languages have different techniques (like Perl’s “taint” system), but if you fail to use them your site can be vulnerable to Cross-Site Scripting (XSS).
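Sanitising on the way in is only half of the XSS defence; the other half is escaping on the way out, in the context where the data is rendered. The following added example (not code from the original article) shows both in Python with only the standard library: an allowlist validator for a short field, context-specific escaping for an HTML text node and an attribute value, and a cheap audit check that can be run over rows already sitting in the database. The comment structure and the allowlist are constructed for the example.

```python
import html
import re

# Allowlist for an author name: letters, digits, spaces and a few punctuation marks.
# Rejecting everything else is more robust than stripping a denylist of 'bad' strings,
# which is exactly what the old exploits were built to get around.
NAME_RE = re.compile(r"^[A-Za-z0-9 ._'-]{1,40}$")


def validate_name(name: str) -> str:
    """Validate on input: accept only names matching the allowlist."""
    if not NAME_RE.fullmatch(name):
        raise ValueError("invalid author name")
    return name


def escape_text(value: str) -> str:
    """Escape for an HTML text node (&, <, > are sufficient in this context)."""
    return html.escape(value, quote=False)


def escape_attr(value: str) -> str:
    """Escape for a double-quoted HTML attribute value; quotes must be encoded too."""
    return html.escape(value, quote=True)


def render_comment(author: str, body: str) -> str:
    """Render a stored comment.

    Database content is treated as untrusted at output time regardless of what
    validation happened on the way in: another code path, an older import or a
    direct database edit may have bypassed it.
    """
    author = validate_name(author)
    return (
        f'<div class="comment" data-author="{escape_attr(author)}">'
        f"<b>{escape_text(author)}</b>: {escape_text(body)}</div>"
    )


def looks_like_markup(stored: str) -> bool:
    """Audit heuristic for existing rows: flags tag syntax, event-handler
    attributes or javascript: URLs so that what is already in the database can
    be reviewed. It is a triage filter, not a substitute for escaping."""
    return bool(re.search(r"<\s*/?\s*[a-z]|\bon[a-z]+\s*=|javascript:", stored, re.I))


if __name__ == "__main__":
    # Constructed sample rows as they might come back from the comments table.
    rows = [("Ann", 'say "hi" & bye'), ("Bob", "<script>alert(1)</script>")]
    for author, body in rows:
        print(looks_like_markup(body), render_comment(author, body))
```

Note that the escaping function depends on where the value lands: a text node, an attribute, a URL and a JavaScript string each need different treatment, and a value escaped for one context is not automatically safe in another. Template engines that escape by default cover the common cases, but they still need to be told the context for attributes and URLs.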
Assignment: XSS Me
Watch this video, install this Firefox Add-on and unleash it on your own site or your test sites:
The platform you’ve built on, whether high-level like WordPress or much lower-level like CodeIgniter, will have its own security issues and require monitoring and patching.
And the same interactivity that attracts users and builds your following dramatically increases your risk.
The risk isn’t just yours: your users are taking a risk trusting you with any information, and simply by coming to your site. Injected code, for instance, can both steal data and infect visitors’ computers.