What actually happens to small business sites
The threat model people imagine is a person deciding to attack them. The real one is a script that has never heard of them.
Automated scanning, constantly
Bots sweep the internet for known vulnerabilities in common software. A plugin advisory gets published, and exploitation of unpatched installs begins almost immediately, at scale, everywhere. The window between a patch existing and your site being probed for it is short. This is why "we will update it next quarter" is a decision, not a delay.
Credential attacks
Automated login attempts using passwords leaked from unrelated breaches. This works because the same password gets reused. If your site admin password is your email password, one breach at a company you have forgotten about is your site.
Your site as someone else's infrastructure
The goal is usually not to deface you. It is to use you quietly: host spam pages under your domain, send mail from your reputation, serve something to your visitors. A compromised site often looks completely normal to its owner for months. The first sign is frequently Google flagging you, and by then your domain reputation is already damaged, which hurts your email deliverability too.
The way in that is not the site
Your domain registrar account, your DNS, your hosting login, your email. Take over the registrar account and the site is irrelevant: they own where it points. This is why two-factor on the registrar and the host matters at least as much as anything on the site itself, and it is almost always the last thing anyone secures.