When you think of malicious hacking, you probably think of big sites being targeted. Cases like the massive security breach at Target spring to mind, or the alleged Russian hacking of the DNC this past election season. But did you know that attackers don’t only target major websites? That, actually, little sites are being bombarded every day?

The web security company SiteLock recently released a study that exposed the myth behind “security by obscurity,” or the idea that you’re safe from cyber attacks just because you’re small. In fact, they found that exactly the opposite was the case: Small websites are being attacked multiple times per day. It’s a war zone out there, guys!

Here are some takeaways from the SiteLock study.

1. No one is too small to attack.

SiteLock found that sites, on average, experience 22 attacks per day. That adds up to more than 8,000 attacks per year. And contrary to what you might expect, only 1 percent of those sites are ecommerce sites. The rest are blogs, small business sites, and non-profits.

2. Attackers are after more than you realize.

Sure, usernames and passwords are a common target. But that’s not the only information that attackers are searching for when they hit a site. They could also be looking to steal resources like bandwidth or website traffic. They could be seeking other types of customer data. And yes, of course, they might be going after email addresses. Unfortunately, that means that pretty much any site is potentially useful to a cyber criminal.

3. They love the comments section.

You know that comments section you’ve been carefully building and curating in order to create a robust community on your blog? Yeah — attackers love that.

According to the study, 21 percent of hacked blogs are infected with spam; 21 percent have traffic stolen; and 6 percent have resources stolen. Spam can be found in those comments sections, where backlinks and other random content send people to garbage sites. Stolen traffic happens when attackers literally reroute users away from the site they’re trying to access. And resource theft is when attackers steal things like bandwidth.

Even sketchier? Only 7 percent of attacks involve website defacement, which means that the vast majority are undetectable. That’s part of their plan: They don’t want you to know that they’re there, because that limits how much — and how long — they can steal from you.

4. SMBs and non-profits are at risk.

Because so many small and medium sized businesses (SMBs) create a website and then don’t properly manage it, they’re a great target for attackers who run shell programs. Shell programs get between the user and the website and can be used to collect sensitive information about website visitors. SiteLock found that 39 percent of SMB websites were infected with shell programs.

As for non-profits, the only question you have to answer is: Where does the money come from? That’s right — donors. Attackers use backdoor files to gain access to donor information, including credit card info and email addresses. The SiteLock study found that 73 percent of non-profit sites were infected with backdoor files. So don’t rely on the idea that your site is “too small” for criminals to target. SiteLock recommend doing regular scans for spam and malware, setting up a web application firewall, and back your site up frequently. A little bit of vigilance goes a long way when you’re dealing with cyber criminals.