The majority of attacks are not the fault of the server. Having the most up to date scripts does help, but your webmaster needs a little knowledge too.
The first thing you need to do is lock down your site from BAD WEB BOTS that scrape for not only e-mail addresses, but scripts, or other possible holes in your site. The worst of those bots come from Russia and the Ukraine, and a few others. If you're not specifically doing business in those countries, BLOCK THEM.
Your .htaccess file should have SEVERAL notations for bad bots as well as bad ip blocks to deny access to your site. By checking your web logs you can see
who's been scraping your site when you get hits for things that you don't even have.
Check your 404 errors, many of them come from hackers that are looking for holes in your site. Generally you'll have 404 hits for thing like /forgotpassword.php or other strange (usually admin) types of pages. BLOCK THOSE SUCKERS FIRST.
There are several good sites that can give examples on how to block bad bots, and bad ip blocks.
I was hacked several years ago when I didn't know about blocking these idiots. It's time consuming keeping up with all the new ones, but it is well worth the time. Blocking them not only can save your site, but stop a LOT of wasted bandwidth from their bots.
You can block by country, a single ip, a block of ip's, host, or by bot. Since bad bots will completely ignore your robots.txt directives, your best bet is to block them in .htaccess. For example my .htaccess file is over 5000 lines, with many of those lines for multiple blocks.
Again, if you don't do business in a particular country, it won't hurt to block the WHOLE country from accessing your site. You'll save yourself a TON of time blocking specific ips from those countries. NOTE: you can do everything possible to lock down and secure your site, but it doesn't mean your 100% safe, but doing nothing is asking for trouble.