
In the era of AI-generated attack code, why must website security be re-emphasized?

Mar 15, 2026

Since the release of ChatGPT on November 30, 2022, generative AI has rapidly gained popularity in just over two years. From office work and programming to content creation, AI's "usability" has almost become a consensus. At the same time, however, the other side of the technology is being exploited by more and more people.

This is not alarmist talk, but a feeling that has become increasingly clear to me in my actual work over the past two years.


Website security issues are changing from "low probability" to "must be taken seriously"

If we turn back the clock three to five years, many people's understanding of website security was actually simple:
Once a website is built and the server is set up, as long as it's not in a special industry, it's normal to have no problems for years. Attacks, intrusions, and malware infections were not frequent events for most ordinary enterprise websites.

But over the past two years, the entire market environment has been changing.
Whether it's industry exchanges, customer feedback, or public cases, the frequency of website security issues in the market has increased significantly:

Websites being implanted with illegal content, servers being remotely controlled, sites being hijacked and directly turned into illegal websites, and even traffic attacks and virus attacks occurring simultaneously are no longer rare.


Precisely because of this, I have been repeatedly thinking about a question over the past two years:
Why have attacks suddenly increased?


AI is lowering the threshold for attacks – this is the point where I truly "realized"

It wasn't until I was scrolling through WeChat Channels one time and accidentally saw a segment of Zhou Hongyi talking about AI security that I truly realized the core of the problem.

One of his viewpoints left a deep impression on me:

While AI improves efficiency, it also objectively lowers the technical threshold for attackers.

Today's AI can directly generate executable remote attack code. This means that attackers don't have to be professional hackers, and the trial cost has become extremely low; once successful, they may gain control not only of a single website but also of multiple sites on the entire server. Looking back at the changes in the past two years from this perspective, many issues actually make sense.


Security incidents are not "someone else's problem"

Some people may think that such incidents mostly happen to small sites or platforms with weak protection capabilities. But that is not the reality. On the afternoon of December 5, 2025, the personal website of the well-known programmer Yupi was also infected with malware. If even a personal website with such a solid technical background can encounter security problems, it is clear that this is no longer a matter of "knowing technology or not".

Not to mention some large Internet platforms, which have also exposed multiple security incidents in recent years.


An unavoidable reality: security is never 100% guaranteed

In my security practice over the past two years, I have also communicated with many peers from other companies. They are all very experienced in security defense and have given me a lot of practical insights.

The consensus we finally reached is very consistent:
Website security can never promise 100% no problems; we can only minimize risks and improve recovery capabilities.

Even leading Internet companies are no exception. For example, Kuaishou (KS) was recently forced to close live broadcast rooms across the platform for a certain period of time due to a security incident. And the security investment of such companies is often measured in units of "100 million RMB".


So where should ordinary sites focus their efforts?

Against this realistic background, the focus of security construction has become clearer. Backup must be regarded as a bottom-line capability. Defense is important, but rapid recovery often determines the scale of losses. Daily automatic backup of system disks and data disks enables servers to roll back quickly in extreme cases, minimizing the impact.

Rational use of cloud security products can greatly reduce the cost of manual troubleshooting. Whether it's virus detection, anomaly alerts, or path positioning, these mature capabilities are far more efficient than "manual troubleshooting after an incident". For example, I think Alibaba Cloud Security Center (ACS) is very good. Brothers who need to save budget can consider buying the Anti-Virus Edition, which costs 5 CNY/core/month – for a 2-core 4G server, it's only 10 CNY a month. I personally purchased the Flagship Edition, which is more expensive; honestly, it hurt to buy it, after all, it's for multiple servers, not just one.


Of course, vulnerability repair should also be part of daily O&M, not a post-event remedy. Completing repairs during off-peak hours is often the lowest-cost and lowest-risk option.


Why I always refuse to write "100% secure" in contracts

Some customers also hope to specify "ensure 100% no security issues with the website" in the contract during communication. I have always clearly refused this request.

The reason is simple:
There is no upper limit to security defense investment. Even with backups, cloud security, vulnerability repair, and program hardening in place, absolute security cannot be promised. For website building and O&M service providers, the only thing they can truly promise is: once a security issue occurs, respond immediately, handle it immediately, and recover immediately – regardless of working hours, day or night, or even during festivals.


In the AI era, website construction is no longer as simple as "making a page and putting it on a server". Security is becoming a prerequisite for the long-term stable operation of websites. Ignoring security will inevitably lead to problems; taking security seriously can at least control risks within an acceptable range.
