Back in my younger years, I owned a forum based around a virtual game, it got hacked by sql injection. Thankfully they never had cPanel access so my database was secure, the account affected wasn't master admin either, so they couldn't view the user tab in admincp, but they did mess up my theme and release it.
I also visited other forums which had the same issue, turns out it was the forum software and several plugins had a vulnerability issue, which was patched up but the so called hackers turn to methods such as ddos.
I have methods to keep the site from getting hacked. I use Cloudflare, I have DDoS protection and also use mod security WAF and config server firewall.
I've never had my site hacked but I will say I have been DDoS before I got protection. I used to run a modding site and it got DDoS a lot. I had a hard time keeping it online as it was always being attacked. Anyways I started using protection ever since then and haven't had any problems since. Someone could take the site down if they wanted but it would take a lot more than your average joe.
Early into my website running, I was hacked, I have to admit it was so stressful, time consuming and utterly devastating as even though I created backups the .zips were corrupted. Needless to say I learnt my lesson.
I remember once I was a victim of hacking. My website was erased, and the hacker leaked all of my details on a public forum. I reported him to the local authorities, and the post got removed, and I've not seen him since. This just shows how important a backup is!