Spammers, phishers and other criminals are _always_ out to get _everyone_. It's typically done by robots - if your VPS is insecure, it's a matter of when, not if, and when is usually sooner than you think.
I meant DDOS, nobody cares enough to deny access to your little site unless there is something else which is going on. Other stuff, nothing much to worry about. Just follow best practices: use a password keeper, keep your site updated, disable comments, etc.
The way that typically goes is first your VPS gets exploited somehow and used to serve illegal content, send spam or scan other hosts. Then it gets DDOS-ed by someone who doesn't like the content or attacks initiated from the VPS.
