If it's a shared host..So multiple websites running on the IP address and the attacker is interested in attacking one of the websites on that IP but all are affected. Then that could be.. (And as you say the hosting provider should have notified the users). There'd be a lot of limitations on what a person whose website is on a shared host, can do to protect it 'cos they don't run it. And the hosting provider makes all the decisions, so all they can do is ask the hosting provider and hope. But if it's a dedicated host, eg a virtual machine running just the one website, then i'm sure there'd be way more flexibility in terms of protections, that the user whose dedicated host it is, can do.
We are on a VM. Back in the early early days we were on a shared host. Could literally see other sites users. Then we went to our own dedicated server for a while. Now VM is good enough. Speaking of which, we just passed 25 years. Scary time flies. The server seems to be in decent shape today.
I think I might want to take back my suggestion on cloud fare. cloud fare asks people "verifying you are a human". click here I don't like it. badminton central will not be the same if it keeps asking people that.
I think AWS maybe better than cloud fare.. https://aws.amazon.com/getting-started/projects/host-static-website/services-costs/ I don't know how their free tier works?? https://aws.amazon.com/free/?all-free-tier.sort-by=item.additionalFields.SortRank&all-free-tier.sort-order=asc&awsf.Free Tier Types=*all&awsf.Free Tier Categories=*all I have not investigated other options such as Google Cloud, Microsoft Azure or Oracle Cloud. Some or all of them might have free tiers.