"no-one knows that the website exists in any case"
About 18 months ago I registered a domain with the intention of (eventually) hosting my own email server. Within a day or so I was getting SEO and similar spam to the email address I used. I worked out how to "hide" this from whois, but am still getting the emails.
I gave the domain DNS A and MX entries, but I didn't get around to setting up my server until a few weeks ago. For all that time, any connection attempt would have resulted in nowt as the router blocked everything incoming.
Within an hour or so of opening port 25, Postfix was logging multiple attempts to connect from IPs with dodgy credentials. I have no doubt that port 80 would attract the same were it open (and it may be, soon, if I get webmail going). Apart from DNS, the address is not advertised anywhere.
It's not rocket surgery. Keep an eye on domain registrations, add new ones to the list your automated script keeps banging away at. You never know, one day someone might open something you can exploit.
Before I had the fixed IP and the domain the router logged continuous low-level "incoming" activity - mostly trace_route. Someone out there is just iterating through addresses again and again and again and hoping that one day they'll find something open. I dare say that occasionally, they do.
I'm not a time-served sysadmin. In these matters I'm strictly an amateur. I'm relying on good guidance and doing things step-by step to avoid trouble. It does feel a bit like I'm under siege though!