Really can’t comment on the Scott situation because we don’t know exactly what he was running, we only know what he told us.
A while ago I had a blog which for some unknown reason started firing hundreds of notification emails at once. I couldn’t find any cause so I had to disable all email notifications. It seemed like a bug from one plugin I used on it. And that’s the core of my argument.
Wordpress sites are highly targeted as it is the most used platform on the web. So an attack wouldn’t be a surprise at all, I guess. Maybe it was really a bot or something trying to break into Scott’s sites. We can’t know for sure now, but bots can do everything, literally. If you have a form on your website, or installed a plugin, you can be vulnerable.
So first thing I do to try to avoid this is put the site behind Cloudflare. This way, they absorb part, or most, of the traffic in case of spikes. Second thing is always updating plugins, and third, not using pirated themes or plugins as they may contain backdoors.
These are just general tips. As Cloudways (and Vultr, and DO, and Linode, etc) only provide you with the servers, they won’t always back you up when problems such as this arise.