Hacker News
by thayne 53 days ago
> I assume then, that the only way a bot could even find my site is to do what the indexers do: brute force try every single possible ipv4 address hoping to hear something back, as my domain should not be known

If your site uses https, they could also get your domain from the certificate transparency logs for the certificate you use.

2 comments

I didn't think of that, but that makes complete sense, as it is https. I think my info was sold by my registrar as well because solicitors call or email me on occasion because they "accidentally came across my site" and want to provide the design/js/etc help.
You can get around this by grabbing a wildcard certificate and then using a hard-to-guess subdomain.
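
An added example, not part of the thread: a small audit that takes the SAN lists of certificates already logged for a domain and reports which hostnames appear there by name and which are only covered by a wildcard. The `example.com` names and the SAN lists are constructed sample data, and the function names are hypothetical.

```python
# Constructed sample: SAN lists as they would appear in CT-logged
# certificates for a domain. Names are placeholders, not from the thread.
LOGGED_CERT_SANS = [
    ["example.com", "www.example.com"],
    ["*.example.com"],
    ["staging-7f3a.example.com"],
]


def wildcard_covers(pattern, host):
    """True if a SAN such as *.example.com covers host.

    A wildcard stands for exactly one leftmost label, so *.example.com
    covers x.example.com but neither example.com nor a.b.example.com.
    """
    if not pattern.startswith("*."):
        return False
    label, _, rest = host.partition(".")
    return bool(label) and rest == pattern[2:]


def classify(host, cert_sans):
    """Classify one hostname against the logged SAN lists.

    'disclosed' - the literal name is in a logged certificate
    'hidden'    - only a wildcard covers it, so the log does not name it
    'uncovered' - no logged certificate is valid for it; a dedicated
                  certificate for it would add the name to the logs
    """
    host = host.lower().rstrip(".")
    names = {n.lower().rstrip(".") for sans in cert_sans for n in sans}
    if host in names:
        return "disclosed"
    if any(wildcard_covers(n, host) for n in names):
        return "hidden"
    return "uncovered"


def audit(hosts, cert_sans):
    """Map each hostname to its classification."""
    return {h: classify(h, cert_sans) for h in hosts}


if __name__ == "__main__":
    mine = ["www.example.com", "k3x9q-notes.example.com",
            "staging-7f3a.example.com", "a.b.example.com"]
    for host, status in audit(mine, LOGGED_CERT_SANS).items():
        print(f"{status:10} {host}")
```

A name that comes back `hidden` is only absent from the certificate logs; the registered domain itself is still listed there through the wildcard entry.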