Webmasters running WordPress 3.5 or lower are currently experiencing a number of hacking incidents. We recommend updating to the latest version (4.3 or later) as soon as possible. The specific vulnerabilities in WordPress 3.5 and earlier are described below.
The administrator user ID is “admin”
In older versions of WordPress, the initial superuser (administrator) user name was fixed to admin to keep setup simple. This meant that attackers often only needed to guess the password, and a weak password could easily be used to gain administrative privileges.
This is also an important clue for attackers who want to take over administrative privileges: when a login fails because the password is wrong, the login screen displays the user name exactly as entered, which confirms that the account exists.
Vulnerability that allows base64-encoded malicious code to be embedded in comments
There is a very well-known vulnerability in WordPress 3.5 and below that allows malicious code to be easily embedded in comments. Do you have comments containing long, unintelligible strings of text on your WordPress site? Or are there many users adding more and more of them on their own?
If you are seeing a large number of such comments, be aware that an attacker may be exploiting this vulnerability.
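One way to review existing comments for this pattern is to look for long base64-alphabet runs, decode them, and check whether the decoded text looks like code rather than prose. The following is an added example written for this article, not code from WordPress or from the original post; the sample comments are constructed, and the marker list and the 24-character threshold are assumptions chosen for illustration.

```python
import base64
import re

# Runs of at least 24 base64-alphabet characters, optionally padded with "=".
# The length threshold is an assumption; shorter runs are usually ordinary words.
B64_RUN = re.compile(r"[A-Za-z0-9+/]{24,}={0,2}")

# Substrings that, once decoded, indicate executable content rather than text.
# Assumed list for illustration; extend it for your own environment.
SUSPICIOUS_MARKERS = (
    "<script", "eval(", "base64_decode", "<?php",
    "javascript:", "document.write", "<iframe",
)

# Constructed sample comments (not taken from any real site):
#   0: ordinary prose
#   1: prose wrapping an encoded script tag
#   2: an encoded but harmless sentence (must not be flagged)
SAMPLE_COMMENTS = [
    "Great article, thanks for sharing!",
    "Nice post " + base64.b64encode(b"<script>eval(atob('XXX'))</script>").decode() + " check it",
    base64.b64encode(b"Hello there, just saying hi to everyone here.").decode(),
]


def decode_candidate(token):
    """Decode a base64-looking token to text, or return None if it is not valid base64/UTF-8."""
    padded = token + "=" * (-len(token) % 4)
    try:
        raw = base64.b64decode(padded, validate=True)
    except ValueError:  # binascii.Error is a subclass of ValueError
        return None
    try:
        return raw.decode("utf-8")
    except UnicodeDecodeError:
        return None


def scan_comment(text):
    """Return (token, decoded) pairs for encoded runs whose decoded form contains a marker."""
    hits = []
    for token in B64_RUN.findall(text):
        decoded = decode_candidate(token)
        if decoded is None:
            continue
        lowered = decoded.lower()
        if any(marker in lowered for marker in SUSPICIOUS_MARKERS):
            hits.append((token, decoded))
    return hits


def flag_comments(comments):
    """Indices of the comments that carry at least one suspicious encoded payload."""
    return [i for i, text in enumerate(comments) if scan_comment(text)]


if __name__ == "__main__":
    for idx in flag_comments(SAMPLE_COMMENTS):
        for token, decoded in scan_comment(SAMPLE_COMMENTS[idx]):
            print(f"comment {idx}: {token[:20]}... decodes to {decoded!r}")
```

Decoding before matching matters: the encoded form of `<script>` never contains the literal string, so a plain keyword filter on the raw comment text would miss it, while a raw base64 match alone would flag the harmless third sample.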
Pingback functionality can be used as a springboard for DDoS attacks.
WordPress has a feature called pingback that notifies a blog when another blog links to it. WordPress versions 3.5 and below have a vulnerability that allows this feature to be used to send notifications to arbitrary third parties, which could make your site a springboard for a DDoS attack. If you check the server logs, do you see an unusually high number of accesses? If so, your site may be being used as a stepping stone for DDoS attacks or spam mail.
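The server-log review suggested above, and the password-guessing risk against the fixed admin account described earlier, can both be checked from the same access log. The following is an added example written for this article, not code from WordPress or from the original post. It parses combined-format (Apache/nginx) log lines and reports three things: IPs repeatedly posting to wp-login.php (password guessing), IPs repeatedly posting to xmlrpc.php (your site being used as a pingback springboard), and fetches carrying the User-Agent WordPress uses when it verifies a pingback source (your site being the target of other blogs' pingback traffic). The log lines are constructed with RFC 5737 documentation addresses, and the thresholds are assumptions.

```python
import re
from collections import Counter, defaultdict

# Combined log format: ip ident user [time] "METHOD path HTTP/x" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# User-Agent WordPress sends when it fetches a page to verify a pingback source:
# "WordPress/<version>; <site URL>; verifying pingback from <ip that submitted the pingback>"
PINGBACK_UA = re.compile(
    r"^WordPress/[\d.]+; (?P<site>\S+); verifying pingback from (?P<origin>\S+)$"
)


def _line(ip, sec, request, ua):
    return (f'{ip} - - [12/Sep/2015:10:00:{sec:02d} +0900] "{request} HTTP/1.1" '
            f'200 1024 "-" "{ua}"')


def make_sample_log():
    """Constructed combined-format log lines (documentation IP ranges), not real traffic."""
    # Eight login POSTs from one address in eight seconds: password guessing.
    lines = [_line("203.0.113.5", i, "POST /wp-login.php", "Mozilla/5.0") for i in range(8)]
    # One login POST from another address: an ordinary user.
    lines.append(_line("10.0.0.3", 9, "POST /wp-login.php", "Mozilla/5.0"))
    # Six xmlrpc POSTs from one address: this site being driven as a pingback springboard.
    lines += [_line("198.51.100.7", 10 + i, "POST /xmlrpc.php", "python-requests/2.7.0")
              for i in range(6)]
    # Three other blogs verifying pingbacks that the same origin submitted, all aimed here.
    for i, site in enumerate(["http://blog-a.example", "http://blog-b.example", "http://blog-c.example"]):
        ua = f"WordPress/3.5.1; {site}; verifying pingback from 198.51.100.7"
        lines.append(_line(f"192.0.2.{44 + i}", 20 + i, "GET /?p=123", ua))
    lines.append(_line("10.0.0.3", 30, "GET /index.php", "Mozilla/5.0"))
    return lines


def parse(lines):
    """Yield one dict per line that matches the combined format; skip anything else."""
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            yield m.groupdict()


def _post_counts(entries, path_prefix, threshold):
    counts = Counter(e["ip"] for e in entries
                     if e["method"] == "POST" and e["path"].startswith(path_prefix))
    return {ip: n for ip, n in counts.items() if n >= threshold}


def login_bruteforce(entries, threshold=5):
    """IPs that POST to wp-login.php at least `threshold` times (threshold is an assumption)."""
    return _post_counts(entries, "/wp-login.php", threshold)


def xmlrpc_bursts(entries, threshold=5):
    """IPs that POST to xmlrpc.php at least `threshold` times: possible pingback abuse."""
    return _post_counts(entries, "/xmlrpc.php", threshold)


def pingback_verifications(entries):
    """Pingback verification fetches against this site, grouped by the origin IP WordPress reports."""
    by_origin = defaultdict(set)
    for e in entries:
        m = PINGBACK_UA.match(e["ua"])
        if m:
            by_origin[m.group("origin")].add(m.group("site"))
    return {origin: sorted(sites) for origin, sites in by_origin.items()}


def review(lines):
    entries = list(parse(lines))
    return {
        "login_bruteforce": login_bruteforce(entries),
        "xmlrpc_bursts": xmlrpc_bursts(entries),
        "pingback_verifications": pingback_verifications(entries),
    }


if __name__ == "__main__":
    for section, result in review(make_sample_log()).items():
        print(section, result)
```

On a real server, feed the function the lines of your access log instead of `make_sample_log()`. The third report is the one that tells you whether many unrelated blogs are being pointed at you: a single origin IP behind dozens of distinct verifying sites is the pattern the vulnerable pingback feature produces.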
This section has covered the most dangerous vulnerabilities; a list of the others can be found here (do not misuse!).