On around May 13 someone subverted my weblog to serve pharmacy ads. Annoying, but not otherwise a big deal, given regular backups. This hack was more clever than prior incidents Took me longer to find and remove the problem.
I expect WordPress to be insecure. Looked at the source code early on. Like most PHP applications, the potential attack surface is very large.
Will be a bit before things are entirely in order. (Ick. Using a stock WordPress theme.)