Wordpress vulnerability leads to defacement of hundreds of thousands of sites (sucuri.net)
4 points by vertigogo on Feb 8, 2017 | 7 comments


Our site got hacked by a guy who tagged our blog with "hacked by muhmademad", which seems to have a few hundred thousand results as of a minute ago.

Even large institutions and websites have been hit: Harvard, MIT, glennbeck.com, and many more.

Make sure to update to 4.7.2 if you are running a WordPress install of 4.7.0 or 4.7.1. There's a REST vulnerability that allows someone to bypass authorization to update or post.


Question: Was the new REST API turned on automatically?

I don't use Wordpress, but if the answer is yes then it is completely dumb to increase the attack surface like that.


The new REST API is turned on automatically as of version 4.7.0.

My site was hit; as far as hacks go, this one wasn't too bad. They defaced the last post; the solution was to revert to an earlier revision and upgrade WP to version 4.7.2.

If we had had auto-updates enabled, this attack would have been prevented. So the takeaway from this is: make sure that auto-updates are enabled.
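The two facts above that matter for triage are that sites on 4.7.0 or 4.7.1 need to move to 4.7.2, and that the REST API is on by default from 4.7.0. The following is an added example (not code from the thread, from Sucuri, or from WordPress) of a small checker that turns those two facts into a test you can run against a list of sites. It assumes the usual WordPress `<meta name="generator" content="WordPress x.y.z">` tag in the page head and the `/wp-json/` index document, which lists a `namespaces` array containing `wp/v2` when the content endpoints are exposed; both are treated here as assumptions about what a stock install emits. The sample responses at the bottom are constructed, not captured from any real site.

```python
"""Offline-testable triage helper for the WordPress 4.7.0/4.7.1 REST issue.

Added example, not code from the thread or from WordPress. The parsing
functions take text so they run without a network; only scan() fetches.
"""
import json
import re
import urllib.request

# Versions the thread says must be upgraded to 4.7.2.
VULNERABLE_VERSIONS = {(4, 7, 0), (4, 7, 1)}
FIXED_VERSION = (4, 7, 2)

# Assumed shape of the generator tag a stock install writes into <head>.
GENERATOR_RE = re.compile(
    r'<meta\s+name=["\']generator["\']\s+content=["\']WordPress\s+([\d.]+)["\']',
    re.IGNORECASE,
)


def parse_version(text):
    """Turn '4.7' or '4.7.1' into a 3-tuple.

    WordPress advertises the .0 release of a branch as just '4.7', so a
    missing patch component means 0, which is exactly the case that matters
    here: '4.7' is 4.7.0 and is on the vulnerable list.
    """
    parts = [int(p) for p in re.findall(r"\d+", text)]
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts[:3])


def extract_generator_version(html):
    """Return the advertised version, or None if the tag is absent.

    Hardening plugins often strip this tag, so None means 'unknown', not
    'safe'; treat such sites as needing a manual version check.
    """
    m = GENERATOR_RE.search(html)
    return parse_version(m.group(1)) if m else None


def is_vulnerable_version(version):
    return version in VULNERABLE_VERSIONS


def rest_namespaces(wp_json_text):
    """Parse the /wp-json/ index and return the namespaces it lists.

    Returns [] when the body is not the API index (e.g. an HTML 404 page,
    or a site that blocks the endpoint), so absence reads as 'not exposed'.
    """
    try:
        doc = json.loads(wp_json_text)
    except ValueError:
        return []
    if not isinstance(doc, dict):
        return []
    return [n for n in doc.get("namespaces", []) if isinstance(n, str)]


def triage(html, wp_json_text):
    """Combine both signals into one verdict for a site."""
    version = extract_generator_version(html)
    namespaces = rest_namespaces(wp_json_text)
    return {
        "version": version,
        "rest_v2_exposed": "wp/v2" in namespaces,
        "needs_4_7_2": version is not None and is_vulnerable_version(version),
    }


def fetch(url, timeout=10):
    """Best-effort GET; any failure is reported as an empty body."""
    req = urllib.request.Request(url, headers={"User-Agent": "wp-triage/1.0"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.read().decode("utf-8", "replace")
    except Exception:
        return ""


def scan(base_url):
    """Live check of one site: front page for the version, /wp-json/ for the API."""
    base = base_url.rstrip("/")
    return triage(fetch(base + "/"), fetch(base + "/wp-json/"))


# Constructed sample responses (not captured from any real site).
SAMPLE_HTML = (
    '<html><head><meta name="generator" content="WordPress 4.7.1" />'
    "</head><body></body></html>"
)
SAMPLE_WP_JSON = json.dumps(
    {"name": "Example", "namespaces": ["oembed/1.0", "wp/v2"], "routes": {}}
)

if __name__ == "__main__":
    print(triage(SAMPLE_HTML, SAMPLE_WP_JSON))
```

A site that reports a patched version but still exposes `wp/v2` is not a finding by itself; the API being enabled is the 4.7 default, and the fix in 4.7.2 is what matters. The checker is most useful for the case the last commenter describes, a developer looking after many installs: feed `scan()` a list of base URLs and act on every site where `needs_4_7_2` is true or `version` is None.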


Why did you disable auto-updates?


Because updates occasionally break my site


Only security updates (v0.0.X) install automatically. Version change updates (vX.Y.0) always require a site owner to explicitly install them.

If you are doing things in WordPress that break with a security patch, you need to re-examine what it is you're doing.


WordPress is used for more than 25% of internet sites. That also means that it is the most hacked CMS :)

Fortunately, WP and its community are working hard to fix the problems ASAP and make new releases.

The major problem is that people don't update the CMS. I really recommend auto-updates and good management of all plugin versions. If you are a developer and you are taking care of several WP sites, there are many plugins that can help you manage the WP and plugin versions for a large number of sites.



