I think the black hats already knew.
Part of my job involves administrating wordpress instances (I know, *shudder*, but clients demand it, and pay good money for it).
Anyway, for a long time it seemed impossible to actually secure the bastard. No matter how up to date wordpress was, hackers somehow managed to compromise it and inject random snippets of PHP code in random areas. These snippets would connect to their server and pull in more php files with legit sounding names, spawn remote shells, and then they set up a complete environment, with redirects etc... (interesting tit bit, they primarily wrote their nasty in Perl, the PHP was just used to load up and get the reverse shell).
Cleverly, they only redirected if the referrer was a search engine. If you went to the site directly it worked as normal, but if you go via a search engine, it would do all kinds of nasty. As me and the clients went directly to the site, we didn't notice for a while until we got emails from site visitors mentioning the site was hacked.
In the end, I gave up. I disabled exec/eval in php, and set the wordpress directories to read only. This stopped the break ins in their tracks.
As most of the "content" in wordpress is held in MySQL, turns out you can set the whole thing read-only when in production. Only the auto-updates and plugin install need write to the actual directory, so I have a script to "lock" and "unlock" wordpress directories when the clients want to update/install plugins.
Does mean I no longer run the latest wordpress (because the auto-update can't work when the directory is locked), but illogically, it hasn't been hacked since, which has given me (as the sysadmin) some lovely peace and quiet.
Only thing I have to care about now is SQL injection vulns, but thankfully that hasn't happened in the years I had hosted wordpress, and if it does, I have regular backups of the DB (hourly dump to ZFS, then snapshot).