I've used Wordpress for a long time, since shortly after it came out. I think they are sincere but there are logic gaps that make me wonder about the kind of brownies they serve at Automattic.
For example, some of their quasi-official support bloggers were suggesting that it didn't matter if someone knew their login name, yet were also suggesting two-factor auth. So perhaps 1.75-factor for them. Wordpress allows a completely unrelated login name for any account, which if done right makes for blithe log reading; the typical attempts --apparently based on stolen office worker/Yahoo logins-- aren't even close.
Interesting that a week after updating to 4.7.2, one host sends a nervous email about making sure I'm updated. This story explains that anomalous behavior.
Just tried the json exploit, have wordfence running but it still prints out. Off to solve that now. Thank you.