If you are running WordPress, and you are not completely stupid, you have automatic updates enabled. In this case, your WordPress just updated itself to 4.7.2, because of a critical bug in the WordPress REST API.
Hanno Böck has an opinion piece over at golem.de (in German) about why WordPress is still the most secure CMS. He explains how WordPress structurally separates local site modifications from the core, and how this enables it to provide an automatic update procedure – which you should enable. Joomla, TYPO3 and Drupal should change and copy that invention.
If you are running WordPress, you will also want to install plugins such as Wordfence, Google Authenticator (for 2FA), Security Ninja (for a quick security audit) or similar. A general overview of hardening a WordPress installation can be found in the Codex.
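To confirm that a given installation really did pick up 4.7.2 and that nothing has switched the background updater off, here is a small Python check. It is an added example, not part of the original post or of WordPress itself. The function names are made up for this example; `$wp_version`, the `wp-config.php` constants and the version-control directory names are the ones WordPress itself uses.

```python
import re
import sys
from pathlib import Path

FIXED = (4, 7, 2)  # the release named in the post

def parse_version(version_php):
    """Extract $wp_version from wp-includes/version.php as a 3-tuple."""
    m = re.search(r"\$wp_version\s*=\s*['\"]([0-9.]+)", version_php)
    if not m:
        return None
    parts = [int(p) for p in m.group(1).split(".") if p][:3]
    return tuple(parts + [0] * (3 - len(parts)))

def define_value(config_php, name):
    """Value of define(name, ...) in wp-config.php, ignoring commented-out code."""
    code = re.sub(r"/\*.*?\*/", "", config_php, flags=re.S)
    code = re.sub(r"^\s*(//|#).*$", "", code, flags=re.M)
    m = re.search(r"define\(\s*['\"]" + re.escape(name) + r"['\"]\s*,\s*([^)]+?)\s*\)", code)
    return m.group(1).strip("'\" ").lower() if m else None

def audit(root):
    """Return a list of findings for the WordPress tree at `root`."""
    root = Path(root)
    findings = []
    vfile = root / "wp-includes" / "version.php"
    version = parse_version(vfile.read_text(errors="replace")) if vfile.is_file() else None
    if version is None:
        findings.append("could not read $wp_version")
    elif version < FIXED:
        findings.append("core %s is older than 4.7.2" % ".".join(map(str, version)))
    config = root / "wp-config.php"
    if not config.exists():
        config = root.parent / "wp-config.php"  # WordPress also looks one level up
    text = config.read_text(errors="replace") if config.exists() else ""
    if define_value(text, "AUTOMATIC_UPDATER_DISABLED") in ("true", "1"):
        findings.append("AUTOMATIC_UPDATER_DISABLED turns off all background updates")
    if define_value(text, "WP_AUTO_UPDATE_CORE") in ("false", "0"):
        findings.append("WP_AUTO_UPDATE_CORE disables core updates")
    if define_value(text, "DISALLOW_FILE_MODS") in ("true", "1"):
        findings.append("DISALLOW_FILE_MODS also blocks background updates")
    if any((root / d).is_dir() for d in (".git", ".svn", ".hg", ".bzr")):
        findings.append("version-control checkout: background updates are off by default")
    return findings

if __name__ == "__main__":
    for finding in audit(sys.argv[1] if len(sys.argv) > 1 else "."):
        print("WARN:", finding)
```

Run it with the WordPress root directory as the only argument; no output means none of these conditions were found. The version-control check only looks at the root directory itself.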
EDIT: Over at Wordfence, they have an article about login vs. XMLRPC attacks on WordPress installations, with some statistics.