So far hackers have hit 39,000 unique domains. The attacks started after the flaw was reported on Monday by web security firm Sucuri.

Four groups of attackers defaced over 67,000 pages. The number grew to over 100,000 pages the next day and now web security firm WordFence claims the numbers have skyrocketed today to over 1.5 million pages.

It looks like there are 20 hacking groups involved in a "defacement turf war".

Making matters worse, over the weekend Google's Search Console service, formerly known as Google Webmaster, was sending out security alerts to people it shouldn't. Google attempted to send security alerts to all WordPress 4.7.0 and 4.7.1 website owners (vulnerable to the REST API flaw), but some emails reached WordPress 4.7.2 owners. Some of which misinterpreted the email and panicked, fearing their site might lose search engine ranking.

It might be sensible of you have a Wordpress page to upgrade it before the hackers do.