It is well worth having your WordPress installation on auto-update.
I got caught out still having Ver 4.7.1 for a week after version 4.7.2 came out, and my site was breached twice, firstly with an unauthorized post about weight loss and then by a Bala Sniper Hack. WordPress 4.7.1 and other recent earlier versions turned out to have several security issues that allowed unauthorized access.
Luckily I have my site monitored by Securi, so was made aware of the breach immediately and took action to fix the problem. At present I’m only using the free version but have in the past used their paid services to restore the site from a very corrupt state. Being semi-retired now and keeping costs down, I’m only using their monitoring services but that is tremendously useful – to be advised immediately your site has a problem gives you a good chance of preventing a major attack.
There are of course many other ways to secure your sites and I’m going to talk about it a bit more in the near future.