Sql injection to get information/gain access, cross site scripting attacks, some service that you forgot to lock down, etc... The bad guys can be extremely smart and motivated.
Yes, what weaksauce said. The bad guys are so good at being bad now it's amazing. Even the smallest, lowest traffic, lowest value little tiny nothing seemingly useless WordPress site will be found and used.
