Security-aware folk are unlikely to be affected by this
a) the target site having comments enabled - check
b) the site admin being oblivious enough to click a dodgy link, however the attacker presents it to them. - uncheck.
I do a whois on the source IP and, based on the results, block the IP or a subnet.
Anyone who admins a WordPress site and does click on links within a spam comment shouldn't own a computer, let alone admin a WordPress install.
I updated anyway.