See also: Router malware: Fact or fiction? http://www.csoonline.com/article/2599652/data-protection/router-malware-fact-or-fiction.html
That's why it's always a good idea to disable the routers PIN. WPS is indeed insecure by design. A terrible idea.