Wi-Fi Protected Setup (WPS) is a network security standard for setting up a secure wireless home network. It was created to let end users add devices to the network without entering long passwords.
After you press the button on the router, you can easily connect to it by also pressing the WPS Push Button on your phone. Once the router recognizes the device, it securely sends the phone the data needed to associate with the access point.
From a non-technical standpoint, this seems very simple, but there are various vulnerabilities that can be exploited in this wireless standard.
If anyone gets physical access to your router and connects with WPS, they can recover the actual passphrase from it. Using a rooted Android phone and a password recovery app, they can select a network and view the passphrase.
Another big vulnerability is the ability for hackers to remotely brute force the WPS PIN needed to connect. This is possible because a WPS PIN has only 8 digits, which limits the number of possibilities there are to try.
By using an external Wi-Fi card and a Linux distro such as Kali Linux, you can easily set up tools such as Reaver and High Touch WPS Breaker (HTWPS). These two tools take advantage of unsecured routers with old firmware to brute force the WPA key.
After typing 01, the software will return a list of networks that are open to the attack. Because many manufacturers ship routers with WPS enabled, the list is often very long.
In the image above, you see the PIN that has been returned. By using a tool called Bully, Kali Linux can retrieve the original password.
As you can see, WPS compromises security in exchange for convenience. A good security practice is to disable WPS on your router's settings page. This will block the hardware button from functioning and keep you safe from these attacks.