Maybe it depends on how it has implemented WPS. That button/protocol was developed for lazy people who did not want to be bothered keying in security passwords. There is a massive security exploit that can only be fixed by disabling the feature completely. You need to turn this feature off in the main router. Unfortunately there are repeater devices that have been designed for lazy people only and there is no way to manually configure the setting needed other than with these buttons/pins.
If you can disable the WPS feature both in your router and the repeater and then go in and configure the SSID and key manually. You may also have to configure WDS settings depending on the brand and model of your your router.
Now if you never put a password/key in the main router and the wireless connection is not secured then the repeated connection also is wide open. This is a completely different issue. The problem with the WPS buttons/pins is that they allow people to obtain the keys even when you have used the best encryption options on the devices.