If it was that vulnerable, I don’t think it’d still be around. You face this using anything third party addition with any software. Also, Wordfence sends you a “vulnerability” email even if it’s just a plug-in that needs updated. I’ve been using Wordpress and Wordfence since 2011.