We love Wordfence and have been benefiting from it for months. We've just had our WordPress site hacked, however, and Wordfence scans did not identify the malicious executable code that was placed on our server, so I thought I'd let you know about it.
The malicious code was placed in a subdirectory in the web root with a leading space like so: " ." or "/%20." (without quotes). Since the leading space means the folder does not show up in usual directory listings (not in sftp for instance), it was quite hard to track down. I'd guess Wordfence is not scanning in such directories.
I hope this helps. Thanks for a fantastic plugin!
Grant
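
A check for the kind of directory described in the post above, as an added example that is not part of the original post and not Wordfence code: it walks a web root and reports directories whose names are easy to overlook (leading or trailing whitespace, invisible characters, dots only), along with any script files inside them. The extension list and function names are assumptions chosen for illustration.

```python
import os
import sys
import unicodedata

# Assumed list of server-executable extensions; adjust for your stack.
SCRIPT_EXTS = {".php", ".phtml", ".php5", ".phar", ".cgi", ".pl", ".py", ".sh"}

def name_problems(name):
    """Return the reasons a directory name is easy to miss in a listing."""
    reasons = []
    if name != name.lstrip():
        reasons.append("leading whitespace")
    if name != name.rstrip():
        reasons.append("trailing whitespace")
    if any(unicodedata.category(c) in ("Cc", "Cf") for c in name):
        reasons.append("control or invisible character")
    stripped = name.strip()
    if stripped and set(stripped) == {"."}:
        reasons.append("dots only, mimics '.' or '..'")
    return reasons

def scan(root):
    """Walk root; return (path, reasons, scripts) for each suspicious directory."""
    findings = []
    for dirpath, dirnames, _ in os.walk(root):
        for d in dirnames:
            reasons = name_problems(d)
            if not reasons:
                continue
            full = os.path.join(dirpath, d)
            # List script files anywhere below the suspicious directory.
            scripts = sorted(
                os.path.relpath(os.path.join(p, f), full)
                for p, _, files in os.walk(full)
                for f in files
                if os.path.splitext(f)[1].lower() in SCRIPT_EXTS
            )
            findings.append((full, reasons, scripts))
    return findings

if __name__ == "__main__":
    web_root = sys.argv[1] if len(sys.argv) > 1 else "."
    for path, reasons, scripts in scan(web_root):
        # repr() makes leading/trailing spaces visible in the output.
        print(f"{path!r}: {', '.join(reasons)}; scripts inside: {scripts}")
```

Run it with the web root as the only argument; paths are printed with `repr()` so that a name such as `' .'` is visible as such.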