You absolutely can't rely on the free version of WordFence. It should also be the last line of defense to handle anything that can't get caught by the server WAF.

I recently cleaned a WordPress site (that I now get to manage) of some malware that had multiple redundant persistence layers and the attacker had whitelisted the folders in the WordFence scan. Was actually kind of handy as a checklist to see if I'd missed anything.

What WordFence did manage to do was email an alert that there had been an unauthorised admin login as their admin password had been compromised.