I just installed Wordfence today and ran a scan for the first time on a clients site. It did find the right problems in 3 places but not all of them.
This site was infected with some poorly written base64 code injected with obfuscated links in the index.php files in 3 places sending statistics to a site in Norway but it did not find more of them throughout the site in places like footer.php files
Wordfence found 3 of them but there were many more.
FYI: The free Sucuri scan did not find any of them!