The bad guys generally don't bother browsing Wordpress code to find vulnerabilities. It's tiresome to do, especially since a lot of good guys are doing the same thing and patching the obvious bugs.
Instead they use automated attacks to test any website directly for the most common errors. Understand that this is not limited to Wordpress. The types of vulnerabilities they test for are universal: password brute force, directory permissions, code injection, XSS, etc.
Sometimes one of these tests works, a site gets hacked, and then the developer has to a) recognize the site has been hacked, b) diagnose the problem, c) patch the hole, and d) recover the site.
For open-source projects like WordPress, the developer can then contribute the patch back to the community, and everyone else can pre-emptively fix their sites, even if they haven't been hacked yet. Bad guys also get these patches, and add automated attacks based on them. These are often what you see in WP logs, but such attacks are easily defeated by simply applying patches when they come out.
For custom-developed sites, you the developer must do all those steps by yourself, and yes that means you probably won't know about vulnerabilities until they are exploited.
Instead they use automated attacks to test any website directly for the most common errors. Understand that this is not limited to Wordpress. The types of vulnerabilities they test for are universal: password brute force, directory permissions, code injection, XSS, etc.
Sometimes one of these tests works, a site gets hacked, and then the developer has to a) recognize the site has been hacked, b) diagnose the problem, c) patch the hole, and d) recover the site.
For open-source projects like WordPress, the developer can then contribute the patch back to the community, and everyone else can pre-emptively fix their sites, even if they haven't been hacked yet. Bad guys also get these patches, and add automated attacks based on them. These are often what you see in WP logs, but such attacks are easily defeated by simply applying patches when they come out.
For custom-developed sites, you the developer must do all those steps by yourself, and yes that means you probably won't know about vulnerabilities until they are exploited.