This is a personal opinion: I find the online scanners useless. I used many of them a long time ago when I was learning SQL injection; I was just a teenager willing to try every tool he hears about.
But let's assume for a second that the scanners are real: would you trust the website owner? How would you be sure that he's not saving the vulnerabilities in a log file so he can attack you later?
Want a tool? Look for sqlninja, a very well-known SQL injection testing tool, but would you be able to use it? Let's say you follow a tutorial and you install it and run it, would you understand the output? And assuming you understood, would you be able to fix it?
I can give you hundreds of tools. Few run on Windows, the majority on Linux, like Metasploit, and you could use many exploits. But it's not about the tools, it never was; that's why they are called tools in the first place.
Besides, if you manage to "secure" WordPress, are you sure that no one can "hack" you? Are you sure that your server is "secure"?
In the past, if you wanted to teach your kid SQL injection, you'd say: "Son, attack that WordPress site." I don't know about now, but they should have fixed it.
I never used WordPress, never will. I did a simple search for plugins; I think this is more than enough for you, at least for now. There are hundreds of other plugins, which are the easy way to secure the site.
I personally do not think that hackers are the ones who are going to take down your site. What you really need to worry about is CPU and RAM usage; WordPress and Joomla are hungry beasts.