Your site will never be 100% immune to hacking simply because you installed this or any other security plugin.
Yes, this plugin (and many other similar security plugins) will greatly mitigate the risk of being hacked via the obvious methods, but no security plugin will protect your site completely from intrusion or hacking.
If you thought otherwise, you’ve probably been somehow misled.
So can you tell me the possibilities of how the hackers hacked such site with these above features enabled?
A very common cause of hacks is when people download and install tainted themes or plugins. For example sometimes people download themes or plugins which already contain malicious code/backdoors etc inside them and once the plugin/theme is activated on the site the malware spreads throughout their filesystem.
A lot of this stuff occurs when people want a particular theme/plugin which may cost money to buy, but instead they find it for free on some dodgy site which is not affiliated with the plugin author.
Another common mistake people make is to not keep their core wordpress and also their plugins/themes constantly updated to the latest versions.
There are also many other possible ways you can be hacked which no plugin can fully protect you from. For example, hackers getting into your web server outside of the wordpress environment. (cpanel, ftp etc).
There are many possible ways that your site may have got hacked….too many to list here. It would be prudent to spend some time doing research for your own benefit.