WP Importer is fine, providing the security of the site is in tact – meaning:
- No users with “admin” username
- secure passwords
- user registration disabled
- Salts configured properly in wp-config.php
- Renowned plugins ONLY – lots of plugins can be the cause of a weak link in a sites security, especially if the plugin provides any form of public uploading (in forms, using old versions of Timthumb, etc.)
If a hacker creates and account and imports malicious code, it’s the issue of the being insecure, not WP Importer detecting whether a User is a hacker or not.