PHP warnings are just warnings, they are not code loop holes that you can hack into.
If there is a PHP fatal error or parse error or syntax error, your site will not load.
Your site is probably hacked into via wp-login.php using what we call brute force attack. It can also be brute force attack via xmlrpc. Both are WordPress core features and not part of our theme. After the hacker has gain entry into your site, he can put up malicious code into any of the files on your website, that’s why you need a clean up by experts.
We are no website security expert. You should hire an expert such as https://sucuri.net/ to clean up your site and use their website fire wall service.
https://sucuri.net/ will be able to analyze and provide you a report of how your website was attacked and provide preventive suggestions.
Until then, it’s not fair to say that our product is unsafe.