As someone who has coded multiple forums for fun and private usage, I can say that there are some potential benefits but they are likely not worth it in the long run unless you really do want to do it as a learning experience. It is a good learning experience though and can teach you every aspect of web development from database administration to server side development to client development. Using one in my portfolio helped me to get my current job.
The short answer: flexibility and immunity to canned exploits are pros, but the shocking amount of code to write is a big con, and what you write isn't likely to be very secure either.
Long answer:
The forums I run now are focused on play by post RPGs, so I used the opportunity to add code to help with that. In particular, it has the ability to insert die rolls for the different systems my group uses as BBCode tags. That's not a great example, since there are certainly ways you could find canned solutions that would work (or just use Roll20 or the like), but I liked the fact that it fit seamlessly with the rest of the forums and it was code that I could modify myself.
I was also able to add other features that we found useful over time, such as the ability to embed modal windows (largely just popup windows if you're not familiar with the term), which would compile down to a link in the post that when clicked would present the window containing BBCode markup content. We used that to keep track of things like initiative order in combat. We later realized that it was a pain to stick something like that in the GM's signature, so we then added info bar areas at the tops and bottoms of threads that the GMs could edit, which could in turn hold links to the initiative windows or any other information.
Other features I added that I stole from other websites were automatically updating threads and a dynamic "who's looking at this page" indicator. So, you can tell that someone else is viewing a thread and if they post, edit or delete something on the page you're looking at it automatically loads it for you using AJAX. It also flashes the tab title when that happens, so if you're looking at something else you have an indicator that someone posted in a thread you're watching. Theoretically annoying, but it works for us.
So, it's nice to be able to add features like that directly to the website and to have an intimate understanding of how it works. The downside is that it's quite a lot of code. I'm a professional web developer who has done this kind of thing before, and to go from nothing to a functional forum took me about six weeks of working on it in my spare time, if I recall. Numerous bugs were found that have been fixed over the ensuing months. The BBCode parser is hundreds of lines of PHP and the compiler is much more. The [dice] tag compiler alone is over a thousand lines long because of the game systems it has to support now. The AngularJS (client portion) code is also gigantic and a mess since I didn't really know how to use Angular well. I know much better now, but can't be bothered to gut and replace it for a second time.
Using WordPress or another canned solution is going to cut weeks and weeks or months of time out.
Now... I mentioned canned exploits above, and using custom code helps there, but it comes with caveats.
WordPress is an absolute exploit magnet. I get hits against my public IP address (I don't even have a domain for it!) where bots are scanning for wp-admin so they can attempt to exploit bugs and either upload malicious content or spam me. My code is all custom, so exploits like that don't work. Any prebuilt forum or CMS is going to have this problem to some degree, but the free ones are worse because more people use them, and the more people that use them, the more valuable they are as hacking targets.
If you're very careful to stay up to date and secure these things as the authors instruct then they're usually not that bad, but it's still usually a constant hassle to deal with bot registrations and spam.
That said, the caveat is that unless you're a security expert anything you write is probably going to be riddled with security problems. I know for an absolute fact that my code is exploitable. The backend is written to be reasonably secure and should be immune to things like SQL injection, but the REST API it uses is only secured in the most basic manner. The big issue is the client code, which intentionally breaks AngularJS's protection to keep you from dumping raw HTML into templates. That means that people could in theory do all kinds of nasty things, like embed malicious image tags. For my little RP group I don't really care, but for a public website it would be a problem that would require me to completely redo the way that BBCode is compiled and cached on the server side.
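Added example, not part of the original answer and not the poster's forum code: one way to compile BBCode so the resulting HTML can be bound into a template without raw user markup reaching the page. It is written in JavaScript for illustration (the answer's compiler is PHP); the function names, the three supported tags, and the sample posts are assumptions made for this sketch.

```javascript
// Allowlist BBCode renderer: user text is always escaped, and only tags
// this code builds itself are emitted. All names here are hypothetical.
const ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => ESCAPES[ch]);
}

// Accept only absolute http(s) URLs; other schemes and relative values are rejected.
function safeUrl(raw) {
  let url;
  try { url = new URL(raw); } catch (err) { return null; }
  return (url.protocol === 'http:' || url.protocol === 'https:') ? url.href : null;
}

function renderBBCode(input) {
  // Recognised tokens: [img]url[/img], [b], [/b], [i], [/i]. Everything else is text.
  const token = /\[img\]([^\[\]]*)\[\/img\]|\[(\/?)(b|i)\]/gi;
  const open = [];          // stack of currently open formatting tags
  let out = '';
  let last = 0;
  let m;
  while ((m = token.exec(input)) !== null) {
    out += escapeHtml(input.slice(last, m.index));   // text before the token
    last = token.lastIndex;
    if (m[3]) {
      const tag = m[3].toLowerCase();
      if (!m[2]) { open.push(tag); out += `<${tag}>`; }
      else if (open[open.length - 1] === tag) { open.pop(); out += `</${tag}>`; }
      else { out += escapeHtml(m[0]); }              // stray close tag stays literal
    } else {
      const url = safeUrl(m[1].trim());
      // The URL is normalised by the parser, then escaped again for the attribute.
      out += url ? `<img src="${escapeHtml(url)}" alt="">` : escapeHtml(m[0]);
    }
  }
  out += escapeHtml(input.slice(last));
  while (open.length) out += `</${open.pop()}>`;     // close anything left open
  return out;
}

// Constructed sample posts, not taken from any real forum.
const samples = ['[b]Initiative[/b] <script>x</script>', '[img]https://example.com/d20.png[/img]'];
for (const s of samples) console.log(renderBBCode(s));
```

Because every character of user text passes through `escapeHtml` and the only tags in the output are ones the renderer constructs, the result does not depend on the client template layer to strip markup.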