A key point to note about WhatsApp from a recent webinar I watched is that while the app may appear at first glance to use your 2FA, it does not. A phone number is required to verify your account however no other info eg. passcode is required without setup. The following link will show you how to add a passcode to you account.
Set up info may be found here: WhatsApp FAQ - Using two-step verification
Other security tips here include hiding message details while the phone is locked. This can be found in iOS under ‘settings’>‘notifications’>‘show previews’>‘when unlocked’.
Also check under WhatsApp settings to ensure only the devices you recognise are shown to have logged into your account recently.