Dan, since you’re in the WordPress space, there are several pieces in place there. Akismet and other anti-spam tools can still be used to filter webmentions just like any other comment/response on your site.
If you moderate your responses on your site, the webmention plugin has an “approve & always allow” function as well as domain allow-listing for people you know and trust.
It also bears saying: there’s also nothing that says you have to display webmentions on your site either; you can use them simply as notifications on your back end.
In my experience, I’ve also seen people strip active links, scripts, etc. out of their received webmentions as a security precaution. I believe that the WordPress suite of IndieWeb plugins does this by default.
If you need/want to go further, you could work on implementing the Vouch extension of Webmention. Any additional ideas or brainstorming you’ve got to help mitigate these sorts of harms is most welcome.
For the record, for Webmention to work as a protocol, it requires a link to your site to actually appear on a public web page–something that neither trackback nor pingback required, which made them even easier/cheaper to game.
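
The receiver-side checks listed in this comment, as an added Python example that is not the commenter's text and not the WordPress plugin's code: confirm the source page really links to the target, auto-approve only allow-listed domains, and keep plain text only for display. The function name, the allow-list and the sample page are constructed assumptions.

```python
import html
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

ALLOWED_DOMAINS = {"friend.example"}      # constructed allow-list of trusted senders
TARGET = "https://dan.example/post/1"     # constructed target URL on the receiving site
SAMPLE_HTML = ('<p>Nice post! <a href="https://dan.example/post/1">link</a>'
               '<script>alert(1)</script> <b>bold</b></p>')  # constructed source page

class _Scan(HTMLParser):
    """Collect resolved href/src values and visible text; drop script/style bodies."""
    def __init__(self, base):
        super().__init__(convert_charrefs=True)
        self.base, self.links, self.text, self._skip = base, set(), [], 0

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self._skip += 1
        for name, value in attrs:
            if name in ("href", "src") and value:
                # Resolve relative URLs against the source page, ignore fragments.
                self.links.add(urljoin(self.base, value).split("#")[0])

    def handle_endtag(self, tag):
        if tag in ("script", "style") and self._skip:
            self._skip -= 1

    def handle_data(self, data):
        if not self._skip:
            self.text.append(data)

def process_webmention(source_url, target_url, source_html):
    """Return a moderation decision for one received webmention."""
    scan = _Scan(source_url)
    scan.feed(source_html)
    scan.close()
    # A URL that only appears as text does not count: a real link must exist.
    if target_url.split("#")[0] not in scan.links:
        return {"status": "rejected", "reason": "source does not link to target"}
    host = (urlsplit(source_url).hostname or "").lower()
    status = "approved" if host in ALLOWED_DOMAINS else "pending"
    # Store text only (no tags, links or scripts), escaped for safe HTML output.
    excerpt = html.escape(" ".join(" ".join(scan.text).split())[:200])
    return {"status": status, "excerpt": excerpt}

if __name__ == "__main__":
    print(process_webmention("https://friend.example/reply", TARGET, SAMPLE_HTML))
```
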