Most of the time, the problem with WordPress and security isn’t going to be themes or plugins, it’s actually how you configure your WordPress installation.
Here are some basic things your need to do to keep your WordPress environment safe:
- Keep your WordPress core up to date
- Keep all your themes and plugins up to date
- A secure login and password (never use “admin” as username and “1234” as your password!)
- Choose a unique database name
- A secure database password. You can use a website like strongpasswordgenerator to create one.
- Changing Authentication Unique Keys and Salts in wp-config.php
- Unique database prefixes (avoid “wp_”)
- Use of permalink structure
Issues may also come from non-reliable and non-secure web hosting company servers, usually the cheap ones.
Additionally, here is a post on WPTuts that may be useful.
You will also find a lot of plugins to improve your security in the WordPress plugin repository.
Please, note that this post is not a complete WordPress security guide but only a few tips to help you to get started.