Vulnerable plugins and themes are the leading causes of WordPress compromises.
To ensure the security of your app's code, you should use a web-application firewall, such as CloudFlare or Wordfence. Then, use as few plugins as possible that are well known and highly rated from trusted sources, such as the WordPress plugin repository.
The same guidelines can be applied to using themes with your site.
If you are unsure of the status for a WordPress theme or plugin, Sucuri offers an easy-to-use database listing all of the known vulnerabilities throughout WordPress.
Simply visit https://wpvulndb.com and either browse or search for the plugin or theme you're interested in. Sucuri's WPScan Vulnerability Database will then list any known vulnerabilities and the fixes that have been applied.