I always get plugins and themes from www.remarpro.com, or from established commercial providers.
That’s an excellent start.
are there any plugins or themes with known security holes?
None that are available from WPORG, no. If a security issue is found in a WPORG hosted theme or plugin (and, lets face it, that does happen sometimes), the developer in question is immediately notified and, if necessary, the resource withdrawn until an updated, patched, version has been submitted by the developer. A standard upgrade notice then goes out to all sites that have used the plugin or theme.
If you do come across an issue with a plugin where you can prove that there is a security issue, please contact plugins [at] www.remarpro.com with all of the necessary details and they’ll look into it asap. Never, ever, post about it here – for exactly the reasons you state above. We don’t want to publicise security holes to the wrong people.
There are theme sites that we would never recommend because we have grave misgivings about the themes that they do offer – including issues like encoded scripts that could be doing almost anything on your site. When we come across people using themes from these sites, we do our best to persuade them to use another theme but, beyond that, there is very little we can do.
I had a site hacked because I had a copy of phpMyAdmin on it which I’d not updated for a year or so
That’s a very common situation. This is why we keep pushing people to keep everything updated – WordPress core, plugins & themes. Even on sites that you feel aren’t being actively used. A server is often only as secure as its weakest installed application.
When investigating a hack on your own site, try to enlist the support of your hosts to see if, between you, you can figure out where the the hacker got in and, therefore, where the security hole might be. It does vary, so there’s not a lot we can offer in terms of general advice – other than the fact that paranoia & suspicion are often very useful traits. :-/
