And don't use too many plug-ins without having checked their code.
While this is 110% solid advice, it's really hard for most people to do this. Very few people, and even few programmers, are qualified to actually determine security vulnerabilities. It's not easy.
Could I do it? Yes. How long would it take me? FOREVER!
I understand enough to track down issues. But I'll never actually do it because it's simply far too time consuming.
There's the actual code itself, which is relatively simple to check for things like SQL injection, etc.
Then there's the checking of the actual PHP methods, and so on down the line. NIGHTMARE!!!
My rule of thumb here is to use only commonly used plug-ins with a record of security. I have to blindly trust them because checking is too expensive for me.