While this is 110% solid advice, it's really hard for most people to do this. Very few people, and even fewer programmers, are qualified to actually determine security vulnerabilities. It's not easy.
-Renegade
You would not believe how many plugins have known security vulnerabilities, unpatched by their developer and reported on the plugins' pages on wordpress.org. A little time researching the plugins you are using, and any you are thinking of adding, can go far, even if you don't know any PHP.
I have uncovered a ton of them while auditing the security of other people's websites and looking for replacements for those vulnerable plugins.
For example, stay away from SMTP plugins, unless you want your email address and its password displayed in plain text in the generated HTML code of your site, or stored in plain text in your database. They are all vulnerable. I have not found a single SMTP plugin yet that isn't.
Do yourself a favor and either handle the sending of mail through your web host, or, if that is disabled by your host, change hosting companies. If you are running your own server, don't be lazy. Set it up right, instead of funneling the mail sent from your site through your personal email account with a vulnerable plugin. And if you don't know how to set it up right, pay for hosting and save yourself the headaches.
And yes, I have reported them all to wordpress.org, and nothing has been done about them. They are all still available and still vulnerable.
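The two leaks the comment above describes, a mail password kept readable in `wp_options` and one echoed into the HTML the site serves, can be checked for without reading any plugin's PHP. The script below is an added example, not code from the commenter or from any plugin; it scans a constructed `wp_options` dump and a constructed HTML page. The option names (`hypothetical_smtp_pass`, `hypothetical_mailer_options`), the inline-script shape, and the keyword regexes are all assumptions chosen for illustration, so treat the patterns as a starting point to tune against your own site rather than as a definitive list.

```python
"""Audit checks for SMTP credentials left readable by a WordPress site:
a password stored in plain text in wp_options, and one echoed into the
generated HTML. All sample data below is constructed; option names and
markup are hypothetical, not taken from any real plugin."""
import re
from html.parser import HTMLParser

# Option/field names that look like they hold a mail password (assumed patterns).
CRED_KEY_RE = re.compile(r"(smtp|mail)\w*(pass|pwd|secret)|(pass|pwd|secret)\w*(smtp|mail)", re.I)
# Values that are clearly not secrets: empty strings and on/off flags.
TRIVIAL_VALUE_RE = re.compile(r"^(|0|1|true|false|yes|no|on|off)$", re.I)
# Consecutive string key/value pairs inside a PHP-serialized array.
SERIALIZED_KV_RE = re.compile(r's:\d+:"([^"]+)";s:\d+:"([^"]*)";')
# "key": "value" or key = 'value' assignments inside inline JavaScript.
SCRIPT_ASSIGN_RE = re.compile(
    r'["\']?(\w*(?:pass|pwd|secret)\w*)["\']?\s*[:=]\s*["\']([^"\']+)["\']', re.I)
PASS_KEY_RE = re.compile(r"pass|pwd|secret", re.I)


def find_plaintext_db_creds(rows):
    """rows: (option_name, option_value) pairs as dumped from wp_options.
    Returns (option_name, key, value) for every readable password-like field,
    whether stored as a bare option or inside a PHP-serialized settings array."""
    hits = []
    for name, value in rows:
        if CRED_KEY_RE.search(name) and not TRIVIAL_VALUE_RE.match(value):
            hits.append((name, name, value))
        elif value.startswith(("a:", "O:")):  # PHP-serialized array/object
            for key, val in SERIALIZED_KV_RE.findall(value):
                if PASS_KEY_RE.search(key) and not TRIVIAL_VALUE_RE.match(val):
                    hits.append((name, key, val))
    return hits


class _CredSniffer(HTMLParser):
    """Flags <input> fields and inline <script> blocks that carry a mail password."""
    def __init__(self):
        super().__init__()
        self.hits = []
        self._script = None  # text buffer while inside an inline <script>

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "script" and "src" not in a:
            self._script = []
        elif tag == "input":
            name = a.get("name") or a.get("id") or ""
            value = a.get("value") or ""
            if CRED_KEY_RE.search(name) and not TRIVIAL_VALUE_RE.match(value):
                self.hits.append(("input", name, value))

    def handle_data(self, data):
        if self._script is not None:
            self._script.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._script is not None:
            text = "".join(self._script)
            self._script = None
            if re.search(r"smtp|mail", text, re.I):  # only look at mailer-related scripts
                for key, val in SCRIPT_ASSIGN_RE.findall(text):
                    if not TRIVIAL_VALUE_RE.match(val):
                        self.hits.append(("script", key, val))


def find_creds_in_html(html):
    """Returns (where, key, value) for password-like fields in served HTML."""
    parser = _CredSniffer()
    parser.feed(html)
    parser.close()
    return parser.hits


# Constructed wp_options dump; option names are hypothetical.
SAMPLE_ROWS = [
    ("siteurl", "https://example.com"),
    ("hypothetical_smtp_pass", "hunter22"),
    ("hypothetical_mailer_options",
     'a:3:{s:4:"host";s:16:"smtp.example.com";s:4:"user";s:14:"me@example.com";'
     's:4:"pass";s:8:"hunter22";}'),
    ("hypothetical_smtp_use_ssl", "1"),
]

# Constructed page source showing both leak shapes; not from any real plugin.
SAMPLE_HTML = """<html><body>
<script>
var mailerSettings = {"host":"smtp.example.com","user":"me@example.com","smtp_pass":"hunter22"};
</script>
<form><input type="hidden" name="smtp_password" value="hunter22"></form>
<script src="/wp-includes/js/jquery.js"></script>
</body></html>"""

if __name__ == "__main__":
    for hit in find_plaintext_db_creds(SAMPLE_ROWS):
        print("DB   plaintext credential:", hit)
    for hit in find_creds_in_html(SAMPLE_HTML):
        print("HTML exposed credential:  ", hit)
```

In practice you would feed `find_plaintext_db_creds` the output of `SELECT option_name, option_value FROM wp_options` and `find_creds_in_html` the source of a few pages fetched as an anonymous visitor; any hit means the credential is already compromised and should be rotated, not just hidden.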