WordPress has a lot going for it, including a flexible, open platform the encourages users to develop plug-ins and themes that make it even better. That same benefit, however, invites more nefarious parties to craft malicious code and slip it into free content. While prevention is always the best option, it doesn't hurt to install a plug-in or two that can detect and alert you to suspicious code.
A guide by Six Revision's Karol K provides a good list of things to keep in mind when searching for the perfect theme or plug-in, but one of the more useful pieces of advice is to grab an add-on such as Theme Authenticity Check or Theme Check. They're designed to scan your WordPress' theme files for eyebrow-raises like obfuscated links hidden in Base64.
If you're happy to stick to the official WordPress repository for new content, you should be OK, but if you don't want to close the door to the excellent freebies outside the walled garden, there are precautions you can take to keep your sites protected.
How to Make Sure You're Not Using a Shady WordPress Theme [Six Revisions]