I used a lot of free wordpress template and plug-ins. They are good. But in some situations, especially, the templates and plug-ins are not from wordpress.org. They are from some random websites. You have to be very careful. You have to check them very carefully. I will do a code review for that.
There is a common technique, they will use. The page will detect the user agent string. If you use a normal browser, they will deliver a normal content. When the search indexing engine visit them, they will deliver the spammer content. To check that, you can use the fetch as google in Webmaster tools for checking. If you are a power user, you can use some browser plug-ins to change your agent user agent string to be a indexing engine.