Elegant Themes is a good WordPress club.
WooThemes is nice too.
Regarding hacking, image-based hacking is generally due to a permissions issue where you have a 777-permissions image on your box, and you share it with other people.
I might be wrong, but this is always how I have seen this issue.
In a shared hosting environment, say 20 or more clients can be hosted on one server; you also share one IP address and one filesystem (hard drive setup). Because you or any of the other 20 people are potentially listed on Google, malicious scanning by 'hackers' is happening all the time, often with the intent of virus/malware distribution. These so-called hackers generally operate through automated internet spiders, using what's known as reverse DNS. Let's say the spider bumps into you, or any one of the say 20+ web sites hosted on your server. Because all of the sites are linked, all the web sites will be scanned one by one.
Here's the problem: if any user on the site can be penetrated through a vulnerability, this can cause a problem for other users. So let's say your site was actually secure, but one of the other users on your server was hacked because they had a 2+ year old version of WordPress or Joomla. If you have permission 777 on any files on the system, you are liable to be hacked too. Permission 777 means any user on that filesystem is able to access other users' files and, through writing to an image, hack the system.
You might immediately assume, "well, is shared hosting bad then?" No, not really. Most of the internet uses shared hosting. The problem is that hosts often don't help people who are using Joomla or WordPress understand how to effectively set up the CMS so it is secure.
Setting up WordPress is often difficult because the host isn't properly configured for WordPress, forcing the user to use 777 and inherently, one day, become a potential victim of this problem.
If you have been hacked, unfortunately you will need to allocate some time to correcting the situation. This automated computer software now has your password, your database password, and others. Even if you fix the problem, don't forget to change every password, or face the potential of an automated attack further down the line.
A time-effective way to handle the situation is to just write a 2-minute email to the host and see how they can help you ensure you don't use 777, but instead the conventional 755, and are still able to write files to the filesystem using a common CMS like WordPress or Joomla.
I'm not sure how this board feels about referring to other boards, but Web Hosting Talk is a great forum. In fact, the US version is the world's largest forum for discussion on hosting issues, if not security. Please let me know if I made a mistake by mentioning another board.
All the best.
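
An added example, not part of the original post: a shell script that lists the world-writable (777-style) files and directories under a web root and resets them, directories to the 755 the post mentions. The 644 mode for files and the constructed `wp-content/uploads` demo tree are assumptions.

```shell
#!/bin/sh
# Added example: find and tighten world-writable (e.g. 777) entries in a web root.

# Print every regular file or directory under $1 that any account on the
# server can write to. "-perm -0002" matches modes with the world-write bit
# set (777, 666, 757, ...). Symlinks are not followed.
list_world_writable() {
    find "$1" \( -type f -o -type d \) -perm -0002 -print
}

# Number of flagged entries under $1.
count_world_writable() {
    list_world_writable "$1" | wc -l | tr -d ' '
}

# Reset only the flagged entries: directories to 755 (the mode named in the
# post), files to 644 (assumption: the usual companion mode for web content).
tighten_world_writable() {
    find "$1" -type d -perm -0002 -exec chmod 755 {} +
    find "$1" -type f -perm -0002 -exec chmod 644 {} +
}

# Demo on a constructed tree; the directory and file names are made up.
demo() {
    root=$(mktemp -d) || return 1
    mkdir -p "$root/wp-content/uploads"
    : > "$root/wp-config.php"
    : > "$root/wp-content/uploads/logo.png"
    chmod 600 "$root/wp-config.php"
    chmod 755 "$root/wp-content"
    chmod 777 "$root/wp-content/uploads" "$root/wp-content/uploads/logo.png"

    echo "world-writable before: $(count_world_writable "$root")"
    list_world_writable "$root"
    tighten_world_writable "$root"
    echo "world-writable after:  $(count_world_writable "$root")"
    rm -rf "$root"
}

demo
```

If the CMS can no longer write files after the modes are tightened, that is the question to take to the host, as the post suggests.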