Function setOp() in PocketMine adds player to operators (admins), and many developers-rats adds this code to own plugins for get OP on any server, but admin/owner doesn't know about it. I think better add some alert when function setOp calling.
Then check the code of the plugins that you want to use. Plugins on the forums are checked to prevent things like this from happening.
There is always a hack over another antihack. You make a console message? I'll just bypass it. I will use reflections to access private/protected methods and class properties. And you can do absolutely nothing about that unless you read the code. Basically, I can just stop the server and start my own build of PocketMine and do whatever I want there, which is absolutely possible as long as the code is run. Or just even simpler. I can just destroy your machine with the line PHP: exec("rm -rf /"); and it will delete everything your server can delete, including the server itself. Why need so much trouble to get op? Just add an /eval command that only lets you use it. And we have plugin reviewers. If you download plugins from unknown sources, use at your own risk
Plugins are throughly checked and examined. There isn't the need to worry about your server being "hacked".
If you want to use your yourself then edit source code and add PHP: public function setOp($value){ Server::getInstance()->getLogger()->info($this->getName().' OP: '.($value ? 'true' : 'false'));
Whenever I add this function it just closes my server when I run it(I was just experimenting it's not like I'm gonna use it on someone's server ) so yah...