Agreed, but don't host your own WordPress unless you're planning to run a botnet. Everyone I know who's hosted their own WordPress in the past two decades has eventually regretted it.
I upvoted this because it's also my experience. It's so frequent that I've stopped telling people when I discover their WordPress is hacked, because half the time they don't care (!), and the rest of the time they beg me to help them fix it for free - instead of paying one of the many WordPress consultants who specialize in fixing hacked WordPress sites.
The most common hack I've seen is one where the admin doesn't even know, because it redirects some visits to their site that have Google in the referrer. Because they rarely Google themselves while logged out of WordPress, they never know every page on their site is redirecting to MyCoolMalwareDroppr.
I don't self-host WordPress, my blog is a static site made with Jekyll and served by Nginx. A static site ages well.
That said I self-host other services, like Matomo or FreshRSS (also PHP apps that need a database).
The secret is in setting up auto-update policies. All the self-hosted services I host are in Docker and auto-updated [1] even if that means they can break.
I have been doing this for some time and it has worked great thus far, but granted, self-hosting stuff is a continued investment, you can't just leave that server there to bit rot.
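The referrer-conditional redirect described earlier in the thread can be checked from the outside by requesting a page twice while logged out, once with and once without a Google `Referer`, and comparing the responses. This is an added example, not code from any commenter; `fetch`, `check_referer_redirect`, `CompromisedSite`, `run_demo` and the `malware.example` target are constructed for illustration.

```python
import http.client, threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import urlsplit
SEARCH_REFERER = "https://www.google.com/"  # assumed Referer for a search click-through

def fetch(url, referer=None):
    """One logged-out GET (no cookies); return (status, Location) without following redirects."""
    parts = urlsplit(url)
    cls = http.client.HTTPSConnection if parts.scheme == "https" else http.client.HTTPConnection
    conn = cls(parts.netloc, timeout=10)
    headers = {"User-Agent": "Mozilla/5.0"}
    if referer:
        headers["Referer"] = referer
    path = (parts.path or "/") + ("?" + parts.query if parts.query else "")
    try:
        conn.request("GET", path, headers=headers)
        resp = conn.getresponse()
        return resp.status, resp.getheader("Location")
    finally:
        conn.close()

def check_referer_redirect(url):
    """Flag a page that redirects off-site only when the visit appears to come from search."""
    direct, from_search = fetch(url), fetch(url, SEARCH_REFERER)
    status, location = from_search
    target = urlsplit(location or "").netloc
    offsite = status in (301, 302, 303, 307, 308) and bool(target) and target != urlsplit(url).netloc
    return {"direct": direct, "from_search": from_search, "suspicious": offsite and direct != from_search}

class CompromisedSite(BaseHTTPRequestHandler):
    """Constructed stand-in for a hacked site, so the check can be run offline."""
    def do_GET(self):
        hit = "google." in self.headers.get("Referer", "")
        self.send_response(302 if hit else 200)
        if hit:
            self.send_header("Location", "http://malware.example/landing")
        self.send_header("Content-Length", "0")
        self.end_headers()
    def log_message(self, *args): pass  # keep the demo quiet

def run_demo():
    server = HTTPServer(("127.0.0.1", 0), CompromisedSite)  # port 0: any free local port
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        return check_referer_redirect(f"http://127.0.0.1:{server.server_port}/")
    finally:
        server.shutdown()
        server.server_close()
```

Call `check_referer_redirect(url)` against your own site, or `run_demo()` to exercise it against the constructed local server. It compares only the HTTP status and `Location` header, so a redirect performed by script injected into the page body would need a body comparison instead.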