This is true. But none of my clients have ever stuck to it. The temptation is too great; within 6 months they always seem to justify installing 20 plugins, grinding their performance and security to the ground.
I used to recommend WordPress, but I can't anymore, the plugin system (and bloated themes) is a mess.
It sounds like you've yet to experience having clients. The decision-making authority generally flows quite differently from what you imagine here. The nature of the decision-making authority is what leads the parent commenter to conclude they can't set clients up with WordPress in the first place (because if they tried to tell the clients "no you can't do that" the client would do so anyway and/or switch to a new vendor to be able to do so).
Yep. This was my experience with WordPress as an employee. The marketing team was very loud about needing admin access to the WordPress instance, installed a file manager plugin, and that file manager plugin was shortly used to start serving malware from our domain.
Guess who got to clean it up? It wasn't the marketing team.
Yes, it's a people problem, not a technical problem. But I arrived at the same solution to the people problem as OP: don't set up a WordPress instance for someone who isn't capable of maintaining security themselves.
> It sounds like you've yet to experience having clients.
No, my experience has been the exact opposite. Our clients don't want to fiddle around themselves. They don't care whether their site/app is made with WordPress or Laravel or Node.js or w/e as long as it works well and is tailored to their needs. We also explain why this is more robust, flexible and efficient for all parties involved.
> because if they tried to tell the clients "no you can't do that" the client would do so anyway and/or switch to a new vendor to be able to do so
If they did that we've lost them and they lost us. It's just not how we work.
However, it's the other way around: many clients we've had moved away from solutions that were too malleable and unstable/slow/hard to maintain etc.