The downside to WordPress's philosophy is they keep adding attack surface, and enabling it by default. Does everybody remember all the holes which have been found in their XML-RPC?
And then one day I saw in the logs a whole new facility being hammered, the wp-json path. Enabled by default, and handing out lots of details on our installation and accounts.
Simplistic security, i.e., not much security at all.
This is a family server