[TimTheTinker]

WordPress is highly complex... it has plugin extension points, convolutes HTML building into application logic, and regularly has new security vulnerabilities discovered and exploited.

A guy I know runs a blog for his non-profit on WordPress. At one point he asked me for help because pages were loading extremely slowly. It turned out the blog had been hacked and was being used to host gigabytes of junk pages with SEO boosting links to really trashy websites.

I used to recommend WordPress wholeheartedly for self-hosted blogs, but these days I strongly prefer something that doesn't have any back-end code that the site owner has to maintain and/or update -- a static site generator, a JAMStack-based blog, etc. Or consider using someone else's hosted blog platform (someone you really trust to host a secure platform).