by TekMol 1685 days ago
My first question here would be: What is the attack vector you are worried about? If your wordpress instance is taken over, what is the problem? That the intruder gains access to data they should not have? Or that they will use your machine in some way that would harm you?

There are multiple attack vectors I can think of, although most can be mitigated using other security measures. I don't want to rely on audits only, of course. To give you an example: using the WordPress environment as a stepping stone to gain more access, running client-side software without our permission (stealing data from visitors, our resources e.g. crypto miners), defacement/fake-news, etc.
My reply to this would be that this is very broad.

In my experience, if you really want to make your infrastructure more secure, you need to explicitly define what it is you want to avoid.

Taking your first point: You say "using the WordPress environment as a stepping stone to gain more access". What type of stepping stone would this be? How can malicious JS on the WP instance escalate its privileges?

npm with wordpress usually means front-end code, so one possible issue is attackers sneaking in stuff like credit card number stealing scripts etc. So it is more like protecting end users and less protecting the server/system.
The security concept behind credit cards is insane. Who thinks that a number which you hand over to everyone you buy from is a secret?

Shouldn't this be fixed at the root by handling payments via PayPal or Crypto?

It would have similar security risks if your frontend is compromised, for example, it could make the users pay their cryptocurrency payments to an attacker-controlled address.