@4
It's a big deal when someone hacks you, puts you in a botnet, and then you get banned from your VPS provider. Almost a true story in my case, but fortunately we stopped short of the banning (and then I left anyway because they didn't have cloud-level firewalls, but eh). If your provider also has an API and your server has access to that API (which is sometimes the default) then they can issue API requests to buy more servers on your credit card, and install whatever they want to them. Them getting as far as your personal machine isn't the concern.
You can scan the entire IPv4 address space in about 4 hours with automated vulnerability finding tools, which since IPv6 isn't widespread yet means you can scan the entire internet in about 4 hours with automated vulnerability finding tools. People do do this, looking for things like WordPress installations, open SSH ports, databases without passwords, etc. A full analysis of the internet will take more than 4 hours, but it's still quite a regular thing to have your server get hit by something automated poking around looking for something new to bring into someone else's DDoS botnet.
And WordPress is PHP plus a database plus a bunch of other things, all of which are potential security holes on their own, then WordPress itself, which becomes a security hole once a month on average, and you probably don't know how to configure any of this for maximum security either. So basically you're doing the equivalent of waving a giant neon sign labeled "hack me", or taking a bloody chunk of meat out in the ocean where there's sharks, or something. Once you're in a botnet the server is usually a lost cause, because once a hacker gets in a little they'll use that to get themselves in so tightly that you think you removed them but haha not really.
By contrast, just Nginx without PHP even installed is pretty secure, especially if whatever VPS provider you're using has firewalling functionality and you can block off everything but port 80 and port 443 on their side (trying to do firewalling on Linux itself is often less secure since you want to leave SSH open if you want to be able to turn it off, and very much harder to get right). There's very little surface area when the server can *literally* only serve files, whereas with WordPress the server figuratively only serves files but in the process you gave it 20 other capabilities because WordPress is a giant PHP monster that's been hacked on by anyone and everyone who wants it to maybe do a thing for 20 years.
My Blog | Twitter: @ajhicks1992