Just yesterday I was considering how secure WordPress is and whether to run it as a blog separately from the main website (in a chroot/VM or on totally different hardware).
It is known that most recent vulnerabilities were in third-party plug-ins and WordPress has become much more secure than in its early days. However, I am still hesitant to run one piece of open-source software which can work out as most likely the only remotely exploitable way to get in. Apache2 is the second one, but I can't recall it having remotely exploitable bugs in the last decade with its default configuration.