I wrote some #apparmor profiles for it. I would be very careful about plugins. As I'm the #wordpress #debian packager I follow some of the wp security notices. There are a lot about plugins even security ones.
Think about making the system automatically update vs the fact that means your webserver can write files that are executed by it. Same with plugin and themes.
I use my debian package which is not writable and use apparmor to temporarily write deny
The social network of the future: No ads, no corporate surveillance, ethical design, and decentralization! Own your data with Mastodon!