It seems like there’s a lot of ways to go about this that may be overkill, so I’m curious which may avoid that.
Low maintenance in this context is aiming for moderate technical knowledge/setup, lower cost, and portability in case you need to migrate your site, with minimal hassle in that process.
Doesn’t hosted WordPress auto-update at this point?
Zero days and all sorts of things don’t get fixed in updates… The fact that the software with the security issue has access to write to disk in a manner that can be executed is also a huge problem.