I once had a job as a Web Server admin combined with being the Solaris systems admin for a large online retailer. It lasted a year (2005-2006) and then I bailed. I would never be a Web admin ever again. Maybe it was just that place, but it was brutal. They had no capacity planning and did not know how much traffic they could take and I was there like a month and marketing decided to place a link to their sites (six of them) on the MSN home page for Halloween. That did what marketing wanted. It got traffic. Site went down, then up, then down, then up. The company bought new web and database servers and they had to be setup and installed over three days.
More recently (2014-2021), I ran my own web and mail servers at home and hosted three sites. One of them commercial. I had a static IP which cost $150 per month for their SOHO plan (I'm in the US). I ran Pound as the reverse proxy and nginx as the web server both using FreeBSD. My mail server started on Plan 9, then I moved it to ArcaOS (OS/2), and then finally moved it to OpenBSD using OpenSMTPD. For my firewall I started with OpenBSD and pf, and when they changed the syntax of pf I switched to FreeBSD and ipf.
I had a hardware failure and shut it down in 2021 and moved to a dynamic IP. I haven't ran a web server since. I don't know about using anything hosted, but running your own isn't difficult. The biggest threats were the constant attempts on the mail server and seeing if PHP/WordPress was in use (they were not).
If one was to use WordPress then I would never recommend hosting it yourself and to hire a dedicated WordPress hosting service. They would have the security in place.