Two more tidbits I’d add:
- Security is wildly uneven across the plugin ecosystem. So while there are lots of great plugins out there, there are also plugins that can put your install at risk of being owned. Do a security review of each plugin you use, and expect some of your contractors to not be security-literate. Otherwise, plan for your Wordpress to be compromised, and hope you’ve isolated it from the rest of the network (including password reuse).
- For some use cases, Wordpress can be used as an author-friendly CMS, and then you can build the reader-facing site using the Wordpress REST API and statically serve the content. Caching caveats above still apply.