I don't agree. WAFs usually add more attack surface than they remove.

https://www.macchaffee.com/blog/2023/wafs/

Of course, Wordpress is basically undefendable, so I'd never ever host it on a machine that has anything else of value (including e.g. db credentials that give access to much more than the public content on the WP installation).