You can make the the code read-only (from the web-server's perspective) and have auto update if you use a tool like WP-CLI and a cron job.
I've had a few customer's sites on WP for decades without any hacks. But I also carefully restrict their plug-ins, and disable PHP in any of the upload directories.
I've had a few customer's sites on WP for decades without any hacks. But I also carefully restrict their plug-ins, and disable PHP in any of the upload directories.