Personally, I run everything behind Cloudflare as well, to mask my actual host IP from the world.
Then I take it one step further, I have a load balancer in AWS that sits in front of my server cluster, so the actual host IPs of my machine are never touched to the public.
WO comes with a lot of built-in security features baked into the Nginx configs already. Rate limiting, etc.
As Portofacil pointed out, it's never a set-it-and-forget-it system. Running your own hosting requires maintenance and attention. Everyday? probably not. Every week? Maybe every other week, if you really don't want to pay attention to it or spend much time on it.
Me personally, I spend every day on it because I use it for our work sites.