> If you haven't, check out DVWA. There's a lot of LAMP sites out there with all the standard security, yet wide open via unexpected command execution or injection exploits that haven't led to catastrophe because (so far) hackers aren't motivated to visit/aware of the site. IMHO you need significant resources and expertise in 2018 to dare expose a bespoke website to the wild.

One of the principles of controllership is that the cost of protecting an asset should be proportional to the value of the asset. (You don't use a B52 bomber to guard a piggy bank, and you don't use a BB gun to guard Fort Knox.)
To handle the issues you raise we could expend "significant resources and expertise" or we could minimize the impact on the business that a potential attack might cause.
Anyone who does not go overboard- deserves to.
Malcolm Forbes, Sr.