How to properly configure auto-updates for Linux web server security?
Good afternoon!
Apart from configuring unattended upgrades for security packages, what else needs to be configured?
What do you think about kernel updates? How should they be done properly?
Thanks
Close all ports to the outside except HTTP(S), and install security updates for the web server, PHP, the database and the rest of the stack.
There is no need to touch the kernel: if the site has no severe vulnerabilities and the components are properly set up to run as unprivileged users, it will hardly be reached anyway.
even unattended upgrades can be a controversial practice, especially for a 24/7 server where downtime is expensive. upgrades can require a reboot, right? and updates to the core of the system obviously do want one
here the keyword is server, so it is better for all updates to stay under control (a common scheme in the big leagues is an NLB cluster in which the nodes are serviced one at a time, so there is no downtime)
.. another topic is a sudden 0-day: it happens that on forums / mailing lists / in the news you learn about a newly discovered hole, for which a patch has been started but is not simple and will only come out after a while .. at the same time there are quite often recommendations on how to close the problem yourself (including scripts and the like)
all this is to say that good security control cannot be switched to automatic
Never do automatic updates! If at all possible, keep a copy of the production server, even just in a virtual machine on your own computer, and update it first. If that is not possible, update by hand during the hours of minimum load. Automatic updates are a sure way to bad sleep, overtime at the most inopportune moment, and so on.
But this does not mean you should update rarely; on the contrary, the more often you update, the fewer updates there are at a time, and in the event of a breakage there is a shorter list of places to check.
Kernel updates: either through a reboot, or by installing kernels that can be updated on the fly (but that has its own specifics, and it is too early for you to get into it).
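One way to put the advice in the answers above into practice (security-only package sources, no automatic reboot, kernel updates left for a manual maintenance window, a report on every run so updates stay under control). This is an added example, not configuration from any of the answers; it assumes a Debian/Ubuntu host with the unattended-upgrades package installed and uses that package's standard file paths.

```conf
// /etc/apt/apt.conf.d/50unattended-upgrades (standard path of the package)

// Only pull packages from the security pocket; regular updates stay manual.
// The ESM lines are Ubuntu-specific and are ignored where that pocket does not exist.
Unattended-Upgrade::Allowed-Origins {
    "${distro_id}:${distro_codename}-security";
    "${distro_id}ESMApps:${distro_codename}-apps-security";
    "${distro_id}ESM:${distro_codename}-infra-security";
};

// Entries are Python regexes matched against package names. Excluding "linux-"
// keeps kernel images and headers out of the automatic run, so they are
// installed by hand (with a planned reboot) or via a live-patch kernel.
Unattended-Upgrade::Package-Blacklist {
    "linux-";
};

// Never reboot on its own; the operator checks /var/run/reboot-required instead.
Unattended-Upgrade::Automatic-Reboot "false";

// Upgrade in small apt steps so an interrupted run leaves a consistent system
// rather than a half-applied batch.
Unattended-Upgrade::MinimalSteps "true";

// Mail a report whenever something changed, not only on errors
// (older releases use Unattended-Upgrade::MailOnlyOnError "false" instead).
Unattended-Upgrade::Mail "root";
Unattended-Upgrade::MailReport "on-change";

// Do not autoremove packages silently; review leftovers by hand.
Unattended-Upgrade::Remove-Unused-Dependencies "false";

// /etc/apt/apt.conf.d/20auto-upgrades (standard path of the package)
// Refresh the package lists and run unattended-upgrade once a day.
APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Unattended-Upgrade "1";
```

`unattended-upgrade --dry-run -d` shows what the next run would install without changing anything, and the existence of `/var/run/reboot-required` tells you a manual reboot is pending.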