Thanks a lot for the detailed response. I see Tailscale pop up here often and have been meaning to better understand how it could fit into my typical hosting setup, so I appreciate that reference.

For additional context I usually host on a shared or dedicated VPS, and in this case am managing a WordPress site I inherited. It seems to me that if the SSH connection is restricted by IP and limited to keys, there are much larger risks involved in hosting a WordPress site publicly available on the internet w/ dozens of plugin dependencies.

> key auth means the machine is authorized on your server

Not necessarily: Depends on whether your key is passphrase-protected and how your SSH agent is configured (if you use one). You can have the standard OpenSSH one ask you for confirmation of every key usage, for example.

> consider a vpn please

But also consider how you'll fix a broken VPN without SSH access.

Many people keep offering advice to consider a VPN, and while a VPN is very useful, I have not yet come across a reason why not to use ssh auth. Like what can actually happen? From my pov the risk of running all sorts of userspace software with internet access is much greater, even without port forwarding.
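One way to check from the server side that the setup discussed in this thread (SSH limited to keys and restricted by source IP) is actually in effect, as an added example that is not part of any comment above. It assumes the restriction is expressed with `AllowUsers USER@HOST` patterns rather than a firewall rule or an `authorized_keys` `from=` option; the function names and the sample `sshd -T` output are constructed.

```python
# Added example: audit effective sshd settings for key-only, IP-restricted logins.
# SAMPLE is constructed; on a real host pass in the output of `sshd -T` (as root).
SAMPLE = """\
port 22
pubkeyauthentication yes
passwordauthentication no
kbdinteractiveauthentication no
allowusers deploy@203.0.113.10
allowusers backup@*
"""

def parse(text):
    """Map each keyword to all of its values; repeated keywords accumulate."""
    cfg = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 2:
            cfg.setdefault(parts[0].lower(), []).extend(parts[1:])
    return cfg

def audit(text):
    """Return a list of findings; an empty list means both restrictions hold."""
    cfg = parse(text)
    findings = []

    def value(*keys):
        # First keyword present wins; a missing keyword counts as enabled.
        for key in keys:
            if key in cfg:
                return cfg[key][0].lower()
        return "yes"

    if value("pubkeyauthentication") != "yes":
        findings.append("pubkeyauthentication is not enabled")
    if value("passwordauthentication") != "no":
        findings.append("passwordauthentication is not 'no'")
    # Older OpenSSH releases report this as challengeresponseauthentication.
    if value("kbdinteractiveauthentication", "challengeresponseauthentication") != "no":
        findings.append("keyboard-interactive authentication is not 'no'")

    entries = cfg.get("allowusers", [])
    if not entries:
        findings.append("no AllowUsers entries: no per-user source restriction")
    for entry in entries:
        host = entry.partition("@")[2]
        if host in ("", "*"):
            findings.append(f"AllowUsers '{entry}' matches any source address")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print("FINDING:", finding)
```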