With regard to performance concerns when temporarily opening the port occasionally: I don't think you have too much to worry about.
With regard to exposing port 80:
The fail2ban recommendation is good.
For performance (and security?), maybe an NGINX reverse proxy configuration would help by returning error pages at the proxy level for commonly targeted paths such as WordPress resources. This would be especially helpful if your app is heavier.
For larger attack surfaces that have comparatively more potential vulnerabilities (user inputs, databases), a web app firewall (WAF) like ModSecurity could be used for other security concerns.
I found this article about gzip bombs quite fascinating, although if it works it is not robust or even a good solution for the problem.
I have previously used Apache and NGINX on a Pi 3 with a port forward from an obscure port number on my router. The request logs looked bad enough, of course, but I had no performance problems, and I have no basis for comparison since I have never run port 80 on a Pi. If you really find this to be an issue (it probably won't be), then w.r.t. Pis I can vouch for the port forward solution.
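
The NGINX reverse proxy idea above, as an added example that is not part of the original post: requests for commonly probed WordPress paths get a 404 at the proxy and are written to their own log (which a fail2ban jail could watch), and everything else is forwarded to the app. The backend address `127.0.0.1:8080`, the path list and the log file path are assumptions.

```nginx
# Added example. Assumed values: backend on 127.0.0.1:8080,
# probe log at /var/log/nginx/probes.log, and the list of paths below.
server {
    listen 80;
    server_name _;

    # Commonly targeted WordPress resources. The app behind the proxy is
    # assumed not to be WordPress, so these can never be legitimate requests.
    # They are answered here and never reach the (heavier) application.
    location ~* ^/(wp-admin|wp-login\.php|wp-content|wp-includes|xmlrpc\.php) {
        # Separate log so the probes do not drown the normal access log
        # and can be matched by a fail2ban filter.
        access_log /var/log/nginx/probes.log;
        return 404;
    }

    # Everything else goes to the application.
    location / {
        proxy_pass http://127.0.0.1:8080;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}
```

Run `nginx -t` after editing to validate the configuration before reloading.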