I have mine public, strong master password and 2FA enabled. The admin panel is also public with a very strong password, no one is breaking that in many life times. About the database I’m not worried, only accessible locally or through SSH tunnel that only accepts authentication via private key. I’m also using cloudflare, the subdomain is available for my country only, unless when I travel, then I disable it.