Just waiting for everyone to come in saying you shouldn’t do this lol. Yes, changing the port is a nice little bonus. It doesn’t any extra security, but it moves you out of the way from the automated bots that scan the internet trying recent 0days. You’ll probably see a reduction of 99% traffic hitting the service and the only logs will be real people.
Honestly, all applications are vulnerable AF, especially the open source projects without a major team behind them. I work in a security research team and we find critical bugs like this in a weekly basis. Even in major projects which you would be scared to know about. I personally wouldn’t expose anything except SSH or a VPN, or if I have to expose a web app, it’s going inside a VLAN with very restrictive firewall rules, proper logging, and a reverse proxy enforcing authentication via an OIDC based IDP.
We generally spend a couple of days to a week before finding something critical allowing RCE.