In the near future I will have a WordPress blog, public and visible to anyone, that has a members area. This members area accesses some private data on a special database with financial data, so this kind of info should only be viewable to customers of the site.
The private site will be running inside a VPN on a business LAN and a little server, and I wonder if hosting that private part together with the public site would be a good idea.
In fact, due to WordPress vulnerabilities (it is a desired target right now) I think that if an attacker gains access to the WP site and that's inside the VPN, then he would be able to attack "from inside" and eventually he could even access the private site and its data.
Wouldn't it be more appropriate to have the public site outside, on a VPS for example? The members area would be accessed through a secure protocol (HTTPS), and I wonder if there are some recommendations on this subject.
Yes, a typical configuration would be to have your public website on a separate server which is on the public internet. If it needs any data from your private database you'd set up a NAT that would do mapping for a single port, only to the IP your website runs on.
You can also take it a step further, and have your public internet device just act as a reverse proxy to a web server that is on a private or semi-private network.
The first question is whether the public and private sites actually have to be run together. Ideally they would be run separately, with the public site on an external server and the private site on a server in the LAN.
If they have to be run on the same server then the risk of the private data being compromised is the same regardless of whether it is hosted externally or internally. The question is whether the compromised server can be used to access data and systems unrelated to the site. In order to protect against this you want to host the server in a DMZ if you host it internally.
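As an added illustration of both answers above (the single-port NAT to one IP from the first, and the DMZ placement from the second), here is a perimeter firewall ruleset in nftables syntax. It is not from the original thread; all addresses, interface names and the PostgreSQL port are constructed assumptions, and the LAN database host is assumed to be the only thing the web tier ever needs to reach.

```nft
#!/usr/sbin/nft -f
# Hypothetical perimeter firewall for the setup discussed in the thread.
# Constructed values (not from the thread):
#   eth0 = public interface, eth1 = business LAN, eth2 = DMZ
#   203.0.113.10 = external VPS hosting the public WordPress site
#   10.0.20.5    = LAN server holding the financial database (PostgreSQL, tcp/5432)
#   10.0.30.5    = DMZ web server, for the "host it internally in a DMZ" variant
flush ruleset

table inet perimeter {
    chain prerouting {
        type nat hook prerouting priority dstnat;
        # Single-port NAT (first answer): only the VPS's source address may reach
        # the database port, and it is mapped to exactly one internal host.
        iif "eth0" ip saddr 203.0.113.10 tcp dport 5432 dnat ip to 10.0.20.5
        # DMZ variant (second answer): public HTTPS lands on the DMZ web server only.
        iif "eth0" tcp dport 443 dnat ip to 10.0.30.5
    }

    chain forward {
        type filter hook forward priority filter; policy drop;
        ct state established,related accept

        # The DNAT'd database connection from the VPS, and nothing else from outside
        iif "eth0" oif "eth1" ip saddr 203.0.113.10 ip daddr 10.0.20.5 tcp dport 5432 ct state new accept

        # Public visitors to the DMZ web server's TLS port (the members area over HTTPS)
        iif "eth0" oif "eth2" ip daddr 10.0.30.5 tcp dport 443 ct state new accept

        # The DMZ web server may talk to the database on one port ...
        iif "eth2" oif "eth1" ip saddr 10.0.30.5 ip daddr 10.0.20.5 tcp dport 5432 ct state new accept
        # ... but is otherwise cut off from the LAN, so a compromised WordPress
        # instance cannot reach unrelated internal systems; denied attempts are logged
        # so the SOC can see a pivot attempt.
        iif "eth2" oif "eth1" log prefix "dmz-to-lan-denied " drop

        # Staff on the LAN may browse the DMZ web server, nothing more
        iif "eth1" oif "eth2" ip daddr 10.0.30.5 tcp dport 443 ct state new accept
    }
}
```

Load with `nft -f` on the firewall; the `log prefix` line is the detection hook, since any hit on it means something in the DMZ tried to reach the LAN outside the one permitted database flow.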