We've been doing this for 20 years. It's not a security issue on the server itself, it's WordPress, though it's possible your wordpress installation is hacked or being pounded by bots, both of which will cause it to use even more load than it already does. The security of WordPress itself sucks, and WP gets hacked all the time. We usually see a couple of users per week get their Wordpress instances hacked. Even if it's not hacked, it's very inefficient, being one of the heaviest PHP based CMSes available.
Also, our load measurements are a cumulative sum, not actual numbers, which is why they seem extreme. We sample your load every 60 seconds, and just add the samples together over the span of 24 hours. For example, the 200GB memory limit expressed as continuous usage would be only about 140 MB continuous usage, which is pretty easy to get suspended for (and many people do, usually because they left a node or python app running).