Router 1 (R1) = upstream wireless router
Router 2 (R2) = downstream wired router
If R2 is on a different subnet, and it should be according to the requirements you set out in your original question, then someone hacking into the R1 would have to figure out what the IP on the WAN port of the R2 is before they could even begin to hope to access it and the network beyond it.
That would be the only interface between the two separate networks. Without knowing it's IP offhand you'd have to go through each possible IP to find it. Once you did, you'ld still be unable to access the router itself, or it's network since there's no route from R1 to R2 and R2's network beyond the router.
Which is to say, clients on the R2 could see the network on the R1, but not vice-versa.
Ensure that R2 is setup to not allow access to the router's management interface from the WAN side. As far as I know, this is the default but you will want to check for a "remote management" setting and if there is one, disable it. Then the only way to get into the router's management interface would be from the LAN side which a remote client, or hacker, couldn't access.
It matters not how straight the gate,
How charged with punishments the scroll,
I am the master of my fate;
I am the captain of my soul.