The Ontario WordPress Advisory Is a Good Reminder: Websites Need Ongoing Care

March 27, 2026

The Ontario Ministry of Public and Business Service Delivery and Procurement just released a Cyber Security Advisory regarding WordPress Guidance and Best Practices.

We keep an eye on security advisories like this as part of the job, and this latest one is a good example of the kinds of issues that tend to matter most in the real world. It points to the usual problem areas: outdated components, weak authentication, misconfigurations, poor monitoring, and weak vendor governance. None of that is especially surprising.

What is worth repeating is this: a website does not need to be active to need care.

Now, my quiet screaming in the background is that you should always be updating your website and keeping it fresh. Realistically, I know that is not always how things play out, and that is a topic for another article. A lot of businesses look at a WordPress site and think, “It’s mostly static. It just sits there.” That may be true from a content perspective. It is not true from a security or maintenance perspective. WordPress core still needs patching. Plugins still need to be updated or removed. Admin access still needs to be locked down. Logs still matter. Backups still need to work. Someone still needs to be watching.

That is really the heart of the advisory.

It recommends MFA, prompt patching, removing unsupported components, restricting admin portals, enabling detailed logging, closing unnecessary exposed services, documenting vendor responsibilities, and maintaining tested backups that can restore a clean version of the site if needed.

That last part matters more than most people think.

A lot of website risk comes down to one question: who is actually responsible?

The advisory explicitly says organizations should confirm vendor responsibilities for patching, monitoring, and incident response, and make sure that is documented.

Exactly.

Because when something goes sideways, the worst time to discover “we thought someone else was handling that” is after the fact.

This is why we’ve never liked reducing website care to “just hosting.” Hosting is one piece. Ongoing care is the bigger thing. That’s the patching, the monitoring, the backups, the recovery readiness, the security oversight, and the ability to respond when something looks off.

And yes, this matters even if the site is simple.

In fact, simple-looking sites are often the ones people forget about. That’s where complacency creeps in. Meanwhile, attackers are still scanning for outdated plugins, weak credentials, exposed services, and easy openings.

One other useful detail: this is threat advice, not an active incident notice. Ontario is saying, in plain terms, that this is guidance to help organizations prepare and reduce risk before there is a problem.

That’s the right way to read it.

Not as a reason to panic. As a reminder to be clear-eyed about ownership.

If your website runs on WordPress, someone should be actively responsible for keeping it patched, monitored, backed up, and recoverable. If that’s already happening, great. That’s the whole point.

If it isn’t, this is a good time to fix that.

You can reach out to me personally if you want to assess your risk: cpriest@pixelcarve.com