(Cross-posted from NTEN Discuss)
Backups are definitely key, and retaining some over a longer period (don't keep just the latest 1 copy). Keeping one in a safe place is also advisable, i.e. just grab one you have now and download it to your org's local file server.
I would say if the website is still providing value then I don't think best practice is necessarily to shut it down. Just support it as best you can and you can always shut it down later if you need to.
Keep in mind website ongoing maintenance should be a fairly small cost of your overall organization. If the website is still valuable then I would say generally those costs are probably worth it. Mainly that should involve the hosting/domain service, and a technical resource for software updates. This could be an existing technical staff, an external person, or some sort of service.
Hosting/domain should run you something like $10-20 /month. The maintenance part depends, for example I often recommend applying security updates every 3 months, and depending who is providing this service for you it might be around roughly $100-200 each time.
Another option you can consider is having someone do a quick audit of your site to make sure there aren't any existing gaps. If nothing else you may be able to do some of this yourself for starters: check the drupal status report on the site and the available updates report, check the user list to make sure that's up to date (disable old users), and you can also consider subscribing to drupal's security mailings if you really want to go down that rabbit hole. :)
Hope this helps!
Martin Hansen Senior Consultant / R&D Lead 519.725.7875 x2120 | 888.817.3048
PeaceWorks™ Technology Solutions 101 - 554 Parkside Drive, Waterloo ON N2L 5Z4 www.peaceworks.ca
Mission driven technology solutions
This communication is intended for only the party to whom it is addressed and may contain information that is privileged or confidential. Any other distribution, copying or disclosure is strictly prohibited and is not a waiver of privilege or confidentiality. If you have received this telecommunication in error, please notify the sender immediately by return email and delete this message from your computer.
Please note: If you do not wish to receive promotional emails from us, please reply to this message indicating your preference and we will refrain from sending further promotional emails.