A security policy is a document that does just that: it polices security. It's a foundational tool that helps us stay one step ahead of a compromised site. We like that.
These working documents can be as simple or complex as an outfit needs. At enterprise level, you'd have a legally-adjusted multi-tiered approach or, for sole bloggers, something more akin to a checklist. In any case, here are the kinds of elements to weave in:
Isn't this overkill?
The breadth of a policy can be excessive but, for any site, writing up a policy is a smart exercise to highlight weaknesses and to nudge improvements. They may ...