diff --git a/cron/cron.d/website-update b/cron/cron.d/website-update
deleted file mode 100644
index 1842cc0803f0925acab8488f4974c28e4a878037..0000000000000000000000000000000000000000
--- a/cron/cron.d/website-update
+++ /dev/null
@@ -1 +0,0 @@
-*/5 * * * * www $HOME/website/cron/scripts/website-update.sh
diff --git a/cron/cron.monthly/django-cleanup b/cron/cron.monthly/django-cleanup
deleted file mode 100644
index 19f5877671cf7f17ac9b1d1feae7de1823d91c27..0000000000000000000000000000000000000000
--- a/cron/cron.monthly/django-cleanup
+++ /dev/null
@@ -1,20 +0,0 @@
-#!/bin/sh
-# Copyright (C) 2008, Jim Garrison
-
-# Permission to use, copy, modify, distribute and/or distributed modified
-# versions of this software for any purpose with or without fee is hereby
-# granted, provided that the above copyright notice and this permission
-# notice appear in all copies.
-
-# THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
-# WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
-# MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
-# ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
-# WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
-# ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR
-# IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
-
-# Clean old data from the database (expired admin sessions)
-# (see http://www.djangoproject.com/documentation/django-admin/)
-
-python /var/www/conservancy/manage.py cleanup
diff --git a/systemd/conservancy-www-cleanup.service b/systemd/conservancy-www-cleanup.service
new file mode 100644
index 0000000000000000000000000000000000000000..8ce1e3253a318b07cbb30fe5cb45f03a1ad4560a
--- /dev/null
+++ b/systemd/conservancy-www-cleanup.service
@@ -0,0 +1,26 @@
+[Unit]
+Description=Cleanup Conservancy website
+Before=apache2.service
+
+[Service]
+Type=oneshot
+User=www
+ExecStart=/usr/bin/python /var/www/website/www/manage.py clearsessions --verbosity 0
+
+SystemCallFilter=~@clock @cpu-emulation @debug @module @mount @obsolete
+CapabilityBoundingSet=
+NoNewPrivileges=true
+
+PrivateDevices=true
+PrivateNetwork=true
+PrivateTmp=true
+PrivateUsers=true
+ProtectControlGroups=true
+ProtectHome=true
+ProtectKernelModules=true
+ProtectKernelTunables=true
+ProtectSystem=strict
+ReadWritePaths=/var/lib/www/database
+
+[Install]
+WantedBy=apache2.service
diff --git a/systemd/conservancy-www-update.service b/systemd/conservancy-www-update.service
new file mode 100644
index 0000000000000000000000000000000000000000..a2f363b08343f267964eae28521ffbdfd6317d39
--- /dev/null
+++ b/systemd/conservancy-www-update.service
@@ -0,0 +1,23 @@
+[Unit]
+Description=Update Conservancy website checkout
+
+[Service]
+Type=oneshot
+User=www
+WorkingDirectory=/var/www/website
+ExecStart=/var/www/website/systemd/conservancy-www-update.sh
+
+SystemCallFilter=~@clock @cpu-emulation @debug @module @mount @obsolete
+CapabilityBoundingSet=
+NoNewPrivileges=true
+
+PrivateDevices=true
+PrivateNetwork=false
+PrivateTmp=true
+PrivateUsers=false
+ProtectControlGroups=true
+ProtectHome=true
+ProtectKernelModules=true
+ProtectKernelTunables=true
+ProtectSystem=strict
+ReadWritePaths=/var/www/website
diff --git a/cron/scripts/website-update.sh b/systemd/conservancy-www-update.sh
similarity index 100%
rename from cron/scripts/website-update.sh
rename to systemd/conservancy-www-update.sh
diff --git a/systemd/conservancy-www-update.timer b/systemd/conservancy-www-update.timer
new file mode 100644
index 0000000000000000000000000000000000000000..5d790968e2d40a2d7d2a38f7c394ee312764330d
--- /dev/null
+++ b/systemd/conservancy-www-update.timer
@@ -0,0 +1,8 @@
+[Unit]
+Description=Update Conservancy website checkout
+
+[Timer]
+OnCalendar=*:0/5
+
+[Install]
+WantedBy=timers.target