Traffic encryption (HTTPS)
You can provide secure access to your website using traffic encryption. Traffic encryption is available for all Wild Apricot domains (sites that use wildapricot.org). You can make secure access optional, or you can choose to automatically redirect visitors to a secure URL. You can redirect visitors always, or just when filling out Wild Apricot forms. Online payments on Wild Apricot will always be encrypted.
What is traffic encryption?
Traffic encryption, known officially as hypertext transfer protocol secure (HTTPS), is a method of securing the transmission of information to and from a website.
It ensures the security of website traffic by encrypting the information being transmitted, and by using security certificates to identify and authenticate the website. This is the same technology used by banks worldwide to secure their online banking sites.
To communicate with a website through a secure, encrypted channel, you use a URL (website address) that begins with https rather than http. Once a secure channel has been established, your browser may display a padlock icon in the address bar or the status bar.
Do I need to use traffic encryption?
If you access the internet over a unsecured Wi-Fi connection, you run the risk of someone intercepting the data you are sending and receiving.
This becomes a real security threat if you are an administrator managing a Wild Apricot website. Visitors who submit private information to your website via online forms (e.g. membership applications, event registrations) may also feel more comfortable knowing the traffic is secured.
If you're an administrator…
You wouldn't want someone to steal your credentials and access your membership list.
If you're filling out a form…
You might want to encrypt the data to be on the safe side, even though the chances of someone intercepting your personal information are low.
If you're just visiting the site…
Security is probably not an issue for you (unless you are trying to avoid tracking of what you view online).
If you're making a payment on a
Your credit card data and private information is always protected.
Using traffic encryption can also improve the Google ranking of your site. For more information, click here.
How do I get secure access to my site?
For Wild Apricot domains (sites that use wildapricot.org), you simply add an s after the http in your website address (e.g.instead of ).
Do not include www in the URL (e.g. not ). Security certificates (used to identify and authenticate websites) are provided free of charge to all Wild Apricot domains. If you want, you can automatically redirect visitors to your website to the secure URL. For more information, see Traffic encryption options (below).
What if I use a custom domain?
Accounts that use custom domains (such as www.nycs.net instead of nycs.wildapricot.org) are also provided with an additional wildapricot.org domain that can be accessed using a secure https URL. Alternatively, we can install your own custom security certificate on your custom domain for a separate charge. For details and pricing, see Securing custom domains (below).
What if I use a different free domain?
Accounts that use other free domains (such as camp7.org and memberlodge.org) are provided an additional wildapricot.org domain that can be accessed using a secure https URL. You can use the secure Wild Apricot domain in addition to your regular website address, or you can switch your website to the wildapricot.org domain. For instructions on switching, see Domain name management.
Traffic encryption options
If you want to enforce secure access, you can automatically redirect visitors to your site to a secure URL. You can redirect visitors always, or just when filling out Wild Apricot forms.
To control when visitors to your site are redirected to a secure URL, follow these steps:
- Click Settings.
- Under Security, click Traffic encryption (HTTPS/SSL).
Choose when you want to redirect visitors to the secure URL.
Level of security
All http pages will be redirected to the equivalent https page. There are some limitations that you should be aware of (see below). If you are using a custom domain that does not have its own security certificate, visitors will be redirected to secure pages within the wildapricot.org domain.
Only pages containing Wild Apricot forms (such as membership applications and event registrations but not login forms) will be redirected to the secure URL. Once redirected to a secure URL, the visitor will not be redirected back to an insecure page within the current session. Members will be directed to a secure URL once they log in. You should choose this option if your site links to external resources (e.g. graphics or stylesheets) that are stored on a website that is not secured (uses http instead of https). See below for limitations.
Online payments will be processed on secure pages, but while on your site, visitors will never be redirected to your site's secure URL. Visitors can, however, use the secure URL at any time to access the site. Once a member logs in from a secure page, the member will stay on secure pages for the remainder of the current session.
- Click Save.
Securing custom domains
To secure a custom domain (such as www.nycs.net instead of nycs.wildapricot.org), you need to purchase a custom security certificate that Wild Apricot can then install.
The cost of a one-year security certificate – which you purchase independently – begins around $100. To install the security certificate on your custom domain, we charge an initial fee of $50 and a renewal fee of $50.
The steps involved in purchasing and installing a custom security certificate are as follows:
- Choose a security certificate vendor. (Wild Apricot recommends DigiCert.)
- Contact Wild Apricot support and provide the following information:
- Country/region Name (2 letter code) – you can find your two-digit country code at: www.digicert.com/ssl-certificate-country-codes.htm
- State/province (full name)
- Organization name – The legally registered name of your organization/company (maximum 64 symbols).
- Organizational unit name – The name of your department within the organization (frequently this entry will be listed as "IT," "Web Security," or is simply left blank).
- Common name – The name/domain through which the certificate will be accessed (usually the fully-qualified custom domain name e.g. www.domain.com. Note some vendors might not generate the SSL certificate for both www.domain.com and domain.com, so be sure to specify the main domain you would like to use).
- Email Address
- Our support representative will generate and email you a CSR (Certificate Signing Request). You can use the CSR to order an SSL certificate from your vendor.
Visit your vendor's website and use the CSR to order your certificate. Make sure your vendor includes the following statements in the SAN (Subject Alternative Name) section of the certificate so that it applies to your website's URL with and without the www:
- After receiving the SSL certificate from your vendor, send it to us.
- After we receive the certificate from you, we'll install it on your website and let you know when we're done.
- Finally, you must update your custom domain DNS settings within your domain registrar account. We'll provide the A-record IP value you'll need.
Once the process is complete, we'll invoice you for the installation fee.
Secure site seals
When you purchase a security certificate from a vendor, you are usually entitled to display the branded seal on your site to let visitors know your site is secure.
Visitors to your website may encounter problems establishing or maintaining a secure connection if the page includes references to resources stored at a site that begins with http rather than https. These resources could include:
- external graphics
- external stylesheets
- third-party widgets
- YouTube videos
- internal resources identified using an absolute reference that begins with http
In these cases, the browser may block content, generate an error message,
or display an icon indicating that the page is not completely secure.
The traffic to and from your site will remain encrypted, but the unsecured resources could be viewed by a third party.