Traffic encryption (HTTPS)
You can provide secure access to your website using traffic encryption . Traffic encryption is available for all Wild Apricot domains (sites that use wildapricot.org ). You can make secure access optional, or you can choose to automatically redirect visitors to a secure URL. You can redirect visitors always, or just when filling out Wild Apricot forms. Online payments on Wild Apricot will always be encrypted.
What is traffic encryption?
Traffic encryption, known officially as hypertext transfer protocol secure (HTTPS), is a method of securing the transmission of information to and from a website.
It ensures the security of website traffic by encrypting the information being transmitted, and by using security certificates to identify and authenticate the website. This is the same technology used by banks worldwide to secure their online banking sites.
To communicate with a website through a secure, encrypted channel, you use a URL (website address) that begins with https rather than http. Once a secure channel has been established, your browser may display a padlock icon in the address bar or the status bar.
Do I need to use traffic encryption?
If you access the internet over a unsecured Wi-Fi connection, you run the risk of someone intercepting the data you are sending and receiving.
This becomes a real security threat if you are an administrator managing a Wild Apricot website. Visitors who submit private information to your website via online forms (e.g. membership applications, event registrations) may also feel more comfortable knowing the traffic is secured.
If you're an administrator…
You wouldn't want someone to steal your credentials and access your membership list.
If you're filling out a form…
You might want to encrypt the data to be on the safe side, even though the chances of someone intercepting your personal information are low.
If you're just visiting the site…
Security is probably not an issue for you (unless you are trying to avoid tracking of what you view online).
If you're making a payment on a
Your credit card data and private information is always protected.
Using traffic encryption can also improve the Google ranking of your site. For more information, click here.
How do I get secure access to my site?
For Wild Apricot domains (sites that use wildapricot.org), you simply add an s after the http in your website address (e.g. traffic encryption options (see below).instead of ). To enforce secure access throughout your site, you need to set your
Do not include www in the URL (e.g.not ).
What if I use a custom domain?
If your site uses a custom domain name (such as www.nycs.net instead of nycs.wildapricot.org ), you need to purchase a security certificate to fully secure your site. Without a security certificate installed on your Wild Apricot, you should not set your traffic encryption to Always.
If you don't want to purchase a security certificate, you can switch your primary domain name to the wildapricot.org domain, which is already secured by a security certificate. For instructions on switching domain names, see Domain name management.
What if I use memberlodge.org or camp.org?
If your site is using another Wild Apricot domain, such as camp.org or memberlodge.org, you cannot fully secure your site without switching your primary domain to the wildapricot.org version of your site. Setting your traffic encryption to Always will produce errors and security warnings with these domains.
You should consider setting the wildapricot.org version of your site as the primary domain from the Domain name management screen. You could then set the traffic encryption on your site to Always. You would then need to inform your members about the new URL for your site. For instructions on switching domain names, see Domain name management.
Traffic encryption options
If you want to enforce secure access, you can automatically redirect visitors to your site to a secure URL. You can redirect visitors always, or just when filling out Wild Apricot forms.
To control when visitors to your site are redirected to a secure URL, follow these steps:
- Click Settings.
- Under Security, click Traffic encryption (HTTPS/SSL).
Choose when you want to redirect visitors to the secure URL.
Level of security
All http page requests will be redirected to the encrypted https page. There are some limitations that you should be aware of (see below).
Only pages containing Wild Apricot forms (such as membership applications and event registrations but not login form gadgets) will be redirected to the secure URL. Once redirected to a secure URL, the visitor will not be redirected back to an insecure page within the current session. Members will be directed to a secure URL once they log in. You should choose this option if your site links to external resources (e.g. graphics or stylesheets) that are stored on a website that is not secured (uses http instead of https). See below for limitations.
Online payments will be processed on secure pages, but while on your site, visitors will never be redirected to your site's secure URL. Visitors can, however, use the secure URL at any time to access the site. Once a member logs in from a secure page, the member will stay on secure pages for the remainder of the current session.
- Click Save.
Securing custom domains
To secure a custom domain (such as www.nycs.net instead of nycs.wildapricot.org), you need to purchase a custom security certificate that Wild Apricot staff can install on your site. After that, you can set your traffic encryption to Always.
The cost of a one-year security certificate – which you purchase independently – begins around $100. To install the security certificate on your custom domain, we charge an initial fee of $50 and a renewal fee of $50.
The steps involved in purchasing and installing a custom security certificate are as follows:
- Choose a security certificate vendor. (Wild Apricot recommends DigiCert. For instructions on purchasing a security certificate from DigiCert, click here.)
- Email Wild Apricot support and provide the following information:
- Country/region Name (2 letter code) – you can find your two-digit country code at: www.digicert.com/ssl-certificate-country-codes.htm
- State/province (full name)
- Organization name – The legally registered name of your organization/company (maximum 64 symbols, including spaces).
- Organizational unit name – The name of your department within the organization (frequently this entry will be listed as "IT," "Web Security," or is simply left blank).
- Common name – The name/domain through which the certificate will be accessed (usually the fully-qualified custom domain name e.g. www.domain.com. Note some vendors might not generate the SSL certificate for both www.domain.com and domain.com, so be sure to specify the main domain you would like to use).
- Email Address
Our support representative will generate and email you a CSR (Certificate Signing Request). You can use the CSR to order an SSL certificate from your vendor.
Visit your vendor's website and use the CSR to order your certificate. Make sure the SSL certificate you purchase is for Apache or Nginx, and make sure your vendor includes the following statements in the SAN (Subject Alternative Name) section of the certificate so that it applies to your website's URL with and without the www:
- After receiving the SSL certificate from your vendor, email it to us – usually it is an archive file or CRT/CER files provided by certificate vendor – and separately send the intermediate certificate file.
- After we receive the certificate from you, we'll install it on your website and let you know when we're done.
- Finally, you must update your custom domain DNS settings within your domain registrar account. We'll provide the A-record IP value you'll need.
Once the process is complete, we'll invoice you for the installation fee.
Secure site seals
When you purchase a security certificate from a vendor, you are usually entitled to display the branded seal on your site to let visitors know your site is secure.
Visitors to your website may encounter problems establishing or maintaining a secure connection if the page includes references to resources stored at a site that begins with http rather than https. These resources could include:
- external graphics
- external stylesheets
- third-party widgets
- YouTube videos
- internal resources identified using an absolute reference that begins with http
In these cases, the browser may block content, generate an error message,
or display an icon indicating that the page is not completely secure.
The traffic to and from your site will remain encrypted, but the unsecured resources could be viewed by a third party.
On this page: