Download this help site
(PDF 82MB)


Traffic encryption (HTTPS)

You can provide secure access to your website using  traffic encryption . Traffic encryption is available for all Wild Apricot domains (sites that use  wildapricot.org ). You can make secure access optional, or you can choose to automatically redirect visitors to a secure URL. You can redirect visitors always, or just when filling out Wild Apricot forms.  Online payments on Wild Apricot will always be encrypted.

What is traffic encryption?

Traffic encryption, known officially as hypertext transfer protocol secure (HTTPS), is a method of securing the transmission of information to and from a website.

 Read more/less

It ensures the security of website traffic by encrypting the information being transmitted, and by using security certificates to identify and authenticate the website. This is the same technology used by banks worldwide to secure their online banking sites.

To communicate with a website through a secure, encrypted channel, you use a URL (website address) that begins with https rather than http. Once a secure channel has been established, your browser may display a padlock icon in the address bar or the status bar.

Do I need to use traffic encryption?

If you access the internet over a unsecured Wi-Fi connection, you run the risk of someone intercepting the data you are sending and receiving.

 Read more/less

This becomes a real security threat if you are an administrator managing a Wild Apricot website. Visitors who submit private information to your website via online forms (e.g. membership applications, event registrations) may also feel more comfortable knowing the traffic is secured.

If you're an administrator…

You wouldn't want someone to steal your credentials and access your membership list.

If you're filling out a form…

You might want to encrypt the data to be on the safe side, even though the chances of someone intercepting your personal information are low.

If you're just visiting the site…

Security is probably not an issue for you (unless you are trying to avoid tracking of what you view online).

If you're making a payment on a
Wild Apricot site…

Your credit card data and private information is always protected.

Using traffic encryption can also improve the Google ranking of your site. For more information, click here.

How do I get secure access to my site?

For Wild Apricot domains (sites that use wildapricot.org), you simply add an s after the http in your website address (e.g. https://nycs.wildapricot.org/  instead of   http://nycs.wildapricot.org/  ). To enforce secure access throughout your site, you need to set your traffic encryption options (see below).

 Read more/less

Do not include www in the URL (e.g.  https://nycs.wildapricot.org/   not  https://www.nycs.wildapricot.org/  ).

What if I use a custom domain?

If your site uses a custom domain name (such as   www.nycs.net  instead of  nycs.wildapricot.org ), you need to purchase a security certificate to fully secure your site. Without a security certificate installed on your Wild Apricot, you should not set your traffic encryption to Always.


Before you buy a certificate, you need to follow certain steps so we can provide you the certificate signing request (CSR) that you need to give your domain provider or certificate authority. After you receive your certificate, Wild Apricot staff will install it on your site for a small fee. For details and pricing, see  Securing custom domains (below).

If you don't want to purchase a security certificate, you can switch your primary domain name to the wildapricot.org domain, which is already secured by a security certificate. For instructions on switching domain names, see Domain name management.

What if I use another Wild Apricot domain?

If your site is using another Wild Apricot domain – such as camp7.org, camp8.org, camp9.org, cloverpad.org, memberlodge.com, memberlodge.org, onefireplace.com, onefireplace.com, roundtablelive.org, or shuttlepod.org – you cannot fully secure your site without switching your primary domain to the wildapricot.org version of your site. Setting your traffic encryption to Always will produce errors and security warnings with these domains. 

You should consider setting the wildapricot.org version of your site as the primary domain from the  Domain name management screen. You could then set the traffic encryption on your site to Always .  You would then need to inform your members about the new URL for your site. For instructions on switching domain names, see Domain name management.

Traffic encryption options

If you want to enforce secure access, you can automatically redirect visitors to your site to a secure URL. You can redirect visitors always, or just when filling out Wild Apricot forms.

 Read more/less

Whatever settings you choose, visitors can always use the secure URL to access your site (by adding an s after the http in the website address).

To control when visitors to your site are redirected to a secure URL, follow these steps:

  1. Click Settings.
  2. Under Security, click Traffic encryption (HTTPS/SSL).
  3. Choose when you want to redirect visitors to the secure URL.


    Level of security




    All http page requests will be redirected to the encrypted https page. There are some limitations that you should be aware of (see below).



    Do not select this option if you are using, as your primary domain, a custom domain   that does not have its own security certificate installed on your Wild Apricot site, or if you have memberlodge.org, memberlodge.com, or camp.org set as your primary domain.

    Forms only


    Only pages containing Wild Apricot forms (such as membership applications and event registrations but not login form gadgets) will be redirected to the secure URL. Once redirected to a secure URL, the visitor will not be redirected back to an insecure page within the current session. Members will be directed to a secure URL once they log in. You should choose this option if your site links to external resources (e.g. graphics or stylesheets) that are stored on a website that is not secured (uses http instead of https). See below for limitations.

    Payments only


    Online payments will be processed on secure pages, but while on your site, visitors will never be redirected to your site's secure URL. Visitors can, however, use the secure URL at any time to access the site. Once a member logs in from a secure page, the member will stay on secure pages for the remainder of the current session.

  4. Click Save.

Regardless of what settings you choose, payments on Wild Apricot sites are always encrypted and handled via a separate secure URL ( https://payments.wildapricot.com ).

Securing custom domains

To secure a custom domain (such as  www.nycs.net  instead of nycs.wildapricot.org), you need to purchase a custom security certificate that Wild Apricot staff can install on your site. After that, you can set your traffic encryption to Always.


If you use a custom domain without purchasing a security certificate, visitors who access your site by manually entering https will typically see a security warning displayed by their browser stating that your custom domain name doesn't match the security certificate (which is issued by Wild Apricot). They can ignore it and use the site but may be scared away by the warning.

Obtaining a free security certificate using Let's Encrypt

Let's Encrypt offers free security certificates for custom domains. Since installing security certificates from Let's Encrypt is simpler than installing certificates from other vendors, Wild Apricot does not charge an installation fee or a renewal fee for security certificates from Let's Encrypt.

To get a security certificate from Let's Encrypt installed on your Wild Apricot site, have a full account administrator send an email requesting a security certificate from Let's Encrypt to Wild Apricot support, and include your custom URL and Wild Apricot account number in the message. We'll let you know once it's installed.

Obtaining a security certificate from any other vendor

The cost of a one-year security certificate from a vendor other than Let's Encrypt begins around $100. To install the security certificate from a vendor other than Let's Encrypt on your custom domain, we charge an initial fee of $50 and a renewal fee of $50.

The steps involved in purchasing and installing a custom security certificate from a vendor other than Let's Encrypt are as follows:

 Read more/less
  1. Choose a security certificate vendor. (For instructions on purchasing a security certificate from DigiCert, click here.)


    You should avoid purchasing certificates from WoSign and StartCom. They are no longer considered to be trusted authorities. For details, click here.

  2. Have a full account administrator send an email to Wild Apricot support and provide the following information:
    • Country/region Name (2 letter code) – you can find your two-digit country code at: www.digicert.com/ssl-certificate-country-codes.htm
    • State/province (full name)
    • City
    • Organization name – The legally registered name of your organization/company (maximum 64 symbols, including spaces).
    • Organizational unit name – The name of your department within the organization (frequently this entry will be listed as "IT," "Web Security," or is simply left blank).
    • Common name – The name/domain through which the certificate will be accessed (usually the fully-qualified custom domain name e.g. www.domain.com. Note some vendors might not generate the SSL certificate for both www.domain.com and domain.com, so be sure to specify the main domain you would like to use).
    • Email Address
  3. Our support representative will generate and email you a CSR (Certificate Signing Request). You can use the CSR to order an SSL certificate from your vendor.


    For security reasons, we cannot accept the sharing of the SSL private keys, or install on our servers SSL certificates that were not based on our Certificate Signing Requests (CSRs).

  4. Visit your vendor's website and use the CSR to order your certificate. Make sure the SSL certificate you purchase is for Apache or Nginx, and make sure your vendor includes the following statements in the SAN (Subject Alternative Name) section of the certificate so that it applies to your website's URL with and without the www:

  5. After receiving the SSL certificate from your vendor, email it to us – usually it is an archive file or CRT/CER files provided by certificate vendor – and separately send the intermediate certificate file.
  6. After we receive the certificate from you, we'll install it on your website and let you know when we're done.
  7. Finally, we will instruct you to update your custom domain's DNS settings . We'll provide the details but you'll need to contact your domain name provider, or access your domain registrar account online, to perform this step.

Once the process is complete, we'll invoice you for the installation fee.

Secure site seals

When you purchase a security certificate from a vendor, you are usually entitled to display the branded seal on your site to let visitors know your site is secure.

 Read more/less

For information on obtaining the HTML code to display the seal on your site, visit your vendor's website. The following links provide information on obtaining the code from some of the more popular vendors:


Visitors to your website may encounter problems establishing or maintaining a secure connection if the page includes references to resources stored at a site that begins with http rather than https. These resources could include:

 Read more/less
  • external graphics
  • external stylesheets
  • third-party widgets
  • JavaScript files
  • YouTube videos
  • internal resources identified using an absolute reference that begins with http

In these cases, the browser may block content, generate an error message,

or display an icon indicating that the page is not completely secure.

The traffic to and from your site will remain encrypted, but the unsecured resources could be viewed by a third party.