Google has changed the way its Chrome browser displays unencrypted pages. (Unencrypted pages are less secure than encrypted pages, and begin with HTTP rather than HTTPS.) Depending on how your Wild Apricot site is set up, this may affect how your site appears to visitors using Chrome.
Wild Apricot is not making these changes, Google is. We are only alerting you, and providing you with options for dealing with them.
How were these pages previously displayed?
For HTTP pages, Chrome previously displayed an information icon within the address bar.
Visitors to the page could click the icon to view information about the pages, including security details.
Now, pages that use HTTP and collect passwords or credit card information are labelled by Google as insecure. The phrase Not secure appears ahead of the page address within the address bar.
In subsequent releases, Google will add a red error icon to the Not secure warning, and will begin displaying this warning for all HTTP pages, regardless of whether the pages collect passwords or credit card information.
What should you do now?
If you’re not using a custom domain, or using a custom domain with a security certificate:
You should set the traffic encryption on your site to Always.
(Custom domains looks like nycs.net rather than nycs.wildapricot.org.)
If you’re using a custom domain without a security certificate:
Option #1: Get a security certificate
You can a security certificate (aka SSL certificate) installed on your Wild Apricot site, then set the traffic encryption on your site to Always. Do not set your traffic encryption to Always until the certificate is installed.
Until you get the security certificate installed on your site, you should set the the traffic encryption on your site to Forms only. That way, only pages with login boxes would be flagged as insecure – until Google implements the second phase of their plan and flags all HTTP pages as insecure.
You can purchase a security certificate from a certificate authority or you can ask Wild Apricot to install a free certificate from Let's Encrypt. If you plan on purchasing a security certificate, be sure to follow these instructions before you buy anything, so that we can provide you the certificate signing request (CSR) that you need to give your domain provider or certificate authority. To install the security certificate from a vendor other than Let's Encrypt, we charge an initial fee of $50 and a renewal fee of $50.
Option #2: Switch your primary domain to wildapricot.org
If you don't want to go through the effort of obtaining a security certificate, you can switch your primary domain name to the wildapricot.org version of your site, then set the traffic encryption on your site to Always. Visitors to your site can continue to access your site using your custom domain name, but when they get there, the address bar on their browser would display your wildapricot.org domain name. So, visitors would start with your custom domain and end up on the wildapricot.org domain, but with all pages fully secure and no need for a security certificate.
To switch your primary domain name, click the Settings menu then click Domain name under Site settings, then click the Set as primary link beside the wildapricot.org domain.
If you're using a memberlodge.org or camp.org domain rather than wildapricot.org:
You cannot set your traffic encryption to Always if you using one of these as your primary domain. You should consider switching to wildapricot.org by setting the wildapricot.org version of your site as the primary domain from the Domain name management screen, then set the traffic encryption on your site to Always. You would then need to inform your members about the new URL for your site (whatever.wildapricot.org instead of whatever.memberlodge.com).
For further information, contact our our Support department.