You can provide secure access to your website using traffic encryption. Traffic encryption is available for all Wild Apricot domains (sites that use wildapricot.org). You can make secure access optional, or you can choose to automatically redirect visitors to a secure URL. You can redirect visitors always, or just when filling out Wild Apricot forms.
To protect yourself and your members, Wild Apricot will be requiring traffic encryption for all our client sites. This means that all site pages and all page content must use URLs that begin with HTTPs rather than HTTP. For more information, click here.
What is traffic encryption?
Traffic encryption, known officially as hypertext transfer protocol secure (HTTPS), is a method of securing the transmission of information to and from a website.
It ensures the security of website traffic by encrypting the information being transmitted, and by using security certificates to identify and authenticate the website. This is the same technology used by banks worldwide to secure their online banking sites.
To communicate with a website through a secure, encrypted channel, you use a URL (website address) that begins with https rather than http. Once a secure channel has been established, your browser may display a padlock icon in the address bar or the status bar.
![https://cdn.elev.io/file/uploads/jEC8HySvDwISUdSg8iqChOB9kMRsiM1RCnIFiA0173M/79Ah729VbBHCZ4mLvvGgfhCwxRWjiNOvgPldYO1iMgo/lock_icon-5l0.png https://cdn.elev.io/file/uploads/jEC8HySvDwISUdSg8iqChOB9kMRsiM1RCnIFiA0173M/79Ah729VbBHCZ4mLvvGgfhCwxRWjiNOvgPldYO1iMgo/lock_icon-5l0.png](https://cdn.elev.io/file/uploads/jEC8HySvDwISUdSg8iqChOB9kMRsiM1RCnIFiA0173M/79Ah729VbBHCZ4mLvvGgfhCwxRWjiNOvgPldYO1iMgo/lock_icon-5l0.png)
Do I need to use traffic encryption?
If you access the internet over a unsecured Wi-Fi connection, you run the risk of someone intercepting the data you are sending and receiving.
This becomes a real security threat if you are an administrator managing a Wild Apricot website. Visitors who submit private information to your website via online forms (e.g. membership applications, event registrations) may also feel more comfortable knowing the traffic is secured.
If you're an administrator…
You wouldn't want someone to steal your credentials and access your membership list.
If you're filling out a form…
You might want to encrypt the data to be on the safe side, even though the chances of someone intercepting your personal information are low.
If you're just visiting the site…
Security is probably not an issue for you (unless you are trying to avoid tracking of what you view online).
If you're making a payment on a Wild Apricot site…
Your credit card data and private information is always protected.
Using traffic encryption can also improve the Google ranking of your site. For more information, click here.
How do I get secure access to my site?
For Wild Apricot domains (sites that use wildapricot.org), you simply add an s after the http in your website address (e.g. https://nycs.wildapricot.org/ instead of http://nycs.wildapricot.org/ ). To enforce secure access throughout your site, you need to set your traffic encryption options (see below).
Do not include www in the URL (e.g. https://nycs.wildapricot.org/ not https://www.nycs.wildapricot.org/ ).
What if I use a custom domain?
If your site uses a custom domain name (such as www.nycs.net instead of nycs.wildapricot.org ), you need to obtain a security certificate to fully secure your site. Without a security certificate installed on your Wild Apricot, you should not set your traffic encryption to Always.
You can get a free security certificate from Wild Apricot, or you can purchase one yourself from a domain provider or certificate authority. For details on obtaining a security certificate, see Securing custom domains.
If you don't want to get a security certificate, you can switch your primary domain name to the wildapricot.org domain, which is already secured by a security certificate. For instructions on switching domain names, see Domain name management.
What if I use another Wild Apricot domain?
If your site is using another Wild Apricot domain – such as camp7.org, camp8.org, camp9.org, cloverpad.org, memberlodge.com, memberlodge.org, onefireplace.com, onefireplace.com, roundtablelive.org, or shuttlepod.org – you cannot fully secure your site without switching your primary domain to the wildapricot.org version of your site. Setting your traffic encryption to Always will produce errors and security warnings with these domains.
You should consider setting the wildapricot.org version of your site as the primary domain from the Domain name management screen. You could then set the traffic encryption on your site to Always . You would then need to inform your members about the new URL for your site.
Traffic encryption options
If you want to enforce secure access, you can automatically redirect visitors to your site to a secure URL. You can redirect visitors always, or just when filling out Wild Apricot forms.
Whatever settings you choose, visitors can always use the secure URL to access your site (by adding an s after the http in the website address).
To control when visitors to your site are redirected to a secure URL, follow these steps:
- Within the Website module, click Settings.
- Under Website security, click Traffic encryption (HTTPS/SSL). If you don't see this option, its because your traffic encryption has already been set to Always, which is required now for site security.
- Choose when you want to redirect visitors to the secure URL.
Always
All http page requests will be redirected to the encrypted https page. Do not select this option if you are using, as your primary domain, a custom domain that does not have its own security certificate installed on your Wild Apricot site, or if you have memberlodge.org, memberlodge.com, or camp.org set as your primary domain.
Forms only
Only pages containing Wild Apricot forms (such as membership applications and event registrations but not login form gadgets) will be redirected to the secure URL. Once redirected to a secure URL, the visitor will not be redirected back to an insecure page within the current session. Members will be directed to a secure URL once they log in. You should choose this option if your site links to external resources (e.g. graphics or stylesheets) that are stored on a website that is not secured (uses http instead of https).
Payments only
Online payments will be processed on secure pages, but while on your site, visitors will never be redirected to your site's secure URL. Visitors can, however, use the secure URL at any time to access the site. Once a member logs in from a secure page, the member will stay on secure pages for the remainder of the current session. - Click Save.
Regardless of what settings you choose, payments on Wild Apricot sites are always encrypted and handled via a separate secure URL (https://payments.wildapricot.com).
Limitations
Visitors to your website may encounter problems establishing or maintaining a secure connection if the page includes references to resources stored at a site that begins with http rather than https. These resources could include:
- external graphics
- external stylesheets
- third-party widgets
- JavaScript files
- YouTube videos
- internal resources identified using an absolute reference that begins with http
In these cases, the browser may block content, generate an error message,
![https://cdn.elev.io/file/uploads/jEC8HySvDwISUdSg8iqChOB9kMRsiM1RCnIFiA0173M/AKccRh-8-1BgzZJtLZqjT0gk1-OhgquwIHrvFRtEFYY/firefox_security_warning-YP0.png https://cdn.elev.io/file/uploads/jEC8HySvDwISUdSg8iqChOB9kMRsiM1RCnIFiA0173M/AKccRh-8-1BgzZJtLZqjT0gk1-OhgquwIHrvFRtEFYY/firefox_security_warning-YP0.png](https://cdn.elev.io/file/uploads/jEC8HySvDwISUdSg8iqChOB9kMRsiM1RCnIFiA0173M/AKccRh-8-1BgzZJtLZqjT0gk1-OhgquwIHrvFRtEFYY/firefox_security_warning-YP0.png)
or display an icon indicating that the page is not completely secure.
![https://cdn.elev.io/file/uploads/jEC8HySvDwISUdSg8iqChOB9kMRsiM1RCnIFiA0173M/UfavU5hIU-OVigkYy14XJPVIRXYgu0D8N8fOhz0_RHc/insecure_resources-jIY.png https://cdn.elev.io/file/uploads/jEC8HySvDwISUdSg8iqChOB9kMRsiM1RCnIFiA0173M/UfavU5hIU-OVigkYy14XJPVIRXYgu0D8N8fOhz0_RHc/insecure_resources-jIY.png](https://cdn.elev.io/file/uploads/jEC8HySvDwISUdSg8iqChOB9kMRsiM1RCnIFiA0173M/UfavU5hIU-OVigkYy14XJPVIRXYgu0D8N8fOhz0_RHc/insecure_resources-jIY.png)
The traffic to and from your site will remain encrypted, but the unsecured resources could be viewed by a third party.