7 Steps to Protect Your Members’ Data (+ Downloadable Checklist)

Author: Kate Hawkes
May 10, 2019

Whether your organization is planning to get started with a website, or you’ve been using online event registrations and membership applications for years, keeping the data you work with secure is part and parcel of having a website.

If, like us, you hear stories about data being misused by online criminals almost every day, it can be worrying to know that if you haven’t secured your website, the data belonging to your organization and members could be at risk too.

The good news is that you don’t need technical expertise to get started with changing that. We’ve made a list of 7 key steps to make your website more secure, many of which only take a few clicks to set up.

In this post, we’ll show you how to take these steps in your WildApricot account, but most of these tips apply even if you don’t have an account with us.

Read on to find out how to:

- Set up a member contact form
- Apply Captcha anti-spam settings
- Allow members to review their privacy settings
- Limit access to certain pages
- Make your website GDPR-compliant
- Secure your domain – SSL certificate
- Secure your domain – traffic encryption

You can download our printable checklist so you can check off these steps as you work through them. The checklist also includes 4 bonus tips to help keep your WildApricot account secure.

1. Set up a member contact form

Why you might need this: If you want a way for site visitors to contact members without publicly publishing their email addresses on the website, you can add a member directory gadget that uses a member contact form with a Send message button instead of their contact details. This will help prevent your members from being targeted by spammers.

Here’s how:

Add a member directory gadget to your site.
Find the page you want the directory to appear on, click the Gadgets icon and drag the member directory gadget onto the page.

Visitors to your site can view a member’s profile by clicking on the member’s listing within the member directory. You can restrict what information they see and which members are listed by adjusting the Member directory settings.

You can enable or disable the member contact form for all members, existing and future (other than those added through import), by clicking on the Settings menu in your WildApricot account, selecting Privacy, and going to the Members section.

You can enable or disable the member contact form for particular members in their individual contact records.

Members can choose to enable or disable the contact form for their own account by clicking on the Privacy link in their member profile.

For full instructions see this Help Site article.

2. Apply Captcha anti-spam settings

Why you might need this: If you’re enabling member contact forms, or other forms such as event registration or donation, WildApricot’s anti-spam Captcha feature helps prevent spambots (automated software) from bombarding your members with emails. The Captcha feature helps prevent this by requiring visitors to your site to enter a set of characters, proving they’re a person rather than a program.

Here’s how:

For the following forms, the Captcha message is always enabled for visitors and can be enabled for members:

- Send message form
- Blog post/comment
- Forum topic/reply
- Subscription form

For the following forms, the Captcha message can be enabled or disabled for visitors:

- Event registration
- Member application
- Donation
- Forgot password page

Select Security from the Settings menu, and go to Anti-spam settings. You can choose to enable the Captcha feature on these forms for either visitors, members, or both.

For full instructions see this Help Site article.

3. Ask members to review their privacy settings

Why you might need this: If you want your members to be able to decide what information about them is visible to site visitors or other members. Restricting access to member data such as mailing address or phone number can help make sure this information isn’t misused.

Here’s how:

Members can log in to their profile and click the Privacy link to specify which fields are visible to everyone, visible to other members, or hidden from everyone else.

If you don’t want members to be able to change their privacy settings for a particular field, click the Lock changes checkbox for that field.

These settings apply to their listing in the member directory and on their directory profile page. A member can hide their public profile altogether by unchecking the Allow to show profile option.

For full instructions see this Help Site article.

4. Limit access to certain pages

Why you might need this: If you have pages that you want to only be visible to members, certain levels or groups, or even just to administrators. This might apply to your member directory, member location mapping gadget, or featured member gadget, for example.

Here’s how:

On the page you want to limit access to, click the Edit button.

Under Access level, select the Restricted option. Check the boxes next to the membership levels or groups you want to access the page.

You can hide pages from your website menu — under Position in menu, select the Not in menu option.

For full instructions see this Help Site article.

5. Make your WildApricot site GDPR-compliant

Why you might need this: The General Data Protection Regulation is a set of rules introduced in 2018 that gives EU citizens better control over their data. GDPR applies to any organization that offers goods or services to EU citizens or collects information from them. For example, that means a US-based organization that collects data from EU citizens would need to comply with GDPR.
Here’s how:

The exact requirements for being GDPR compliant depend on your organization’s circumstances, so be sure to seek legal advice concerning your specific obligations. Generally, the steps you might need to take include:

- Limiting the personal data you collect from members
- Confirming you have a lawful basis for all your processing activities
- Developing an updated, GDPR-compliant privacy policy
- Providing your privacy policy whenever and wherever personal data is collected
- Obtaining consent from data subjects for the processing of their personal data where consent is the lawful basis for processing
- Preparing to respond to data subject requests pursuant to GDPR

For more complete instructions see this Help Site article.

6. Secure your domain — SSL certificate

Why you might need this: Once you have a security certificate installed, visitors will see a padlock and an https URL. Without these, many website visitors may not feel comfortable entering information on your site, and they may receive a warning message from their browser (e.g. “not secure” or “connection not private”).

If you have a custom domain address, e.g., http://nonprofitexample.com rather than http://nonprofitexample.wildapricot.org, you need to have an SSL certificate installed to secure your custom domain. Any sites with a WildApricot domain automatically have an SSL certificate installed.

Here’s how:

You can get a Let’s Encrypt security certificate for free, and WildApricot will install it for you.

To get a certificate, a full account administrator for your organization needs to send an email to WildApricot support requesting a Let’s Encrypt security certificate. Include your custom URL and WildApricot account number in the email.

You can see an infographic of how to get a Let’s Encrypt certificate by clicking here.

For full instructions see this Help Site article.

7. Secure your domain — Traffic encryption

Why you might need this: Traffic encryption is a method of securing the transmission of information to and from a website. Without traffic encryption, you run the risk of someone intercepting the data you are sending and receiving. This is particularly important if your visitors are filling out forms, or if you’re an administrator and you want to make sure people can’t access data such as your membership list.

As long as you have an SSL certificate installed on your site, you and your members can choose to use an https URL that uses traffic encryption, but to enforce secure access you can change your settings so any URL for your site automatically redirects to https.

Here’s how:

WildApricot provides free encrypted access to wildapricot.org domains, e.g. https://nonprofitexample.wildapricot.org. If you use a custom domain name, e.g. nonprofitexample.com, you’ll need to install an SSL certificate first (step 6).

To automatically redirect visitors to your site to a secure URL, click Settings, then the Security option. Click Traffic encryption (HTTPS/SSL), and choose whether to redirect to the secure URL either always, only for forms, or only for payments.

For full instructions see this Help Site article.

Read More: 6 Data Security Practices For Nonprofits in The Digital Age