HelpSpa.com

Wild Apricot – Review – Significant Administrative, Security and Privacy Limitations

October 11, 2010 | David | Other | 8 comments

I have a very small member website and I use Wild Apricot to manage it. Generally speaking I’m pleased with the Wild Apricot product, support and pricing. There are, however, some significant limitations that you should know about before using their service:

1. No Truly Protected Files and Links. Wild Apricot lets you build a private member area where pages are restricted so that only registered members can view them. In my organization I wanted to give my members access to certain documents. The problem is that although you can limit access to the page containing the links to the downloads, you cannot protect the downloads themselves.

For example, say you have a membership page with a link to your club by-laws. You can make the page that carries this link accessible only to people who are logged in, but the link itself is still a “regular link”, i.e. www.yoursite.com/subdirectory/filename.doc. So while only people who can log in can see the link, the file is still accessible to anyone who knows of its existence.

2. No robots.txt. A publicly accessible link would be a workable problem if you could at least prevent search engines from indexing the content. Those of you who have dabbled in SEO know that you can put a robots.txt file in the root directory of a website, which tells a search engine what content it should and should NOT put in its listings. The last thing I would want is for someone to search generically for the words “by-laws” and somehow come up with mine! Realistically it is not a big deal if someone who isn’t a member of my organization stumbles upon my by-laws; there are no secrets there. The real problem is a truly private document turning up in an accidental Google search.

I discussed the problem with Wild Apricot tech support, who were very friendly and responsive; to make a long story short, they said that I cannot put a robots.txt in the root directory (as the SEO people out there know, a robots.txt belongs in the root directory).

So because I am unable to create a private, members-only link through which my members can view documents, and because I cannot effectively block search engines from finding these private documents, I cannot use Wild Apricot as a place to store and provide documents for my members. (In fairness to Wild Apricot, even with a robots.txt file in the root directory, you cannot guarantee that every search engine will respect it; robots.txt is NOT a foolproof method of securing your documents.) Wild Apricot tech support suggested I use a third-party site for securely storing my organization’s documents.
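To make the point concrete, here is an added example (my own illustration, not Wild Apricot’s code or anything the service offers) of how a web application can hand out member documents without ever exposing them as a plain URL: the files live in a directory outside the web root, the handler checks the caller’s session before reading anything, and the requested name is confined to that directory. It also covers the suggestion in the comments that private files should be served only after authentication. The `robots_txt` helper is there to show that robots.txt is advisory, not access control. The session store, the temporary document directory and the `/members/download/` route are assumptions made for the example.

```python
import tempfile
from pathlib import Path

# Constructed sample: a private document store OUTSIDE the web root, so the
# web server never exposes its contents as a plain URL (hypothetical layout).
STORE = Path(tempfile.mkdtemp(prefix="members_docs_"))
(STORE / "by-laws.doc").write_bytes(b"Club by-laws (constructed sample)")

# Hypothetical session records as the site's login would produce them (constructed).
SESSIONS = {
    "sess-member": {"user": "alice", "member": True},
    "sess-guest": {"user": "bob", "member": False},
}


def serve_private_file(session_id, filename):
    """Return (status, body) for GET /members/download/<filename>.

    Deny by default: no session -> 401, non-member -> 403. The file is read
    only after the check passes, so a leaked link is useless without a
    valid member session.
    """
    session = SESSIONS.get(session_id)
    if session is None:
        return 401, b"login required"
    if not session["member"]:
        return 403, b"members only"
    # Resolve the name and insist it lands directly inside STORE; this rejects
    # "../" traversal, absolute paths and sub-directories alike.
    target = (STORE / filename).resolve()
    if target.parent != STORE.resolve() or not target.is_file():
        return 404, b"not found"
    return 200, target.read_bytes()


def robots_txt(download_path="/members/download/"):
    """robots.txt only asks well-behaved crawlers to skip the route.

    It is public and purely advisory, which is why the access check above
    has to exist regardless of what this file says.
    """
    return f"User-agent: *\nDisallow: {download_path}\n"


if __name__ == "__main__":
    print(serve_private_file("sess-member", "by-laws.doc"))
    print(serve_private_file(None, "by-laws.doc"))
    print(robots_txt())
```

Because the link members see now points at a route rather than a file, a member who emails it to a non-member hands over nothing the server will honour without a member session, which is the difference between hiding a URL and protecting a document.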

3. No Tiered or Tailored Levels of Administrator Access. Wild Apricot’s system is set up such that you either have full administrative privileges or none at all. In my organization I wanted a setup whereby certain officers could log in and perform certain administrative tasks, with access restricted to exactly what those officers need for their job. The last thing I need is an administrative member logging into the site and accidentally modifying critical settings. One of the core principles of system design is to always grant the most restrictive access that still gets the job done (the principle of least privilege), and this system does not follow that principle.
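As an added illustration of the tiered access the article is asking for (my own sketch, not Wild Apricot’s administration model), here is a small role-to-permission scheme in which an officer’s role grants only the actions that job needs, and a sensitive operation refuses anyone without the specific permission. The role and permission names are invented for the example.

```python
from enum import Enum


class Perm(Enum):
    """Fine-grained actions an administrator might need (hypothetical set)."""
    VIEW_MEMBERS = "view_members"
    EDIT_MEMBERS = "edit_members"
    MANAGE_EVENTS = "manage_events"
    EDIT_SITE_SETTINGS = "edit_site_settings"


# Hypothetical roles, each limited to what the job actually requires.
# Only full_admin can touch site-wide settings.
ROLES = {
    "full_admin": set(Perm),
    "membership_officer": {Perm.VIEW_MEMBERS, Perm.EDIT_MEMBERS},
    "events_officer": {Perm.VIEW_MEMBERS, Perm.MANAGE_EVENTS},
    "member": set(),
}


def permissions_for(roles):
    """Union of the permissions granted by a user's roles; unknown roles grant nothing."""
    granted = set()
    for role in roles:
        granted |= ROLES.get(role, set())
    return granted


def authorize(user_roles, perm):
    """True only if some role held by the user explicitly grants perm."""
    return perm in permissions_for(user_roles)


def change_site_settings(user_roles, new_settings, current_settings):
    """Critical operation guarded by an explicit permission check.

    An events officer who mistypes a URL or clicks the wrong menu item gets
    a PermissionError here instead of silently rewriting the site config.
    """
    if not authorize(user_roles, Perm.EDIT_SITE_SETTINGS):
        raise PermissionError("edit_site_settings permission required")
    updated = dict(current_settings)
    updated.update(new_settings)
    return updated


if __name__ == "__main__":
    print(sorted(p.value for p in permissions_for(["events_officer"])))
    try:
        change_site_settings(["events_officer"], {"site_name": "Oops"}, {"site_name": "Club"})
    except PermissionError as err:
        print("denied:", err)
```

The important design choice is deny-by-default: a role grants nothing unless listed, and a misspelt or unknown role name silently grants nothing rather than everything.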

Wild Apricot is a very good product that does a good job of what it’s supposed to do, at least for most of my purposes. As with any system there are limitations, and this article reviewed some of those limitations. If these issues are a problem for you then you should consider another product, but if these three issues are not a concern for you or your organization, I think that for the price point Wild Apricot is a great choice (note that they also have a free, ad-sponsored trial version so you can see for yourself whether it works for you).

  • Thanks for writing about our product!
    A few comments:
    1) If your files are not linked on any public pages, there is no way for search engines to find and index them. So people (or search engines) can only access them if they know the exact path and filename. So robots.txt is not a security helper by any stretch (which you said yourself). In fact, I’ve heard of hackers specifically looking up robots.txt files (which are public) to see if they can find links to any juicy directories/files which the webmaster decided to protect from the prying eyes of search engines.

    2) We do plan to add file-level security to our system – it is on our roadmap, though a timeline has not been finalized.

    3) We do have a number of different administration roles for security access – this is available to some paid plans only. See http://help.wildapricot.com/display/DOC/Managing+site+administrators

    Cheers!

    Dmitry Buterin

  • Well, I think it’s important to be fair and I appreciate you replying directly. It’s a welcome change from most companies!

    I spoke directly to your tech support about the situation in point 1) and they told me that this was not the case. It was my understanding that the resources directory (containing the files) can still be accessed by search engines. Am I wrong? Is content stored in the /resources directory 100% safe from being indexed? This is not the feeling I received from your tech team.

    And granted it will not be easy to find that link, but the problem remains that the link is available regardless. What’s to prevent a member from emailing the direct link to a non-member?

    2) Fair enough. But it doesn’t currently exist and as such remains a security concern for those who are affected.

    3) I have the first-level paid plan, so my comments are based on that specific level.

  • Steve

    Is there really nothing stopping a malicious user from posting a link to any of these files online? If someone links to a file then there is nothing stopping it from showing up in the search engine results. Email, facebook, twitter, forums etc. This is a big problem for paid software.

    Private files should not be stored in a web accessible directory; you should make your web application serve these files after the user is authenticated.

    robots.txt should be available but I agree it’s not the place for limiting access.

  • And that’s why I was surprised.

  • Perhaps putting the files on Amazon S3 would work? You could limit access that way using their security settings.

    It is also a good idea to put a rel="nofollow" on any links that you do not want Google to index.

    Peter

    • It would work — but IMHO — the whole point of paying for a management service like Wild Apricot is to have everything integrated. Adding S3 adds another layer of complexity, security and cost. Granted it’s not that much more complex, but it’s an extra step that really shouldn’t have to be done.

  • I was recently asked to review the security of Wild Apricot and have concerns as well. I took a quick look and saw that they were allowing users to login with cleartext (HTTP) usernames and passwords. I wrote to them asking when we would see a fix and have received disappointing replies that show they do not think using SSL is a serious enough issue to prioritize a fix.

    The service looks pretty good but until this issue is corrected I am advising clients that care about protecting their customers to find another service.

  • David

    A better option is Ultimate Web Builder. You can set member access pages and also keep your downloads secure.

