payments.wikimedia.org is HTTPS only. So how about enabling HTTP Strict Transport Security?
what you need for this:
- ensure mod_headers is loaded in Apache
- a config line like: Header set Strict-Transport-Security "max-age=31536000"
before we did this on other services csteipp recommended to start with a lower max-age, like one week, and then raise it to 1yr. qualys ssl check will like you only if it is at least 6 months or it will call it "too short"
careful, because this can't be reverted