How to Remove ā€œNot Secureā€ Warning From the Login & Admin Page?

by

7-layers of Security for Your WordPress Site

Your website needs the most comprehensive security to protect it from the constant attacks it faces everyday.

WordPress Login Not Secure

Is your WordPress login not secure? Does it disappear once you have gained access or does it appear only after that?

All these are common issues, but you have the power to resolve them. This guide will take you through the steps to address this warning and fortify your WordPress site with SSL certificates and HTTPS.

TL;DR: Your browser flags your WordPress login page as ā€˜Not Secureā€™ when it cannot find an SSL certificate on your site, or when it doesnā€™t trust the certificate if it exists. Refresh your siteā€™s SSL certification and pair it with a robust security plugin like MalCare to strengthen your siteā€™s security.

Why is my WordPress login not secure?

Your WordPress login says ‘Not Secure’ warning if your site does not have an SSL certificate, or if it is either improperly configured or has expired.

WordPress login page not secure warning

The SSL certificate is required to encrypt the data sent to and from your site. This lends security to the HTTP communication protocol and upgrades it to HTTPS. The ā€˜Not Secureā€™ warning on your login page indicates that it is not using the HTTPS protocol.

HTTPS also gives your login page a padlock icon next to its address, showing that it is secure and trustworthy. If your login page has a ā€˜Not Secureā€™ label instead, it can deter users from logging in to the dashboard. This issue can be easily resolved in ways that we will show in the following sections.

How to fix WordPress login not secure warning?

The following steps outline the ways in which you can remove the WordPress login not secure warning. They have also been explained in detail afterward.

  1. Back up your site
  2. Check your site for an SSL certificate
  3. Install an SSL certificate
  4. Fix existing SSL certificate
  5. Clear all your caches
  6. Verify if the ā€˜Not Secureā€™ warning has disappeared

1. Backup your site

The first and foremost thing to do before trying to fix the WordPress login not secure warning is to back up your WordPress site. While our steps are comprehensive and deal with all possible issues, creating a backup is still important as you can recover your site data easily in the unforeseen event that something goes wrong.

2. Check your site for an SSL certificate

Once you have backed up your site, the next thing you need to do is to check if an SSL certificate exists on it or if it has expired. This can be done simply by checking your site URL on an online SSL checker tool, like SSLShopper. This gives you all the details about your siteā€™s SSL certification.

checking if SSL is installed using SSLshopper

3. Install an SSL certificate

If the results from the previous step show that you do not have an SSL certificate, then follow the steps on how to install an SSL certificate in WordPress. However, if your site does have an SSL certificate, you can skip this step and move on to the next one.

4. Fix your existing SSL certificate

If you already have an SSL certificate on your WordPress site and are still seeing a ā€˜Not Secureā€™ warning while trying to log in, it could be due to either an expired or an improperly configured SSL certificate.

If your existing SSL certificate has expired, you will need to get in touch with the certificate authority (CA) that issued it and have it renewed. Usually, CAs have their renewal plans laid out well for you to go through and they might also send you certificate expiry notifications in advance.

If your existing SSL certificate is still valid, it might be that it is not properly configured. In that case, follow the steps mentioned here:

1. Force your login page to use HTTPS using a plugin

Using plugins to configure an SSL certificate on your WordPress site is the easiest way to remove the ā€˜Not Secureā€™ warning from the entire site, including the login page. Multiple plugins are available to do so, like WP Encryption, SSL Zen, etc., but we recommend using Really Simple SSL.

  1. Install and activate Really Simple SSL from your WordPress siteā€™s admin dashboard.
  2. Go to Settings and then to SSL. This is your Really Simple SSL dashboard, which shows all possible issues with your site.
ReallySimpleSSL dashboard pre-SSL
  1. Click on Activate SSL. A pop-up appears with information you should know before going ahead.
Things to check before migrating to ssl
  1. Click on Activate SSL again. This sets up your site with an SSL certificate in just a few minutes.
    Note: You may be logged out of the admin dashboard.
Really Simple SSL post-activation pop-up

2. Force your login page to use HTTPS manually

If you used a plugin like Really Simple SSL for installation, it would have taken care of this for you. However, if the certificate was installed in an alternative way, you can try the manual method of fixing this issue. Please note that we do not recommend this method as it carries the scope of making errors that could hamper your site.

To force your login page to use HTTPS manually, you can perform the following steps either through Secure Shell (SSH) or through File Transfer Protocol (FTP).

Using SSH

Use Command Prompt, if you are a Windows user, or Terminal, if you are a Mac user, for these steps.

  1. Obtain your WordPress site serverā€™s SSH credentials from your site host.
  2. Log into your WordPress siteā€™s server using SSH with the following command, replacing user_name and ipaddress with the credentials for the server:
ssh user_name@ipaddress

Enter your password when prompted.

  1. Enter the following command to list all the files:
ls -a
  1. You should see the wp-config.php file. Enter the following command to open it in an editor:
vi wp-config.php
  1. Hit i to edit the file and enter the following line of code before the file ending:
define(ā€˜FORCE_SSL_ADMINā€™, true);
  1. Hit Esc and enter the command :wq to save the file and exit the editor.
Using FTP

Install and use an application like Filezilla or Cyberduck for these steps. In this case, we are using Filezilla.

  1. Obtain your WordPress site server’s FTP credentials from your site host.
  2. Open Filezilla, enter your IP address in the Host section, your username, password, and port number (if any) and click on Quickconnect.
  1. You will see the file structure of your WordPress site in the Remote site section once you are logged in. Double-click on public_html to open the folder and find wp-config.php in the files listed below.
filezilla public_html wp-config.php
  1. Right-click on the wp-config.php file to open a context menu and select View/Edit to edit the file.
filezilla wp-config.php view/edit
  1. In the file editor, type in the following line before the file ending and press Ctrl + S for Windows users or Cmd + S for Mac users to save the file:
define(ā€˜FORCE_SSL_ADMINā€™, true);
  1. On closing the file editor, you will see a dialog box asking if you want to upload the edited file back to your WordPress server. Click on Yes and you are done.
filezilla file edit upload to server

Sometimes, the switch from HTTP to HTTPS may lead to an unusual situation where your browser might be unable to load your WordPress site’s login page due to too many redirects from it. In that case, add the following lines of code to the wp-config.php file using any of the above two methods:

if ($_SERVER['HTTP_X_FORWARDED_PROTO'] == 'https')
$_SERVER['HTTPS']='on';

Make sure that you add these lines before the following line of code:

require_once(ABSPATH . 'wp-settings.php');

5. Clear all your caches

The browsers you use and the plugins you have installed on your site usually store copies of your website to enable faster access to it. This is called caching of your site as it is stored in the cache memory. Clearing the browser cache is an essential step in the journey to remove the ā€˜Not Secureā€™ warning from your login page. These steps are for the Google Chrome browser but are usually similar for all other browsers.

  1. Click on the three-dot icon on the top right side of the browser and select Settings.
Google Chrome menu
  1. Click on Privacy and security and then click on Clear browsing data.
Google Chrome Privacy and security tab
  1. In the Basic tab, select All time from the Time range dropdown list, and check only the Cached images and files box.
Google Chrome Clear browsing data
  1. Click on Clear data to clear the cache.

If you use a WordPress caching plugin like Airlift, WP Rocket, WP Super Cache, etc., or if your web hosting provider uses caching to speed up your site, you should clear these caches too. The steps to do so can be found in your plugin or your hosting providerā€™s documentation.

6. Verify if the ā€˜Not Secureā€™ warning has disappeared

Once you are done with all these steps, navigate to your WordPress site and try to log in. Your login page should now show a padlock icon in the address bar showing that your site is now secure.

Troubleshooting for wordpress login not secure

There are a few things that could go wrong when you try to remove the ‘Not Secure’ warning from your WordPress website login page by manually installing an SSL certificate. In this section, we have covered some such issues.

  • What if the login page is suddenly inaccessible?
    Check if your login page is properly set up to force SSL usage with updated URLs in the databases. If that does not work, it could be that a plugin is conflicting with the SSL certificate. Try deactivating plugins to see if it resolves the issue.
  • What if you see an ERR_SSL_VERSION_OR_CIPHER_MISMATCH error?
    This error is usually caused by an improperly configured SSL certificate. Recheck your SSL settings to address configuration errors. If the issue is not with your SSL certificate, update your browser or switch to another browser to see if it resolves the issue. You can also identify any other issues with your SSL certificate by using an online tool like the Qualys SSL test.
  • What if you see a NET::ERR_CERT_INVALID error?
    A browser may flag your login page as invalid if your site’s SSL certificate has incorrect details, like the wrong domain name, improbable SSL certificate issue and/or expiry dates, etc. Check for these details and if required, reissue your SSL certificate with the correct details.
  • What if none of the above solutions work?
    In this case, clear all your caches. Your browser, plugins, and web host may sometimes hold on to old login page links, which causes problems when trying to reach the login page with the new HTTPS links.

Using a plugin to install an SSL certificate on your WordPress website evades a lot of these issues. This is why, we do not recommend the manual mode of installing an SSL certificate.

Remember, removing the ‘Not Secure’ warning from your WordPress login page shows that you have a properly configured SSL certificate. However, this is not enough to guard your site’s login page against the variety of threats out there. We have discussed several ways you can secure your WordPress login page.

How to prevent WordPress login not secure warning?

Now that you have secured your WordPress login page by properly configuring its SSL credentials, letā€™s look at the ways to prevent the ā€˜Not Secureā€™ warning from appearing again.

  • If your website uses outgoing links to connect to another website, make sure you edit these links to access their sites using HTTPS.
  • Keep track of certificate expiry dates to be prepared for such eventuality. If your certificate has expired, you can renew it with your existing provider, or switch to free verified HTTPS certification providers like LetsEncrypt.
  • Use a plugin like Easy HTTPS Redirection to route users to an already-configured HTTPS SSL version of your site.
  • Submit your site’s updated HTTPS URL to Google Search Console so that Google now knows and directs users to the secure version of your site. The details to do so can be found here.

Final Thoughts

Well done on successfully eliminating the WordPress login not secure warning!

However, as we emphasized before, relying solely on an SSL certificate isn’t sufficient. To fortify your website against potential hackers, you require a specialized security plugin.

Consider a tool like MalCare, which goes beyond safeguarding just your login and admin areas. It conducts daily scans, identifying any suspicious activities and promptly addressing any discovered malware. Additionally, it equips you with the means to further fortify your website.

FAQs

Why is my WordPress login not secure?

In a nutshell, your WordPress login page shows up as ā€˜Not Secureā€™ because your browser does not trust your siteā€™s SSL certificate for that page. If this is a sitewide problem, install an SSL certificate or change your SSL certificate provider. If this is a problem only on the login page, force your login page to use HTTPS by modifying the wp-config.php file. 

How do I make my WordPress login page secure?

Your WordPress siteā€™s login page is the first line of defense against any form of attack. Use strong passwords, coupled with measures like two-factor authentication (2FA). Ensuring your siteā€™s login page is served securely over HTTPS by using SSL certificates is also important. Finally, use MalCare, a strong security plugin that provides all-around protection for your website.

How do I force SSL login in WordPress?

To force your WordPress siteā€™s login through HTTPS using SSL, edit the wp-config.php file and insert the following line of code: define(ā€˜FORCE_SSL_ADMINā€™, true);. This will force all logins and admin sessions to occur over SSL. You can do this either by accessing your siteā€™s files over SSH or by using an SFTP utility like Filezilla.

Category:

,

You may also like


php.ini wordpress file
A Complete Guide to the php.ini WordPress File

Is your WordPress site running slowly or showing strange errors? Are you experiencing performance issues on your site and want solutions? From malware attacks to your site running out of…

How can we help you?

If you’re worried that your website has been hacked, MalCare can help you quickly fix the issue and secure your site to prevent future hacks.

My site is hacked – Help me clean it

Clean your site with MalCare’s AntiVirus solution within minutes. It will remove all malware from your complete site. Guaranteed.

Secure my WordPress Site from hackers

MalCare’s 7-Layer Security Offers Complete Protection for Your Website. 300,000+ Websites Trust MalCare for Total Defence from Attacks.