Wouldn’t it be nice to not have to worry about getting hacked?
Imagine how hyper-focused you can be to grow your business without the constant fear of a hack distracting you.
This is what an SSL certificate helps you achieve. Once installed, you no longer have to worry about hackers exploiting your data.
Time to hit the pedal and scale your business.
But, wait…
… parts of your website are still marked as “Not Secure” by Google Chrome.
It’s all the more scary because the warning appears on not just any page but your login area. Some of you are probably seeing it on your admin page.
We don’t have to tell you how dangerous it is to transmit login data over an insecure page.
Over the last decade, we have worked with many clients whose websites were hacked and whose businesses were on the verge of crashing.
We’ll show you the exact steps you need to take to protect your login page and admin area.
TL;DR: To remove the “Not Secure” warning, install Easy HTTPS Redirection on your website. It will help you force your login and admin page to serve over HTTPS. That said, an SSL certificate alone will never secure your login page against hackers and bots. You need to implement login protection measures to ensure hackers don’t break into your website.
It can be reaaaally frustrating to find out that even after installing an SSL certificate, Google is marking your site insecure. But trust us, this is for your own good.
You are still seeing the “Not Secure” warning because the certificate is not configured correctly.

Imagine this: Without the warning, you and your teammates would’ve carried on logging in without the slightest suspicion that the login credentials, if obtained, can be exploited.
Your login information is at risk. Google brought it up for your attention. Now it’s up to you to save your site.
You are understandably eager to fix your login and admin area but it’s worth recognizing what missteps lead to this issue.
To understand why the SSL certificate was not properly installed in some areas on your site, jump to this section.
Just in case: if Chrome is flagging ‘Not Secure’ for pages that are not the login or admin page, this might not be the right article for you. This article ONLY covers fixing the login and admin pages. In that case, give this article a read instead: How to Fix Mixed Content Error.
Remove “Not Secure” Warning From the WordPress Login & Admin Page
You already know the drill: Install an SSL certificate to remove the “Not Secure” warning from your website.
That didn’t work for your login and admin page. WordPress login says not secure, so does the admin dashboard.
Now what?
There is only one solution to this problem: force both pages to serve with SSL.
You can achieve this in two ways – the easy way or the hard way.
- You can use a plugin to essentially do the job for you (the easy way)
- Or you can go to the backend of your site, edit a specific file to enforce SSL (the hard way)
We recommend doing it the easy way. But if you don’t want to add another plugin to your website which is probably overburdened with a ton of plugins already, then go for the manual method.
That said, we’ll be upfront here: We DON’T recommend the manual method simply because it’s a high-risk activity. We’ve seen things going wrong hundreds of times. The consequences of making mistakes in the backend of your site are really ugly. You don’t want to be stuck with another problem.
Nonetheless, we will show you the manual fix. If you are confident about finding your way in your site’s backend or if you are feeling adventurous today, go ahead by all means but first take a complete backup of your website. DO NOT skip this step.
No matter how deft you are with following directions, when things go south, you’d be glad to have a backup to fall back on. If you don’t have a backup plugin installed on your site, here’s an article that’ll help you choose one quickly – Best WordPress Backup Plugins
If you don’t want to go through the hassle of choosing a backup, then how about trying out the fix on a staging site first.
A staging site is an exact replica of your live site. If all goes well on the staging site, then rest assured that the fix will work on your live site as well.
> Create a Staging Site
a. Download and install BlogVault on your WordPress website.
b. An option for BlogVault should appear on your dashboard menu. Select that.
c. Next, insert your email ID, then click on Get Started.

d. BlogVault will ask you to create an account with them. All you need to do is enter a password.

e. Then you’ll be asked to add your site to the BlogVault dashboard. Just click on Add.

f. BlogVault will start taking a complete backup of your site. Wait for the process to end.
g. Now on the BlogVault dashboard, click on Sites and then select your website.

h. On the next page, scroll down to the Staging section and select Add Staging > Submit. BlogVault will start creating a staging site for you.

i. When the staging site is ready, you will be given a username and password. Make sure you note them down somewhere. You’ll need them in the next step.

j. The next step is to open the staging site by clicking on the Visit Staging Site.

k. As soon as the staging site opens in a new tab, you will be asked to enter the username and password you had noted down in the previous step. The staging site is password protected to secure it against unauthorized access.

l. You should now be able to access your staging site. Just add /wp-admin/ at the end of your URL to open the login page.

m. Log into the staging site with the same credentials you use to access your live site.
That done, next, we’ll show you how to remove the “Not Secure” warning on your login and admin area with a plugin.
1. Remove “Not Secure” Warning With A Plugin
Step 1: Easy HTTPS Redirection
a. After you log in to the staging site, go to Plugins > Add Plugin and in the search bar type Easy HTTPS Redirection. Install and activate iThemes.
b. On the admin dashboard, go to Settings > HTTPS Redirection.

c. On the next page, you need to take the following actions.
The first thing you need to do is select the option that says – Enable automatic redirection to the “HTTPS”
Move to the next option – Apply HTTPS redirection on. Under this you need to select A few pages and enter the following URLs:
- wp-login.php
- wp-admin/
This will enforce both your login and admin area to serve with SSL.

Step 2: Check Your Login & Admin Area
a. Reload your admin area. You should be able to see a padlock instead of the “Not Secure” warning.

b. Log out of your website and check your login page. It should show a padlock instead of the “Not Secure” warning.
In case you can’t see the padlock… don’t panic!
It’s probably a caching issue. Clear your cache with the help of this guide – How to Clear WordPress Cache?
c. Now, you need to check your entire website to see if it’s working properly. This is less about the SSL certificate and more about the security plugin that you just installed.
There is a chance that installing a new plugin will break your website.
So, check all your important pages and functions. This will include your home page, blogs, checkout, cart pages, ads, subscription boxes, contact forms, etc.
All well?
Good!
Let’s move to the next step.
Step 3: Replicate the Step on Your Live Site
There are two ways of going forward from here:
- Open your live site, install the iThemes Security plugin, and follow the instructions from Step 1.
- Or you can use BlogVault’s Merge option to merge your staging site with the live site.
Using the merge option is easy so you may as well try that out.
But if you have had enough of learning a new tool, just install the iThemes plugin on your live site. You will be fine.
2. Remove “Not Secure” Warning Manually
To manually remove the “Not Secure” warning, all you need to do is edit your wp-config file and insert code.
Editing the wp-config file is fraught with risks, even if you have edited it hundreds of times before.
To reduce the chances of a mistake, we suggest editing the config file on your staging site. We’ll show you exactly how to do that.
Step 1: Create a Staging Site
Click the heading above and it’ll teleport you to a quick tutorial on how to create a staging site in less than 3 minutes.
Step 2: Note Down Your SFTP Details
a. Open your BlogVault dashboard. Select your website.

b. Next, from the Staging section, select this symbol >

c. Note down the SFTP details which include Username, Password, Host, and Port.

Step 3: Use SFTP Credentials To Edit Config File
a. Download and install FileZilla on your local computer.
b. Open FileZilla. At the top of the window, you should see these options: Host, Username, Password, and Port.
Insert your SFTP credentials here and click on Quickconnect.

On Filezilla, there are 4 panels: Local Site, Remote Site, and Filename.

c. On the Remote Site panel, a public_html folder will appear. Click on it.
d. The panel right below the Remote Site will populate with files and folders. You should be able to see the wp-config.php file in that panel.

e. Right-click on the wp-config.php file and select View/Edit.

f. Drop the following code into the wp-config file:
define('FORCE_SSL_ADMIN', true);
IMPORTANT: Make sure you insert it before this statement: /* That's all, stop editing! Happy blogging. */

g. Close the file. You’ll be asked whether you want to save the file. Select Yes.
Step 4: Check Login & Admin Area of Your Staging Site
a. Open your BlogVault dashboard. Select your website.

b. Next, from the Staging section, note down the username and password.

c. From the same section, select your staging site by clicking on the URL. It will open in a new browser tab.

d. As soon as you open the site, you will be asked to enter the username and password you had noted down in the previous step. The staging site is password protected to secure it against unauthorized access.
e. Open your login page by adding /wp-admin/ at the end of your URL.
- It should show a padlock instead of the “Not Secure” warning.
- Log into your site, you should be able to see a padlock instead of the “Not Secure” warning.

If you don’t see the padlock, it’s probably a caching issue. Clear your cache with the help of this guide – How to Clear WordPress Cache?
f. The next step is to check your entire website to see if all your important pages and functions are working properly. This will include your home page, blogs, checkout, cart pages, ads, subscription boxes, etc.
Step 5: Replicate the Process On Your Live Site
There are two ways to replicate the process:
1. Use BlogVault’s Merge option to merge your staging site with the live site (the easy way)
2. Or edit the wp-config.php file on your live site with the help of this guide – How to Edit wp-config.php File?
Open the wp-config.php file and drop in the following code:
define('FORCE_SSL_ADMIN', true);
IMPORTANT: Make sure you insert it before this statement: /* That's all, stop editing! Happy blogging. */

3. Close the file. You’ll be asked whether you want to save the file. Select Yes.
That’s all folks. You have successfully removed the “Not Secure” warning from the WordPress login page.
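The wp-config.php edit from Step 3 and Step 5 above, written as an added shell example (it is not part of the original article or of WordPress). It takes a backup, skips files that already define FORCE_SSL_ADMIN, and places the line directly above the "stop editing" comment. The function name force_ssl_admin and the sample config are made up for illustration; matching on "stop editing" goes slightly beyond the article so that configs whose comment ends in "Happy publishing." are handled too.

```shell
#!/bin/sh
# Added example (not from the original article): add FORCE_SSL_ADMIN to a
# wp-config.php just above the "stop editing" comment, with a backup.

force_ssl_admin() {
    cfg=$1
    marker='stop editing'   # matches the "Happy blogging." and "Happy publishing." variants
    line="define('FORCE_SSL_ADMIN', true);"
    [ -f "$cfg" ] || { echo "no such file: $cfg" >&2; return 2; }

    # Already defined and not commented out? Show it and leave the file alone.
    if grep -En "^[[:space:]]*define\([[:space:]]*['\"]FORCE_SSL_ADMIN['\"]" "$cfg"; then
        echo "FORCE_SSL_ADMIN already present, nothing changed" >&2
        return 0
    fi
    # Refuse to guess a position when the marker comment is missing.
    grep -q "$marker" "$cfg" || { echo "marker not found in $cfg" >&2; return 3; }

    cp -p "$cfg" "$cfg.bak" || return 4          # backup before any change
    tmp=$(mktemp "$cfg.XXXXXX") || return 4
    # Emit the define once, immediately before the first marker line.
    awk -v m="$marker" -v l="$line" \
        '!seen && index($0, m) { print l; seen = 1 } { print }' \
        "$cfg.bak" > "$tmp" || { rm -f "$tmp"; return 4; }

    # Lint the result when a php binary is available (assumption: php CLI on PATH).
    if command -v php >/dev/null 2>&1 && ! php -l "$tmp" >/dev/null 2>&1; then
        rm -f "$tmp"; echo "php -l failed, $cfg left unchanged" >&2; return 5
    fi
    cat "$tmp" > "$cfg" && rm -f "$tmp"          # cat keeps the original owner and mode
}

# Constructed sample config (not a real site) to exercise the function.
demo=$(mktemp -d)
printf '%s\n' '<?php' "define('DB_NAME', 'example_db');" \
    "/* That's all, stop editing! Happy publishing. */" \
    "require_once ABSPATH . 'wp-settings.php';" > "$demo/wp-config.php"
force_ssl_admin "$demo/wp-config.php"
force_ssl_admin "$demo/wp-config.php"            # second run changes nothing
grep -nE 'FORCE_SSL_ADMIN|stop editing' "$demo/wp-config.php"
```

Once the site checks out, move or delete wp-config.php.bak: a backup left in the web root can be downloaded as plain text, database credentials included.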
Why Are You Seeing “Not Secure” Warning in the Login & Admin Page?

Wondering – why is my WordPress login not secure?
In a nutshell: You are seeing the warning sign because your browser is not trusting your SSL certificate.
You are probably wondering – but the certificate works fine on the rest of the website!
That’s because your login and the admin area are arguably the most important pages on your website. Your browser refuses to serve these pages over a B-grade certificate.
Here’s what you can do –
Open this SSL checker: Qualys SSL Labs. Drop in your website URL and hit Submit. If you get anything less than a perfect A+ then you are using a B-grade certificate.

If you are using a self-signed SSL, then here’s why you shouldn’t – Risks of Self-Signed SSL. It’s better to install an SSL certificate from a different vendor. Consult this comprehensive guide on how to choose a good SSL certificate.
If undergoing the whole process of selecting and installing an SSL certificate all over again sounds too laborious, then fetch an SSL certificate from your hosting provider and let them install it for you.
It’s possible that your current SSL certificate was fetched from your hosting provider. In that case, contact them. Tell them about your login & admin page warnings. Send them screenshots.
In 9 cases out of 10, it’s a certificate configuration issue. Chances are that your hosting provider can easily fix the warnings if you haven’t already fixed them using the method we just showed you in the previous section.
What Next?
Congratulations on successfully removing the “Not Secure” warning.
Before you move on with your life, here’s something to ponder on – is an SSL certificate enough to keep your website safe from a hack?
Having worked with thousands of WordPress websites for nearly a decade, we are uniquely qualified to answer this question.
Bluntly speaking: no, SSL alone will not secure your website.
You need a dedicated security plugin to secure your website from hackers.
A plugin like MalCare will not just ensure that your login and admin area are protected but also scan your website on a daily basis to detect suspicious activities. It’ll help you clean your website if any malware is found. Moreover, it enables you to take measures to defend your website.
Why not give MalCare a test drive?