How to Remove āNot Secureā Warning From the Login & Admin Page?
by
7-layers of Security for Your WordPress Site
Your website needs the most comprehensive security to protect it from the constant attacks it faces everyday.
Is your WordPress login not secure? Does it disappear once you have gained access or does it appear only after that?
All these are common issues, but you have the power to resolve them. This guide will take you through the steps to address this warning and fortify your WordPress site with SSL certificates and HTTPS.
TL;DR: Your browser flags your WordPress login page as āNot Secureā when it cannot find an SSL certificate on your site, or when it doesnāt trust the certificate if it exists. Refresh your siteās SSL certification and pair it with a robust security plugin like MalCare to strengthen your siteās security.
Why is my WordPress login not secure?
Your WordPress login says ‘Not Secure’ warning if your site does not have an SSL certificate, or if it is either improperly configured or has expired.
The SSL certificate is required to encrypt the data sent to and from your site. This lends security to the HTTP communication protocol and upgrades it to HTTPS. The āNot Secureā warning on your login page indicates that it is not using the HTTPS protocol.
HTTPS also gives your login page a padlock icon next to its address, showing that it is secure and trustworthy. If your login page has a āNot Secureā label instead, it can deter users from logging in to the dashboard. This issue can be easily resolved in ways that we will show in the following sections.
How to fix WordPress login not secure warning?
The following steps outline the ways in which you can remove the WordPress login not secure warning. They have also been explained in detail afterward.
- Back up your site
- Check your site for an SSL certificate
- Install an SSL certificate
- Fix existing SSL certificate
- Clear all your caches
- Verify if the āNot Secureā warning has disappeared
1. Backup your site
The first and foremost thing to do before trying to fix the WordPress login not secure warning is to back up your WordPress site. While our steps are comprehensive and deal with all possible issues, creating a backup is still important as you can recover your site data easily in the unforeseen event that something goes wrong.
2. Check your site for an SSL certificate
Once you have backed up your site, the next thing you need to do is to check if an SSL certificate exists on it or if it has expired. This can be done simply by checking your site URL on an online SSL checker tool, like SSLShopper. This gives you all the details about your siteās SSL certification.
3. Install an SSL certificate
If the results from the previous step show that you do not have an SSL certificate, then follow the steps on how to install an SSL certificate in WordPress. However, if your site does have an SSL certificate, you can skip this step and move on to the next one.
4. Fix your existing SSL certificate
If you already have an SSL certificate on your WordPress site and are still seeing a āNot Secureā warning while trying to log in, it could be due to either an expired or an improperly configured SSL certificate.
If your existing SSL certificate has expired, you will need to get in touch with the certificate authority (CA) that issued it and have it renewed. Usually, CAs have their renewal plans laid out well for you to go through and they might also send you certificate expiry notifications in advance.
If your existing SSL certificate is still valid, it might be that it is not properly configured. In that case, follow the steps mentioned here:
1. Force your login page to use HTTPS using a plugin
Using plugins to configure an SSL certificate on your WordPress site is the easiest way to remove the āNot Secureā warning from the entire site, including the login page. Multiple plugins are available to do so, like WP Encryption, SSL Zen, etc., but we recommend using Really Simple SSL.
- Install and activate Really Simple SSL from your WordPress siteās admin dashboard.
- Go to Settings and then to SSL. This is your Really Simple SSL dashboard, which shows all possible issues with your site.
- Click on Activate SSL. A pop-up appears with information you should know before going ahead.
- Click on Activate SSL again. This sets up your site with an SSL certificate in just a few minutes.
Note: You may be logged out of the admin dashboard.
2. Force your login page to use HTTPS manually
If you used a plugin like Really Simple SSL for installation, it would have taken care of this for you. However, if the certificate was installed in an alternative way, you can try the manual method of fixing this issue. Please note that we do not recommend this method as it carries the scope of making errors that could hamper your site.
To force your login page to use HTTPS manually, you can perform the following steps either through Secure Shell (SSH) or through File Transfer Protocol (FTP).
Using SSH
Use Command Prompt, if you are a Windows user, or Terminal, if you are a Mac user, for these steps.
- Obtain your WordPress site serverās SSH credentials from your site host.
- Log into your WordPress siteās server using SSH with the following command, replacing user_name and ipaddress with the credentials for the server:
ssh user_name@ipaddress
Enter your password when prompted.
- Enter the following command to list all the files:
ls -a
- You should see the wp-config.php file. Enter the following command to open it in an editor:
vi wp-config.php
- Hit i to edit the file and enter the following line of code before the file ending:
define(āFORCE_SSL_ADMINā, true);
- Hit Esc and enter the command :wq to save the file and exit the editor.
Using FTP
Install and use an application like Filezilla or Cyberduck for these steps. In this case, we are using Filezilla.
- Obtain your WordPress site server’s FTP credentials from your site host.
- Open Filezilla, enter your IP address in the Host section, your username, password, and port number (if any) and click on Quickconnect.
- You will see the file structure of your WordPress site in the Remote site section once you are logged in. Double-click on public_html to open the folder and find wp-config.php in the files listed below.
- Right-click on the wp-config.php file to open a context menu and select View/Edit to edit the file.
- In the file editor, type in the following line before the file ending and press Ctrl + S for Windows users or Cmd + S for Mac users to save the file:
define(āFORCE_SSL_ADMINā, true);
- On closing the file editor, you will see a dialog box asking if you want to upload the edited file back to your WordPress server. Click on Yes and you are done.
Sometimes, the switch from HTTP to HTTPS may lead to an unusual situation where your browser might be unable to load your WordPress site’s login page due to too many redirects from it. In that case, add the following lines of code to the wp-config.php file using any of the above two methods:
if ($_SERVER['HTTP_X_FORWARDED_PROTO'] == 'https')
$_SERVER['HTTPS']='on';
Make sure that you add these lines before the following line of code:
require_once(ABSPATH . 'wp-settings.php');
5. Clear all your caches
The browsers you use and the plugins you have installed on your site usually store copies of your website to enable faster access to it. This is called caching of your site as it is stored in the cache memory. Clearing the browser cache is an essential step in the journey to remove the āNot Secureā warning from your login page. These steps are for the Google Chrome browser but are usually similar for all other browsers.
- Click on the three-dot icon on the top right side of the browser and select Settings.
- Click on Privacy and security and then click on Clear browsing data.
- In the Basic tab, select All time from the Time range dropdown list, and check only the Cached images and files box.
- Click on Clear data to clear the cache.
If you use a WordPress caching plugin like Airlift, WP Rocket, WP Super Cache, etc., or if your web hosting provider uses caching to speed up your site, you should clear these caches too. The steps to do so can be found in your plugin or your hosting providerās documentation.
6. Verify if the āNot Secureā warning has disappeared
Once you are done with all these steps, navigate to your WordPress site and try to log in. Your login page should now show a padlock icon in the address bar showing that your site is now secure.
Troubleshooting for wordpress login not secure
There are a few things that could go wrong when you try to remove the ‘Not Secure’ warning from your WordPress website login page by manually installing an SSL certificate. In this section, we have covered some such issues.
- What if the login page is suddenly inaccessible?
Check if your login page is properly set up to force SSL usage with updated URLs in the databases. If that does not work, it could be that a plugin is conflicting with the SSL certificate. Try deactivating plugins to see if it resolves the issue. - What if you see an ERR_SSL_VERSION_OR_CIPHER_MISMATCH error?
This error is usually caused by an improperly configured SSL certificate. Recheck your SSL settings to address configuration errors. If the issue is not with your SSL certificate, update your browser or switch to another browser to see if it resolves the issue. You can also identify any other issues with your SSL certificate by using an online tool like the Qualys SSL test. - What if you see a NET::ERR_CERT_INVALID error?
A browser may flag your login page as invalid if your site’s SSL certificate has incorrect details, like the wrong domain name, improbable SSL certificate issue and/or expiry dates, etc. Check for these details and if required, reissue your SSL certificate with the correct details. - What if none of the above solutions work?
In this case, clear all your caches. Your browser, plugins, and web host may sometimes hold on to old login page links, which causes problems when trying to reach the login page with the new HTTPS links.
Using a plugin to install an SSL certificate on your WordPress website evades a lot of these issues. This is why, we do not recommend the manual mode of installing an SSL certificate.
Remember, removing the ‘Not Secure’ warning from your WordPress login page shows that you have a properly configured SSL certificate. However, this is not enough to guard your site’s login page against the variety of threats out there. We have discussed several ways you can secure your WordPress login page.
How to prevent WordPress login not secure warning?
Now that you have secured your WordPress login page by properly configuring its SSL credentials, letās look at the ways to prevent the āNot Secureā warning from appearing again.
- If your website uses outgoing links to connect to another website, make sure you edit these links to access their sites using HTTPS.
- Keep track of certificate expiry dates to be prepared for such eventuality. If your certificate has expired, you can renew it with your existing provider, or switch to free verified HTTPS certification providers like LetsEncrypt.
- Use a plugin like Easy HTTPS Redirection to route users to an already-configured HTTPS SSL version of your site.
- Submit your site’s updated HTTPS URL to Google Search Console so that Google now knows and directs users to the secure version of your site. The details to do so can be found here.
Final Thoughts
Well done on successfully eliminating the WordPress login not secure warning!
However, as we emphasized before, relying solely on an SSL certificate isn’t sufficient. To fortify your website against potential hackers, you require a specialized security plugin.
Consider a tool like MalCare, which goes beyond safeguarding just your login and admin areas. It conducts daily scans, identifying any suspicious activities and promptly addressing any discovered malware. Additionally, it equips you with the means to further fortify your website.
FAQs
Why is my WordPress login not secure?
In a nutshell, your WordPress login page shows up as āNot Secureā because your browser does not trust your siteās SSL certificate for that page. If this is a sitewide problem, install an SSL certificate or change your SSL certificate provider. If this is a problem only on the login page, force your login page to use HTTPS by modifying the wp-config.php file.
How do I make my WordPress login page secure?
Your WordPress siteās login page is the first line of defense against any form of attack. Use strong passwords, coupled with measures like two-factor authentication (2FA). Ensuring your siteās login page is served securely over HTTPS by using SSL certificates is also important. Finally, use MalCare, a strong security plugin that provides all-around protection for your website.
How do I force SSL login in WordPress?
To force your WordPress siteās login through HTTPS using SSL, edit the wp-config.php file and insert the following line of code: define(āFORCE_SSL_ADMINā, true);. This will force all logins and admin sessions to occur over SSL. You can do this either by accessing your siteās files over SSH or by using an SFTP utility like Filezilla.
Share it:
You may also like
MalCare Protects Against Critical Vulnerabilities in Ultimate Membership Pro Plugin
On February 23rd, 2024, two severe security vulnerabilities were found in the Ultimate Membership Pro plugin, affecting versions up to 12.7. These vulnerabilities could allow attackers to upgrade their user…
A Complete Guide to the php.ini WordPress File
Is your WordPress site running slowly or showing strange errors? Are you experiencing performance issues on your site and want solutions? From malware attacks to your site running out of…
Security WordPress Theme: How to Keep Your Site Safe While Looking Good
Themes go beyond appearance and also affect your WordPress siteās security and its functioning. A vulnerable theme can act as a gateway for hackers to access your site. If your…
How can we help you?
If you’re worried that your website has been hacked, MalCare can help you quickly fix the issue and secure your site to prevent future hacks.
My site is hacked – Help me clean it
Clean your site with MalCare’s AntiVirus solution within minutes. It will remove all malware from your complete site. Guaranteed.
Secure my WordPress Site from hackers
MalCare’s 7-Layer Security Offers Complete Protection for Your Website. 300,000+ Websites Trust MalCare for Total Defence from Attacks.