How to Fix HTTPS and SSL Issues in Your WordPress Website
In order to protect their users, Google has steadily taken measures to encourage website owners to prioritise security with best practices. A “Site Not Secure” notice on a website is one of those measures. It indicates that the website does not have SSL installed.
Obviously as a website owner, we want to do the best for our visitors, and hence want the best WordPress security measures for our sites.
So, if you’re seeing the WordPress site not secure notice on your site, this article will help you fix things, and make your site secure for your visitors and their data.
TL;DR: Install an SSL certificate, redirect your site to https, change all internal links to secure links, and update the Google Search Console to fix the WordPress site not secure issue. Backup your entire site before you make any changes.
Why are you seeing the WordPress site not secure notice?
You’re seeing the WordPress site not secure notice because your site has no SSL certificate or has an SSL certificate that was not properly configured during installation. Installing an SSL certificate significantly improves your user experience and layer of security. So, if there’s a problem with your SSL, Google hits you with “Not Secure” notice.
This is primarily what your site visitors will see:
Ideally, this is what you (and your visitors) should see:
By setting up SSL or HTTPS on your website, you get two major benefits. First, all the traffic to your website is encrypted. This has significant privacy and security advantages. And secondly, the WordPress website not secure warning is replaced with a more reassuring green lock.
How to fix WordPress site not secure warnings?
We have broken down the process into discrete steps for you to follow. Overall, the process takes a few hours to complete, so we recommend you bookmark this page and take in stages.
Also, don’t feel alarmed if the next few parts seem a little technical. Follow the instructions carefully, and you will successfully fix WordPress site not secure warning . For added peace of mind, backup your website before starting.
- Start with an SSL pre-check
Some web hosts or site developers will set up an SSL certificate when the site goes live. Open your website in an incognito window and check if the SSL certificate is already installed.
Adding the “https://” tells your browser to try and connect to the secure version of your site. If you see the green padlock, then you’re in luck. You can skip installing the SSL certificate altogether, and head over to resolving mixed content issues on your site.
Backup your site
Before you take any further steps to fix WordPress site not secure warning, you should definitely take a full WordPress site backup. It is good practice to backup your website before making any changes to your website, especially if they are major.
We recommend using BlogVault to back up your site. If you mess up, you can simply restore your site with one click.
Once your site connects with BlogVault, you can also enable real-time updates. Real-time backups start saving changes made to your site automatically. This means that you can select the last working version of your site backup without a fuss, and not lose all your work on any one silly mistake.
Install the SSL certificate to secure connection
Most people are intimidated by installing an SSL certificate; and some time ago, they would have had good reason. Now, things are much simpler with plugins that do most of the heavy lifting.
It is, however, a long process. Follow our instructions on how to install an SSL certificate carefully. It includes everything you need to know about installing SSL certificates such as:
- Choosing an SSL certificate
- Installing a custom certificate
- Verifying the SSL certificate
If you have questions about types of certificates and how and where to buy them, the article covers it all.
After you’re done with installing the certificate, come back to this article and complete the rest of the steps.
Important: Simply installing the certificate is not enough.
Redirect Links From HTTP to HTTPS
The next step uses a little bit of tech language, and it is important to know these terms as a website owner. It is helpful to know the difference between HTTP and HTTPS.
Now, you’ll have to make sure that every page on your site is served securely, which means that all visitors hit the SSL version of your website. That’s where a HTTP to HTTPS redirection comes into play.
Don’t worry if this sounds a little complicated. As with all things WordPress, you can redirect URL’s from HTTP to HTTPS in two ways:
- With a plugin
- Without a plugin
We highly recommend that you use a plugin such as Really Simple SSL to redirect your site from HTTP to HTTPS. Forcing the site to redirect manually to SSL can have several unintended consequences, as it requires you to fiddle around with WordPress core files that are best left alone.
In either case, we created a full walkthrough article to help you force redirect from HTTP to HTTPS. Go ahead and follow along with the article to get step-by-step instructions. Then, come back and follow along with the rest of this article.
If the forced redirection didn’t work properly, you’ll see some mixed content issues. A very simple way to determine that is to head over to one of these sites and check for mixed content issues:
Mixed content means that your site is serving up unsecured URLs along with secured ones. This means that while your site has an SSL certificate installed, certain old pages are still being served with HTTP URLs.
This is a very common problem with WordPress themes and images.
Again, you can do this in two ways:
- With a plugin
- Without a plugin
Removing mixed content issues manually is a dangerous thing to do as it involves changing database entries. If you do it wrong somehow, you’ll end up wrecking your entire site. So, take a full backup of your website right now with BlogVault.
We’ll try and minimize the risk to that as much as possible but using a plugin to fix mixed content issues is always a safer option. This article by WPBeginner will show you how to use an SSL Insecure Content Fixer plugin.
But if you still want to do it manually, we recommend the following steps:
- Take another backup: If there was ever a time to take a full site backup, it’s now.
- Make a list of HTTP URLs: Use WhyNoPadlock to find the HTTP URLs and make a list.
- Install Better Search Replace: Use the plugin to find and replace those HTTP links with HTTPS.
“Search for” the HTTP URL, paste the same URL in “Replace with” and change the link from HTTP to HTTPS.
The biggest downside of this method is that even though it uses a plugin, it still requires you to do this manually one at a time for each URL.
Update Google Search Console and Analytics
Now that you’re done with installing the SSL certificate and making sure that you serve the HTTPS version of your WordPress site, it’s time to let Google know about it. If you don’t make this change, Google Search Console will keep collecting data from the HTTP version which will keep getting lesser and lesser traffic from now on.
So, head over to Google Search Console and add a new property for the HTTPS version.
Then re-submit your sitemap files, with the updated HTTPS versions.
If your site has any link disavow files on Search Console, head over to the Google Disavow Tool and click on your HTTP version. Download the file and upload it to the new profile.
Then delete the old profile permanently.
Once this is done, head over to Google Analytics and update your Google Analytics property and view. If your Analytics is connected to your Search Console, then all you’ll have to do is click on Property Settings >> Default URL >> click on the dropdown and select “https://”.
Do the same thing for the view. Click on View Settings >> Website’s URL >> click on the dropdown and select “https://”.
That’s the only thing you need to do to fix the WordPress site not secure warning.
Why you should implement SSL on your website?
The important thing to remember is that the advantages of this process will outweigh the minor discomfort you may experience by stepping into this new territory.
You will have:
- Added site security: Serving a site on HTTPS means that you encrypt your site information over an SSL/TLS connection and make WordPress site secure. In simple terms, this means that even if a hacker intercepts your website’s information, they’ll never be able to decrypt the sensitive information and understand what it actually says.
This is absolutely vital for eCommerce sites where financial transactions occur on your site. If that transaction isn’t encrypted, a hacker could steal financial information directly from your site.
- No more Chrome warnings: Chrome holds over 73% of the browser market share. So, a Chrome warning will impact a major share of your web traffic. Resolving a few small technical issues will remove the WordPress site not secure issue permanently.
However, this issue extends to all major browsers including Firefox and Mozilla. You may also start receiving warnings from Google Search Console as well. We recommend that you follow along with the exact steps outlined in this article for a permanent fix.
- Site loading speed: The new HTTP/2 protocol for connecting to a site is way faster than HTTP connections. Now, HTTP/2 actually requires SSL connections. So, installing an SSL certificate may just improve your site loading speed by a lot.
We say “may” because not all web hosts will automatically provide you with HTTP/2 protocols. Before you jump into GTMetrix to check your performance, you should talk to your web host and check if HTTP/2 is enabled on your accounts.
- SEO traffic: According to a Google Search Central article, HTTPS is a ranking factor on Google SERPs. When Google tells you how to get better rankings and traffic from SEO, you listen. Period. It’s not just Google Search Central, though. Independent SEO blogs conducted a bunch of analysis reports who all came to the same conclusion.
- Brand credibility: According to reputed SSL certificate vendor GlobalSign, 77% of online users are scared of their personal information being hacked or misused online. Having the green padlock on your site simply improves your brand’s credibility.
For eCommerce sites, it’s practically a mandate now as no one trusts an online store with a site not secure warning. Financial institutions and major marketplaces even use an Extended Validation SSL certificate. But simple portfolio sites should also install SSL for the sake of brand credibility.
- Referral Traffic: Like SEO, this is more of a marketing reason than an actual security reason. But HTTPS can give you a clearer picture of referral traffic. What most marketers don’t realize is that HTTPS to HTTP referral data is blocked in Google Analytics. So, if your HTTP site gets referral traffic from an HTTPS site the data gets filed under “Direct Traffic.”.
This is severely misleading and can cause you to take some very ill-advised marketing decisions. So, if you’re wondering why your Direct Traffic has gone up in Google Analytics and your Referral Traffic has gone down, this could be a significant reason.
As you probably found out the hard way, there’s a lot more to fixing the WordPress site not secure issue than you might think. Installing the SSL certificate the right way is a good step in the right direction in terms of site security. But that’s not enough.
We highly recommend that you sign up for MalCare. MalCare is a comprehensive WordPress security plugin that automatically scans your site for malware. If your site gets infected or hacked, MalCare will help you remove the malware with one simple click.
You also get an advanced WordPress firewall that protects your site from hackers and bad bots. Armed with a powerful learning algorithm, the firewall automatically blocks malicious IPs discovered across any of the 250,000+ sites that MalCare protects.
Why is my WordPress site not secure?
Google says your WordPress website not secure because your site doesn’t have an SSL certificate or has an SSL certificate that is poorly configured. The simplest way to resolve this Chrome error is to install an SSL certificate. For comprehensive security, though, we recommend installing a WordPress security plugin.
How do I make my WordPress site secure?
Install an SSL certificate the right way using our guide. Then update your Google Search Console and Analytics with the HTTPS version of your site. But this is only the start for making your WordPress secure. If you’re seriously interested in making sure that your site doesn’t get hacked, install MalCare right away.
Is it safe to use a website that says not secure?
The short answer is no. Especially if the site in question is an eCommerce site that handles your financial information. Sites without an SSL certificate are more likely to get hacked and this has serious consequences. Simply visiting an unsecured site can automatically download malware to your PCs without you even realizing it.
Can WordPress sites be hacked?
Yes. In fact, all sites on the internet can be hacked in some way or form. There is no such thing as airtight cybersecurity. WordPress is an incredibly popular site-building platform and loads of hackers try to hack WordPress sites every day. There are definitive ways to secure a WordPress site, though.
How safe is a website on WordPress?
The safety of your WordPress site depends on what security measures you have in place. We recommend conducting a thorough WordPress security audit and taking the necessary countermeasures suggested in our article.
Nirvana is a WordPress enthusiast, and enjoys sharing their experience with fellow enthusiasts. On the MalCare blog, Nirvana distils the wisdom gained from building plugins to solve security issues that admins face.