Do you see a WordPress site ‘Not Secure’ warning against your website?

WordPress site not secure example

If you can see this warning next to your website’s name in the address bar, it means the data transmitted from and to your site does not have a secure connection. By running an unsecured website, you put your own site at risk of being hacked. But far worse is that you also put visitors at the risk of having their data stolen.

The repercussions of such a data breach are severe. You can face legal penalties and massive recovery costs, and you’ll lose the trust of your customers. The ‘Not Secure’ warning in Chrome is just a caution from Google. It alerts visitors that your site lacks the security needed to keep their data safe from hackers. But for any website owner, this is a huge red flag, as it means you can lose visitors and potential customers, since many don’t visit unsafe websites. You should pay heed and fix it immediately.

Note: The tag doesn’t necessarily mean your website is hacked or that malware is present. But having an unsecured connection puts you at risk of cyber-attacks, which come with serious repercussions.

At MalCare, we live and breathe WordPress security and we love nothing more than ‘secure’ sites. As this is a common issue, we decided to address the topic.

We’ve compiled a detailed step-by-step guide to remove ‘Not secure’ warnings and make your site secure for you and your users.

Important Steps for Improving the Security Of Your WordPress Website

To remove the ‘Site is Not Secure’ tag and improve the security of your website, you need to implement two major steps immediately:

  1. Get a valid SSL Certificate
  2. Migrate from HTTP to HTTPS

After this, you need to install a security plugin to stay protected from future hack attempts. But before we dive right in, let’s quickly run through the basics to get a better understanding of what’s happening here.

TL;DR – Your website is not secure for you and your users till you install and activate an SSL certificate. You can get this from your web host or an SSL provider. But this is only the first step towards better security for your website. You need to install a WordPress security plugin like MalCare to preemptively block attacks and keep hackers out!

What is HTTP, HTTPS, and SSL?

HTTP

HTTP stands for HyperText Transfer Protocol and enables the exchange of information over the internet. Messages will be transferred in plain text which means anyone that can access this information can read it. Hackers that are on the same server could intercept this information. Other entities that have access to internet infrastructures such as internet service providers and governments could also access this information.

HTTP was initially the standard protocol for all websites but was not recommended for ones that used a customer’s credit card information or dealt with personally identifiable information (PII).

Over the years, hackers found ways to use the data of just about any website. Hackers like to target small websites because they know that small sites don’t have the resources to secure their site. Thus, you needed a mechanism to securely transfer data between a user and the server without anyone else reading it. This is where HTTPS and SSL come in.

HTTPS and SSL

SSL stands for Secure Sockets Layer and is one of the most widely deployed security protocols today. The importance of SSL was realized back in the 1990s, and it was developed by Netscape in 1995. It essentially provides a secure channel of communication between two machines that operate over the internet.

Benefits of SSL and HTTPS

SSL primarily provides three main benefits:

    • Encryption – An encrypted connection is needed, wherein data is encoded as it is transferred between the visitor and the website, so no unauthorized party can use it.
    • Authentication – You need to make sure all communication is going to the correct server.
    • Integrity – This ensures the transmitted data is not modified on its journey by a third party.

Once you install SSL on your website, your connection becomes secure. Data transmitted through the SSL channel is encrypted and sent. Therefore, if a hacker gets access to this information, they won’t be able to decode it. With the SSL certificate installed on your website, HTTP becomes HTTPS – HyperText Transfer Protocol Secure. That way migrating your site to HTTPS improves its security.

Regardless of what kind of site you have, all information is transmitted securely. This gives you login protection, so hackers can’t steal user credentials. All monetary transactions are secure. Lastly, since Google makes HTTPS a ranking factor, your SEO will also improve.

Over time, a number of security flaws were discovered in SSL. To overcome these issues, TLS (Transport Layer Security) was developed. The primary objectives remain the same; however, TLS is more secure and highly recommended. In many cases, the terms TLS and SSL are used interchangeably.

Now you can see why SSL (or TLS) is so important for any website. Google rolled out an updated version of Google Chrome in July 2018 and added the new feature of tagging sites without SSL as ‘Not Secure’.

To remove the warning, we’ve put together a step-by-step guide for WordPress SSL. Let’s dive in.

How to Remove ‘Not Secure’ Warning on My WordPress Site 

To make your website secure, you need to follow these 6 steps:

Step 1: Take a backup

Before you make any changes to your website, it’s always good for you to take a backup. Always! In case anything goes wrong while installing an SSL certificate, you should be able to restore your website using your backup. The easiest and most reliable way to take a backup is using BlogVault’s WordPress backup service. You’ll have a backup in under a few minutes that is guaranteed to work.

Step 2: Get a Host with a dedicated IP address

If you’re using a shared server, you won’t be able to implement SSL. This is because you need to ensure traffic that is meant to go to your website is properly directed to your WordPress site only. Visitors who mean to visit your site shouldn’t end up on someone else’s site that resides on the same server as yours.

So, the first step to take is to make sure you get a dedicated IP. You can do this by checking with your WordPress web host about dedicated server plans and upgrading your account.

Step 3: Get an SSL Certificate

You can purchase the certificate from your web hosting company or directly from SSL companies like The SSL Store and SSL.com. You can also get a simple SSL certificate for free from vendors such as Let’s Encrypt. This is great for WordPress beginners. However, free only gets you the basic SSL and is not sufficient after a point.

It’s recommended to opt for a paid SSL certificate as you’ll have access to customer support – which is much-needed when you face issues. They also come with a warranty and longer validity. This can transform your WordPress site from being ‘not secure’ to secure. There are primarily 5 kinds of premium SSL certificates available for WordPress sites:

 

Premium SSL Certificates

 

For regular WordPress site owners, the Domain Validation certificate is sufficient. You wouldn’t normally need anything above that. Website developers or those who manage multiple sites might sometimes need the Wildcard or Multi-Domain certificate.

Step 4: Activate the certificate

Some web hosting providers might carry out this step on your behalf, so check with them first. If you need to activate it yourself, you need to generate a CSR (Certificate Signing Request).

    • Visit your web hosting cPanel and go to SSL/TLS admin.
    • Here you need to choose ‘Generate an SSL certificate and Signing Request’.

 

Activating SSL Certificate

 

    • Enter the relevant data required and click on ‘Create’. Note: For the field ‘Host to make cert for’, enter your domain name.
    • Once done, blocks of text will be generated. The first block of text is your CSR that you need to copy.
    • Then, log in to your web host account, paste this block of text where it prompts you to do so. Fill up any other required fields.

Simply follow the next steps and you’ll receive your certificate as a .crt file.

Step 5: Install the certificate

Some managed WordPress hosts also handle this step for you. In case they don’t, here’s how you can do it yourself. Go to cPanel and under ‘Security’, select SSL/TLS.

Installing Security Certificates

Next, select “Install an SSL certificate.”

Installing and Managing SSL for WordPress website

An empty box will appear where you can paste your certificate. Once you submit it, your site should be secured.

Step 6: Update Links From HTTP to HTTPS

Once you install your SSL certificate, you’ll see that your site now has the green padlock in the address bar. The next step you need to take is to ensure your visitors access your website only through this new HTTPS-enabled route. You need to move WordPress URLs from HTTP to HTTPS. For example, http://www.malcare.com should be changed to https://www.malcare.com.

You can replace HTTP with HTTPS manually from your wp-admin dashboard. On your dashboard, go to Settings > General. Here, you can update your WordPress Address URL and Site Address URL from HTTP to HTTPS, like this:

Updating links from http to https

For smaller websites and WordPress blogs, you may be able to run this step for every URL. But for large websites, it’s simply not feasible. In these cases, there are plugins like Better Search Replace that will migrate all links from HTTP to HTTPS in bulk. Once done, you need to add a 301 redirect. This will redirect any incoming request to your HTTP links to the HTTPS links.

Caution: Take a complete website backup before you make any changes to your WordPress website’s files. To add the redirect, visit cPanel > File Manager > public_html > .htaccess file. Right-click on it to get the edit option. Once the file opens, you need to paste the following code:


    # BEGIN SSL REDIRECT
    RewriteEngine On
    RewriteCond %{HTTPS} off
    RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
    # END SSL REDIRECT

That’s it! You made your site secure using SSL and HTTPS. Clear your cache and refresh your website’s page and you should see that the ‘Not Secure’ tag is no longer there on your WordPress site.

Example of using HTTPS protocol

Important WordPress Tips After Website Migration

Before we leave you, there are a few steps you should ideally take after you migrate. Your site is most likely connected to other plugins, extensions, and applications. You need to update the new HTTPS links in all of them. Here are a few important tips to follow:

1. Visit your Google Search Console dashboard. Go to “Add a property”. Here, enter the full URL with HTTPS and add and verify the property.
2. Add an updated sitemap to the new property. You can use a plugin like SEOPress Plugin that will generate an XML sitemap.
3. Visit your Google Analytics dashboard. Select Admin > Property > Property Settings. Here you can update the default URL to HTTPS. Next, go to View > View settings. Update your website’s URL to HTTPS once again.
4. Certain plugins will require you to update your URL as well. If you’re using a backup plugin like BlogVault, because they carry out their backup offsite so as to save your server’s resources, you need to log in to your dashboard and update your URL. Check with other plugins as well if you need to update to HTTPS.

Also, you will prevent or fix mixed content errors, which happen when some resources (scripts, stylesheets, images or videos) are loading over an HTTP connection.
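A check for the mixed content errors described above, as an added example that is not part of the original article: this Python script scans a page's HTML for subresources still requested over http://. The tag list, the active/passive labels (following how browsers commonly treat such content) and the sample page are assumptions made for illustration.

```python
from html.parser import HTMLParser

# Tags that fetch a subresource -> (URL attribute, kind). "active" content can
# rewrite the page and is blocked by browsers; "passive" media is only displayed.
SUBRESOURCES = {
    "script": ("src", "active"),
    "img": ("src", "passive"),
    "video": ("src", "passive"),
}

class MixedContentScanner(HTMLParser):
    """Collect subresources an HTTPS page would still fetch over HTTP."""

    def __init__(self):
        super().__init__()
        self.findings = []  # (line, tag, kind, url)

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        rule = SUBRESOURCES.get(tag)
        # <link> only fetches for stylesheets; rel="canonical" is just metadata.
        if tag == "link" and "stylesheet" in (attrs.get("rel") or "").lower().split():
            rule = ("href", "active")
        if rule is None:
            return  # e.g. <a href="http://...">: a hyperlink, not a subresource
        attr, kind = rule
        url = (attrs.get(attr) or "").strip()
        if url.lower().startswith("http://"):  # "//host/x" inherits https: fine
            self.findings.append((self.getpos()[0], tag, kind, url))

def find_mixed_content(html):
    scanner = MixedContentScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings

# Constructed sample: a page left half-migrated after the HTTP -> HTTPS switch.
SAMPLE = """<html><head>
<link rel="canonical" href="http://example.com/post/">
<link rel="stylesheet" href="http://example.com/wp-content/themes/t/style.css">
<script src="https://example.com/wp-includes/js/jquery.js"></script>
</head><body>
<a href="http://example.com/about/">About</a>
<img src="http://example.com/wp-content/uploads/logo.png">
<script src="//cdn.example.net/widget.js"></script></body></html>"""

if __name__ == "__main__":
    for line, tag, kind, url in find_mixed_content(SAMPLE):
        print(f"line {line}: <{tag}> {kind} mixed content -> {url}")
```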

Conclusion: Is an SSL certificate enough?

An SSL certificate brings a higher level of trust to your website. Transmitted data will be encrypted and therefore, safe from falling into the wrong hands. However, SSL is only one step towards website security. Hackers can still attack your site and find ways to steal data, damage your website, and use your site for malicious activities.

To stay completely protected, you need to install a WordPress Security Plugin like MalCare. It will scan your website regularly to find any suspicious activities and malware on your site. Also, it enables you to clean your website instantly if any hack is present. It also defends your site against malicious traffic and bad bots and prevents them from visiting your site.

With an SSL certificate in place and MalCare installed, you can keep your website and your users safe and your WordPress site won’t be ‘not secure’ anymore.
