I know how frustrating it can be when you visit your website and see a big “Not Secure” warning in the browser. It feels like something’s broken—and worse, your visitors can see it too. 😬
That little message can scare people off before they’ve even had a chance to look around. They might leave without reading a word, filling out a form, or making a purchase.
Google shows this warning when your site doesn’t have an SSL certificate. That means your site isn’t using HTTPS, and the browser is letting visitors know their connection might not be private.
Luckily, the fix is straightforward, and I’ll walk you through it step by step. I’ve used the same process on my own websites and helped countless others do the same with WordPress.
🌟Expert Tip: Not confident about fixing errors yourself? Why not leave things to the professionals?
Our team at CanadaCreate offers Emergency WordPress Support Services, available 24/7. We can fix everything from SSL errors to plugin issues at affordable prices for small businesses and website owners.
Why Does Google Show “Not Secure” on Your Website?
When I see the “Not Secure” warning pop up on a site, I know it usually means one thing: the site isn’t fully encrypted. Google shows this warning when a website doesn’t use HTTPS or there’s something wrong with its SSL certificate.
For reference, HTTPS (Hypertext Transfer Protocol Secure) is the secure version of HTTP. It uses something called an SSL/TLS certificate to encrypt the connection between your website and your visitors.
And the Google “Not Secure” message isn’t just a minor warning you can ignore. Most visitors don’t stick around when they see that alert. It signals a lack of trust, and that affects everything from conversions to your search rankings.
Let me walk you through the four most common reasons I’ve seen this warning appear on WordPress websites.
1. Your Website Doesn’t Have an SSL Certificate
SSL certificates encrypt the connection between your website and your visitors. Without one, browsers assume your site is unsafe, because technically, it is. Any data people enter on your site, like personal or credit card details, could be intercepted.
That’s why Chrome and other browsers flash the “Not Secure” warning for sites that still use plain HTTP. I’ve seen this happen to brand-new sites where SSL just wasn’t enabled yet, or even older sites where it was never installed.
2. Your SSL Certificate Is Expired or Invalid
Sometimes the SSL certificate is there, but it’s expired or wasn’t installed properly. This is one of the first things I check when someone asks why their site suddenly shows a warning.
You can usually spot this SSL issue by clicking the padlock (or the missing padlock) in your browser’s address bar.
If there’s a problem, then your hosting provider should be able to help you renew or reinstall the certificate.
3. Your Website Has Mixed Content Issues
Even with a valid SSL certificate, your site can still show as “Not Secure” if it’s loading some content over HTTP. I’ve seen this a lot when people switch their site to HTTPS but forget to update old links to images, scripts, or stylesheets.
This situation, termed mixed content, is problematic for browsers. Correcting it involves updating insecure URLs to ensure all content loads via HTTPS, a process detailed later.
4. WordPress Settings Contain HTTP URLs
Always verify the site URL settings within WordPress. If theWordPress Address or Site Addressremains set to HTTP, your site could still display security warnings despite a functioning SSL certificate.
Access these settings underSettings » Generalin your WordPress dashboard. Change both URLs to HTTPS to ensure secure loading on every page. Further instructions are provided later.
Having discussed the causes of the “Not Secure” warning, let’s explore how to resolve it and prevent its recurrence.
How to Fix the “Not Secure” Warning in Google Chrome
Encountering the “Not Secure” warning on your site can be unsettling, as it undermines visitor trust.
Fortunately, the solution is generally straightforward, involving enabling an SSL certificate, adjusting WordPress settings, or addressing mixed content issues.
Based on my experience troubleshooting numerous sites, I will guide you through the necessary steps to secure your site and eliminate the warning permanently.
The steps covered are as follows:
- Step 1. Get a Free SSL Certificate for Your Website
- Step 2. Update Your WordPress URLs to Use HTTPS
- Step 3. Fix Mixed Content Issues in WordPress
- Step 4. Set Up an HTTP to HTTPS Redirect in WordPress
- Step 5: Evaluate Your SSL Configuration for Potential Security Flaws
- Assure a Secure Experience for Each Visitor
- Additional Resources
Step 1. Get a Free SSL Certificate for Your Website
The initial step in resolving a “Not Secure” warning involves verifying the presence of an SSL certificate. This security component encrypts data transferred between your website and its users, facilitating HTTPS.
Previously, SSL certificates were often costly. Although some providers still charge high prices, complimentary options exist, particularly beneficial for new websites.
Many WordPress hosting providers now include free SSL certificates in their packages. I’ve utilized this feature across numerous sites, and in the majority of instances, activation is a simple process involving just a few clicks within your hosting control panel.
If you’re using Bluehost, just log in to your account and head to your website settings. Then click the ‘Security’ tab.
Here, you’ll find the option to activate the free SSL certificate. Simply enable it, and the process is complete.
Note:The preceding screenshots illustrate the Bluehost interface. The layout may vary slightly if you’re using a different hosting provider, but the SSL configuration is generally located within the security area.
For hosts that use cPanel, you’ll need to launch it from your hosting dashboard. Scroll down to the ‘Security’ tab and click on the SSL/TLS icon.
And if your host doesn’t offer free SSL, don’t worry—you can still get one through Let’s Encrypt.
For a comprehensive walkthrough, see: How to Add Free SSL in WordPress with Let’s Encrypt.
Step 2. Update Your WordPress URLs to Use HTTPS
If your WordPress settings are incorrect, your website might display a “Not Secure” warning, even after SSL installation. Correct this by updating your site’s URL.
Navigate to theSettings » Generalsection within your WordPress admin panel.
Then, make sure both the ‘WordPress Address (URL)’ and ‘Site Address (URL)’ fields use https://rather thanhttp://.
Remember to save your changes.
WordPress will now utilize https:// for all website URLs. However, some HTTP URLs may still reside in your database, potentially causing future problems.
I will now guide you through resolving these URLs.
Step 3. Fix Mixed Content Issues in WordPress
Mixed content, where certain elements load via HTTP (insecure), triggers the ‘Not Secure’ warning.
Typically, these URLs are embedded in your WordPress database, often by your theme or plugins. You might also find http:// URLs within your content.
To resolve this, employ a search and replace plugin to locate and replace http URLs with https://. Search & Replace Everything is an excellent choice.
I prefer Search and Replace Everything due to its speed, efficiency, and beginner-friendly interface.
Tip💡: There is also a free version of Search & Replace Everything that you can use.
First, you need to install and activate the Search and Replace Everything plugin. For details, you can see this guide on how to install WordPress plugins.
Upon plugin activation, go to the Tools » WP Search & Replace page to start using the plugin.
In the ‘Search for’ field you need to enter http:// and in the ‘Replace with’ field add https://.
After that, you need to click on ‘Select All’ to ensure all tables in your WordPress database are included in the search.
Finally, click on the ‘Preview Search & Replace’ button.
The plugin will then perform the search and show you a preview of the results. This allows you to review the data before it is permanently changed.
Carefully review the results, and once you are satisfied, click on the ‘Replace All’ button.
The plugin will then make changes to your WordPress database and replace all HTTP URLs with HTTPS.
For more details, see this guide on how to fix the mixed content error in WordPress.
Step 4. Set Up an HTTP to HTTPS Redirect in WordPress
After switching a site to HTTPS, one of the steps I never skip is setting up a redirect from HTTP to HTTPS. Without it, people might still land on the insecure version of your site through old links or bookmarks.
The most reliable way to fix this is by adding a redirect rule to your .htaccess file. Here’s the snippet I use on most WordPress websites:
RewriteEngine On
RewriteCond %{HTTPS} !=on
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
Refer to this guide for detailed instructions on fixing the WordPress .htaccess file.
If your site uses Nginx instead of Apache, you’ll need a different redirect setup.
Instead of editing a .htaccess file, you’ll need to update your Nginx configuration.
Here’s the code I would add to redirect all HTTP traffic to HTTPS in Nginx:
server { listen 80; server_name yoursite.com www.yoursite.com; return 301 https://yoursite.com$request_uri;
}
You’ll want to place this block above the existing HTTPS server block in your site’s Nginx config file—usually found in /etc/nginx/sites-available/ or /etc/nginx/conf.d/.
After adding the redirect, remember to reload Nginx so the changes take effect:
sudo nginx -s reload
If you’re unsure where to make these changes, contact your hosting provider for assistance.
Step 5. Test Your SSL Setup for Security Issues
After implementing the changes, test your website to confirm that everything functions as it should.
To verify your certificate and site security, utilize the SSL Labs SSL Test. Input your domain name to assess its SSL implementation.
‘Why No Padlock?’ is another tool frequently used. Its strength lies in explaining issues clearly, making it suitable for those new to SSL.
Also, access your site via Incognito mode. If the “Not Secure” alert persists, clear your WordPress cache or allow some minutes for the updates to propagate.
Ensure Your Site Projects Safety to All Visitors
A browser warning can deter site visitors. The most significant consequence is eroding the confidence of your site’s users and customers.
I trust this guide has assisted you in fully securing your WordPress site with HTTPS, eliminating any visitor hesitations about trusting it.
Additional Resources
I consistently adhere to this WordPress security guide across all websites I manage. This structured guide presents a straightforward plan for properly securing your WordPress website.
Here are some extra resources that you might find beneficial:
- How to Renew SSL Certificate (Step by Step for Beginners)
- TLS vs SSL: Which Protocol Should You Use for WordPress?
- Ecommerce Security Tips: How to Secure Your WordPress Store
- How to Add HTTP Security Headers in WordPress (Beginner’s Guide)
- Most Common WordPress Errors and How to Fix Them
If you liked this article, then please subscribe to our YouTube Channel for WordPress video tutorials. You can also find us on Twitter and Facebook.
