Have you logged into your dashboard and received a WordPress site is not secure warning? Or more likely you see a padlock or warning somewhere, typically in your browser’s address bar.
If you use Firefox, you might see something like this:
If you use Chrome, you might see something like this:
Either one of those will have an additional message if you dig a bit deeper.
Again, depending on your browser, it will say something like this: "Your connection to this site is not secure. You should not enter any sensitive information on this site (for example, passwords, credit cards)."
In brief, depending on their browser, these are some of the messages your visitors may see.
- “Your connection to this site is not secure”
- “Your connection is not private”
- “Your connection is not secure”
- “Site security certificate is not trusted”
These are not messages you want your site visitors to be greeted with, especially if you have an eCommerce site. The whole purpose of your business is to have someone buy something, so a popup telling them it would be dangerous to enter their credit card info could kill your business.
Table of Contents
- How to Fix a WordPress Site is Not Secured Warning
- Before Dealing with a Site Not Secure Warning, Backup Your Site
- WordPress Site is Not Secure Fix: Step One – Choose an SSL Certificate
- WordPress Site is Not Secure Fix: Step Two: Install Your SSL Certificate
- WordPress Site is Not Secure Fix: Step Three: SSL Certificate Verification
- WordPress Site is not Secure but You Have an SSL Certificate
- A Few Final Steps
Why Am I Getting a WordPress Site is Not Secured Warning?
First, let’s address why you’re getting this warning in the first place. Then we can dig in a little deeper and I’ll share with you everything you need to know to get your site back on track—and safe for your visitors.
There are some that will tell you that the website insecure message isn’t that important if you’re not selling something. Don’t listen to them. Many search engines, and most assuredly Google, don’t like insecure sites. And when Google doesn’t like something, it drops you down in the rankings.
So fixing a WordPress website is not secure warning is important. Actually, any site not secure warning should be dealt with. This information applies to all websites, not just WordPress. Security best practices are in place for everyone.
The problem? Your website doesn’t have an SSL certificate installed.
Read on and I’ll explain what an SSL certificate is and how to install one on your site. Don’t worry, it’s not that difficult and the only thing it will cost you is a little bit of time.
And while the typical reason for this warning is the lack of SSL, there are other reasons too. In some cases, the site not secure message is due to images, so I’ll cover that as well.
By the time you’re done, your site will be safe. Your visitors and their data will be safe as well.
First of all, it’s a good idea to see if you already have an SSL certificate installed. Many hosting companies offer them for free, so they are part of the initial setup when your site goes live.
If you’re using Firefox, open up a Private Browser window. If you’re using Chrome, use the incognito window. Then use your site URL to check for an SSL.
Your site URL is www.yourdomainname.com. Just add an https:// before that. So you’ll end up with https://www.yourdomainname.com.
That S added onto http means that the connection to a website is secured.
This simple step tells your browser to attempt to connect to a version of your site that has been secured. Assuming there is a secure version, you will see a “connection is secure” message.
If you’d prefer to diagnose things a little more, you could use a service to check your SSL. You simply type in your site URL and they will run a wizard.
If you get a message saying your site has been secured, you know your SSL certificate is working and the install step is unnecessary. But that also means you’re going to have to do some further digging to see why your site has been flagged with a site is not secure warning.
If so, see the heading WordPress Site is not Secure but You Have an SSL Certificate below.
However, before you go any further, there is an important step to take.
Anytime you set out to make changes or fix things on your WordPress website, it’s a very good practice to get a full backup first. Because it will be the one time you fail to do this that something goes wrong, and you end up with a bigger problem than what you started with.
WordPress has a huge selection of backup plugins, so I’m not going to recommend one. If you go to wordpress.org and select plugins from the menu, you can do a search. Here’s an idea of what you can find, but there are many more to choose from.
This way, if something goes wrong, you can easily restore your site.
Once you’ve got that step out of the way, and your backup saved, you’re ready to install an SSL certificate or do whatever else might be necessary to remove the site not secure warning.
If you’ve determined from the above test that your site lacks an SSL certificate, I’ll walk you through the install process.
Here’s a quick preview of what you’ll need to do.
- Choose an appropriate SSL certificate
- Install your certificate
- SSL certificate verification
First, there are a few options on where to obtain a certificate. If you don’t have one already, your web host probably doesn’t supply a free one, but that might not be the case.
SSL Certificate Options
Check with your web host to see if they offer a WordPress SSL certificate—often Let’s Encrypt—as part of your hosting package and if they have instructions on how to add it to your site.
Here’s a list of web hosts that do:
- A2 Hosting
- InMotion Hosting
- WP Engine
If you need to purchase a certificate, they can be found for under $10 per year up to $100s per year. Here are a few of the cheaper options.
- Comodo SSL
- Namecheap SSL
And finally, there is a free version for your WordPress site.
- Let’s Encrypt
Now you’re ready to install.
The following instructions will be based on installing a free certificate from Let’s Encrypt.
If you’re fortunate, your host will support this. The above list isn’t exhaustive, so go to your cPanel and check for Let’s Encrypt.
Access your cPanel and find Let’s Encrypt under the Security section
Click on Let’s Encrypt. This will take you to a list of your domains. If you have more than one domain, choose the one you’re working on right now, and then select Issue.
In the next step, you need to choose the addon aliases you want to be included in the certificate. Depending on the way your host adds subdomains or addon domains, there may be names you want to exclude. If you have an email address attached to this domain, make sure you include the mail.yourdomainname.com item.
From there, click the Issue button at the bottom of the page.
If all the steps above went as planned, you should get a message that looks something like this.
From there, if you use the Go Back button, you should see your site listed and the verification status showing as installed.
Note that depending on the version of cPanel your host is using, the above images might not match your site. There is also the chance that your host doesn’t use cPanel as its control panel. If so, and assuming they offer Let’s Encrypt, the setup steps will be slightly different.
Next, you will need to change your URL in the address bar. Just as you did before when testing to see if you had a certificate installed, add https:// to the front of your domain name and hit enter. If everything is working as it should, you will be logged out of your WordPress site and have to log back in again.
At this point, assuming you are using Firefox, when you hover over the padlock you should see Verified by: Let’s Encrypt. If you are using Chrome, you’ll have to click on the padlock and you should see a message saying Connection is Secure in a green font.
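The same verification can be scripted rather than read off the padlock. The following is an added example, not part of the original article: it checks the issuer, the days left before expiry, and whether every name you selected (such as the mail. alias) is on the certificate. The function names and the sample certificate are assumptions made for illustration.

```python
import socket
import ssl
from datetime import datetime, timezone

def fetch_cert(host, port=443, timeout=10):
    """Return the validated certificate. Raises ssl.SSLCertVerificationError in
    the cases a browser would flag: expired, untrusted issuer, wrong hostname."""
    ctx = ssl.create_default_context()  # verifies the chain and the hostname
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()

def summarize(cert, wanted_names, now=None):
    """Report issuer, remaining validity and which wanted names are not covered."""
    now = now or datetime.now(timezone.utc)
    issuer = dict(pair for rdn in cert["issuer"] for pair in rdn)
    expires = datetime.fromtimestamp(
        ssl.cert_time_to_seconds(cert["notAfter"]), timezone.utc)
    # Exact-match comparison only; wildcard entries are not expanded here.
    covered = {v.lower() for k, v in cert.get("subjectAltName", ()) if k == "DNS"}
    return {
        "issuer": issuer.get("organizationName"),
        "days_left": (expires - now).days,
        "missing": sorted(n for n in wanted_names if n.lower() not in covered),
    }

# Constructed sample in the shape ssl.getpeercert() returns (not a real certificate).
SAMPLE_CERT = {
    "issuer": ((("countryName", "US"),),
               (("organizationName", "Let's Encrypt"),),
               (("commonName", "R3"),)),
    "notAfter": "Sep 28 12:00:00 2025 GMT",
    "subjectAltName": (("DNS", "yourdomainname.com"),
                       ("DNS", "www.yourdomainname.com")),
}
SAMPLE_NOW = datetime(2025, 8, 29, 12, 0, tzinfo=timezone.utc)
WANTED = ["www.yourdomainname.com", "mail.yourdomainname.com"]

if __name__ == "__main__":
    print(summarize(SAMPLE_CERT, WANTED, now=SAMPLE_NOW))
    # Live check against your own site:
    # print(summarize(fetch_cert("www.yourdomainname.com"), WANTED))
```

A non-empty `missing` list means a name was left out when the certificate was issued, so visitors or mail clients using that name will still get a warning.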
But what if you’ve already installed and verified that you have an SSL certificate on your website and you’re still getting a WordPress site is not secure warning?
Then there is a good chance you are dealing with a mixed content issue.
In some cases, after setting up an SSL on your site you may get a WordPress site is not secure message on images. What does that mean and why does it happen?
A mixed content warning simply means that some of your images or other content are being served via unsecured (http://) URLs while the rest is being served via secured (https://) URLs.
You have a combination of URLs like this:
Some images are secure, some aren’t. This equals mixed content. But don’t panic, this is a fairly common WordPress security issue. All of these pages can be fixed manually, but it does involve accessing the database through phpMyAdmin and changing the URLs.
My recommendation is to use a WordPress plugin to do this bit of site maintenance. And just like before, I’m recommending you do a full backup of your site, including your databases. It’s especially important this time around.
There are a few options in the WordPress plugin repository, but here’s one you can pick. SSL Mixed Content Fix.
Using this plugin should fix any mixed content warnings without you going to a lot of work. Assuming your site just needs a simple fix, which most do, the plugin’s default settings will automatically scan your site and make the necessary basic changes.
If the plugin’s Simple fix level identifies some warnings it couldn’t fix, all is not lost. The plugin has a suite of tools that can help diagnose the problems.
Still want to tackle your WordPress site is not secure mixed content warnings yourself? Don’t forget to back up first!
- Find your HTTP URLs. Go to WhyNoPadlock.com and use it to make a list of all your HTTP URLs.
- Use the Better Search Replace Plugin. This plugin will help you find and replace all the HTTP URLs you found and listed in the last step.
One at a time, you will need to enter each HTTP URL in the Search For field and then again in the Replace with field, except be sure to enter the URL with HTTPS in the Replace with field.
As you can guess, even with a plugin helping you do the manual fix, this could still be a long and tedious process, especially if you have a large amount of mixed content.
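One caveat if you do the replacement by hand in phpMyAdmin: WordPress stores some settings as PHP-serialized strings, where each string carries its byte length, and turning http:// into https:// adds one byte per URL. The following is an added example, not part of the original article, showing how a plain text replace corrupts such a value and how a length-aware replace avoids it; the function names and the sample row are constructed for illustration.

```python
import re

STRING_TOKEN = re.compile(rb's:(\d+):"')

def php_str(value: bytes) -> bytes:
    """Serialize one PHP string as s:<byte length>:"<bytes>";"""
    return b's:%d:"%s";' % (len(value), value)

def replace_in_serialized(data: bytes, old: bytes, new: bytes) -> bytes:
    """Replace old with new inside every string token and recompute its length."""
    out, i = bytearray(), 0
    while i < len(data):
        m = STRING_TOKEN.match(data, i)
        end = m.end() + int(m.group(1)) if m else -1
        if m and data[end:end + 2] == b'";':
            out += php_str(data[m.end():end].replace(old, new))
            i = end + 2
        else:
            out += data[i:i + 1]  # structural byte (a:2:{ , i:300; , }) copied as-is
            i += 1
    return bytes(out)

def lengths_consistent(data: bytes) -> bool:
    """True if every s:N:"..." token is followed by exactly N bytes and '";'."""
    i = 0
    while i < len(data):
        m = STRING_TOKEN.match(data, i)
        if not m:
            i += 1
            continue
        end = m.end() + int(m.group(1))
        if data[end:end + 2] != b'";':
            return False  # PHP's unserialize() would reject this value
        i = end + 2
    return True

# Constructed sample of a serialized option value holding an image URL.
OLD = b"http://www.yourdomainname.com"
NEW = b"https://www.yourdomainname.com"
ROW = (b"a:2:{" + php_str(b"logo") + php_str(OLD + b"/wp-content/uploads/logo.png")
       + php_str(b"width") + b"i:300;}")

if __name__ == "__main__":
    print("plain replace OK?       ", lengths_consistent(ROW.replace(OLD, NEW)))
    print("length-aware replace OK?", lengths_consistent(replace_in_serialized(ROW, OLD, NEW)))
```

This sketch does not handle serialized data nested inside another serialized string, so treat it as an illustration of the problem rather than a migration tool.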
It’s much quicker, not to mention safe, to go with the option I mentioned first. The SSL Mixed Content Fix plugin.
By this time you should have cleared up anything that would have caused a WordPress site is not secure warning. But you want to let Google know that you’ve made the necessary changes.
Remember, sites that have not secure warnings aren’t ranked well in Google and other search engines, so you want to let them know about the change. If you don’t, you could find your traffic impacted since Google could continue to collect data from your old HTTP URL.
Head to your Google Search Console and add the appropriate property using HTTPS.
Your sitemaps will need to be updated as well since they will still have your HTTP URLs. Make all the necessary changes and resubmit when you’re done.
And if you have Google Analytics set up, you’ll want to make a change there too. Assuming you have it linked to your search console, go to your Property Settings, choose Default URL, and from the dropdown select https://.
And you are done!
This may seem like it’s a lot of work for one little warning that says your WordPress site is not secure. And that may be so. But the advantage is added WordPress security. For you and for your visitors. And if you have an eCommerce site, this is critical.
And Google will probably show you a bit more love and provide you with a bit more SEO traffic. So it’s a win for you all around.
What are you waiting for? Now that you know why your WordPress site is not secure, it’s time to fix it!