Website Says Not Secure? 4 Steps to Fix It

Kyung Y.

As a website owner, seeing a "not secure" warning in your browser's address bar is the last thing you need. Not only does it look unprofessional, but it means your website is potentially putting your visitors at risk.

Why does your website say "not secure?" We'll provide a simple four-step process to find the cause - and fix it.


Why Does My Website Say "Not Secure"?

Getting a "Not Secure" in your browser's address bar essentially means: "Warning! Enter data on this webpage at your own risk!"

Without an SSL/TLS certificate installed, your website is using regular old HTTP protocol instead of encrypted HTTPS. That means hackers could potentially read any data transmitted between the website and visitors.

An SSL/TLS certificate encrypts data flow using complex algorithms to scramble information. Think of it like sending a letter - the SSL/TLS envelope keeps prying eyes from reading it in transit.

Your Connection Is Not Secure Screenshot

The "Not Secure" warning appears like this in users' browser bar:

Secure and not secure browser warnings

Getting this warning certainly doesn't inspire confidence, especially from a customer's perspective. Browser warnings can make your website appear untrustworthy. As a result, potential customers may be deterred from visiting your website or completing transactions.

Fewer visitors leads to fewer sales. Over time, this can seriously impact your business.

HTTPS vs HTTP

To understand the risks of an unsecured site, it helps to first explain the difference between HTTP and HTTPS.

HTTP stands for Hypertext Transfer Protocol. It's the underlying protocol that defines how web browsers and servers communicate. When you access a website with HTTP, any data transferred between your computer and the server is sent in plain text format.

HTTPS stands for Hypertext Transfer Protocol Secure. It is the same protocol carried over a TLS connection: the site's SSL/TLS certificate lets the browser verify the server and set up encryption for the data flow, which prevents hackers from reading sensitive information, like usernames, passwords, and credit card details.

In short, HTTPS protects data in transit between the visitor and your server, while HTTP does not.

For a more in-depth look at how SSL and TLS encryption work, check out our piece on SSL vs TLS.

http vs https shows how information travels between a customer and a web server. With https, it is encrypted with an SSL key in transit.

How Do I Fix the “Not Secure” Connection Indicator?

If you’ve come across the "not secure" indicator on your website and you would like to resolve it, follow these step-by-step instructions to fix it:

Step 1: Install an SSL/TLS Certificate

Since the root cause of the "not secure" warning is a lack of encryption, installing an SSL/TLS certificate is the first step toward fixing the issue.

There are a few ways of obtaining an SSL/TLS certificate:

From Your Web Host

The easiest option for obtaining an SSL/TLS certificate is through your web hosting provider. Many hosts include free SSL/TLS certificates with their paid hosting plans. (You can find out which ones in our list of best web host services for features.)

Installation is as simple as contacting their chat support and requesting activation on your account. The entire process usually takes only a few minutes.

From a Third-Party

You can also purchase SSL/TLS certificates from trusted third-party Certificate Authorities (CAs). Some big names in this field are Symantec, GeoTrust, and Sectigo (formerly Comodo).

Installing these certificates can be a bit tricky. The process might differ depending on your web host, although most hosts provide guidelines to help. It often involves filling out a form with your website's info and adding some code to your website's .htaccess file.

If you're not comfortable coding or tweaking your website's settings, consider asking a developer or your web hosting provider for help.

With a WordPress Plugin

If you built your website on WordPress, you can use plugins to simplify SSL/TLS installation and management. For example, plugins like Really Simple SSL can help configure your site to use HTTPS and ensure proper redirects. If you're using a free certificate from Let’s Encrypt, you’ll need a tool like Certbot or a hosting provider that automates the certificate issuance and renewal process.

  1. Go to your WordPress dashboard.
  2. Find the "plugins" tab.
  3. Search for the plugin you want to use (e.g., Really Simple SSL).
  4. Click "Install".
  5. Once it's installed, click "Activate."

After you install your SSL/TLS certificate, most of your website should be secure. However, some links, images, videos, stylesheets, and scripts - especially on older pages - may still use HTTP instead of HTTPS. These are known as mixed content issues, which can weaken the security of your entire page.

Modern browsers often block or downgrade insecure HTTP requests to protect users. Here's how to ensure all internal and external links are updated to HTTPS:

Common Areas to Check for HTTP Links

  1. HTML Files: Links in your website's content, such as <a> tags, <img> tags, and <script> tags.
  2. Stylesheets (CSS): Ensure any @import rules or external CSS files are loaded using HTTPS.
  3. Scripts and Libraries: Verify JavaScript files or external libraries (such as jQuery) are using HTTPS.
  4. Embedded Content: Check iframe embeds or third-party integrations.
  5. CMS Configuration: For WordPress or other CMS platforms:
       • Update the Site URL and Home URL settings to HTTPS (usually found in the CMS settings).
       • Ensure sitemaps and robots.txt files are updated to use HTTPS URLs.

Tools to Automate the Process

  1. Use search-and-replace tools to update all HTTP links to HTTPS. For WordPress, plugins like Better Search Replace or Really Simple SSL can handle this automatically.
  2. Use an SSL/TLS checker to identify insecure links or resources.
  3. Use SEO software or website auditing tools to scan for mixed content issues. Many tools will generate reports that highlight insecure resources.
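
One way to run the checks listed above over a saved page, as an added example that is not from the original article: a small Python scanner that separates subresource loads (scripts, iframes, stylesheets, media, CSS `url()` and `@import`) from plain links. The `scan` function, the category names and the sample page are assumptions made for illustration.

```python
import re
from html.parser import HTMLParser

# (tag, attribute) -> category. "link" is navigation only, not a subresource load.
CATEGORY = {("script", "src"): "active", ("iframe", "src"): "active",
            ("img", "src"): "passive", ("video", "src"): "passive",
            ("audio", "src"): "passive", ("a", "href"): "link"}
CSS_HTTP = re.compile(r"""(?:@import\s+|url\(\s*)['"]?(http://[^'")\s;]+)""", re.I)

class MixedContentScanner(HTMLParser):
    """Collects (category, tag, url) for each http:// reference in a page."""
    def __init__(self):
        super().__init__()
        self.findings, self._in_style = [], False

    def _scan_css(self, css, tag):
        self.findings += [("css", tag, url) for url in CSS_HTTP.findall(css)]

    def handle_starttag(self, tag, attrs):
        self._in_style = tag == "style"
        attrs = {name: (value or "").strip() for name, value in attrs}
        self._scan_css(attrs.get("style", ""), tag)       # inline style="" attribute
        for name, value in attrs.items():
            category = CATEGORY.get((tag, name))
            if (tag, name) == ("link", "href"):   # only rel=stylesheet loads a resource
                category = "active" if "stylesheet" in attrs.get("rel", "").lower() else "link"
            if category and value.lower().startswith("http://"):
                self.findings.append((category, tag, value))

    def handle_endtag(self, tag):
        self._in_style = False

    def handle_data(self, data):
        if self._in_style:                                # body of a <style> block
            self._scan_css(data, "style")

def scan(html):
    scanner = MixedContentScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings

# Constructed sample page, not taken from the article.
SAMPLE = """<link rel="stylesheet" href="http://cdn.example.com/site.css">
<link rel="canonical" href="http://example.com/page">
<script src="https://code.example.com/lib.js"></script>
<style>body { background: url(http://example.com/bg.png); }</style>
<img src="http://example.com/logo.png">
<a href="http://example.com/old-post">Old post</a>"""
```

Calling `scan(SAMPLE)` returns one tuple per HTTP reference; fix the "active" and "css" entries first, since those are the loads most likely to break the page once it is served over HTTPS.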

Redirects and Server Configuration

You’ll need to set up redirects to ensure users and search engines are automatically sent to the secure version of your site. For most web hosts, this can be done using .htaccess (Apache servers) or server block configuration (Nginx servers).

Here’s some code you can copy and paste into the configuration files:

For Apache (.htaccess):

# Redirect every plain-HTTP request to the same host and path over HTTPS
RewriteEngine On
RewriteCond %{HTTPS} !=on
RewriteRule ^(.*)$ https://%{HTTP_HOST}/$1 [R=301,L]

For Nginx:

server {
    listen 80;
    server_name yourdomain.com www.yourdomain.com;
    # Send a permanent redirect to the same host and path over HTTPS
    return 301 https://$host$request_uri;
}
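
To confirm either rule is live, request a page over plain HTTP and inspect the response without following it. This Python check is an added example, not part of the original article; the function names and sample responses are constructed, and example.com stands in for your domain.

```python
import http.client
from urllib.parse import urlsplit


def check_redirect(http_url, status, location):
    """Return the problems found in the response to a plain-HTTP request."""
    problems = []
    if status != 301:
        problems.append(f"expected 301, got {status}")
    if not location:
        return problems + ["no Location header"]
    src, dst = urlsplit(http_url), urlsplit(location)
    if dst.scheme != "https":
        problems.append("target is not https")
    if dst.hostname != src.hostname:
        # Both rules above reuse the requested host, so a change is unexpected.
        problems.append(f"host changed to {dst.hostname}")
    if (dst.path or "/", dst.query) != (src.path or "/", src.query):
        problems.append("path or query not preserved")
    return problems


def fetch_redirect(http_url, timeout=5):
    """Send one HEAD request without following redirects: (status, Location)."""
    parts = urlsplit(http_url)
    target = (parts.path or "/") + (f"?{parts.query}" if parts.query else "")
    conn = http.client.HTTPConnection(parts.hostname, parts.port or 80, timeout=timeout)
    try:
        conn.request("HEAD", target)
        response = conn.getresponse()
        return response.status, response.getheader("Location")
    finally:
        conn.close()


# Constructed responses to SAMPLE_URL, as (status, Location) pairs.
SAMPLE_URL = "http://example.com/shop?item=42"
SAMPLE_RESPONSES = [
    (301, "https://example.com/shop?item=42"),   # what the rules should produce
    (302, "https://example.com/shop?item=42"),   # temporary instead of permanent
    (301, "https://example.com/"),               # path and query dropped
    (200, None),                                 # no redirect at all
]

if __name__ == "__main__":
    for status, location in SAMPLE_RESPONSES:
        print(status, location, check_redirect(SAMPLE_URL, status, location) or "OK")
```

Against a live site, pass the result of `fetch_redirect(url)` to `check_redirect`; an empty list means the redirect behaves as configured.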

Ongoing Maintenance

It's possible for mixed content issues to pop up here and there over time. So, regularly check your website for mixed content issues after making updates or adding new content. You can also add this step to your website maintenance plan to ensure all future links and resources remain secure.

Step 3: Confirm You Are Tracking HTTPS in Google Search Console

Google treats HTTP and HTTPS sites as separate entities, so you’ll need to add your HTTPS version as a new property in Search Console. Then, make sure all canonical tags and sitemaps reflect the HTTPS URLs to avoid indexing issues.

Once set up, check to make sure no HTTP pages are indexed using the HTTP report in the Experience menu under HTTPS. Verify that canonical tags across your site point to the HTTPS version and update your sitemap to include only HTTPS URLs. This will ensure that search engines prioritize the secure version of your site to help avoid indexing problems.

Indexing Report Google Search Console shows HTTPS pages and whether any HTTP pages are indexed

Step 4: Generate a New XML Sitemap

Finally, you might need a new XML sitemap file that includes all your updated HTTPS URLs. Since, as we mentioned, Google treats HTTP and HTTPS versions as separate properties, you want to make sure the file has the most up-to-date information.

You can use your web host's online tools or WordPress plugins to generate a new XML sitemap. Once created, submit the sitemap to Google Search Console by going to the Sitemaps menu. This allows Googlebot to discover, crawl, and index the new secure site. If you have an old HTTP sitemap in Search Console and your pages have all been redirected, it's fine to remove it.
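
If you maintain the sitemap file yourself rather than through a plugin, the HTTP entries can be rewritten in place and anything that cannot be safely upgraded listed for review. This Python sketch is an added example, not from the original article; `upgrade_sitemap`, the sample sitemap and the example.com host are assumptions.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit, urlunsplit

SITEMAP_NS = "http://www.sitemaps.org/schemas/sitemap/0.9"
ET.register_namespace("", SITEMAP_NS)   # keep the output free of ns0: prefixes


def upgrade_sitemap(xml_text, site_host):
    """Rewrite http:// <loc> entries for site_host to https://.

    Returns (new_xml, rewritten, flagged). flagged lists <loc> values that are
    still not HTTPS afterwards (other hosts, explicit ports) for manual review.
    """
    root = ET.fromstring(xml_text)
    rewritten, flagged = [], []
    # <loc> sits under <url> in a urlset and under <sitemap> in a sitemap index.
    for loc in root.iter(f"{{{SITEMAP_NS}}}loc"):
        url = (loc.text or "").strip()
        parts = urlsplit(url)
        same_site = parts.hostname == site_host and parts.port is None
        if parts.scheme == "http" and same_site:
            loc.text = urlunsplit(parts._replace(scheme="https"))
            rewritten.append(url)
        elif parts.scheme != "https":
            flagged.append(url)
    return ET.tostring(root, encoding="unicode"), rewritten, flagged


# Constructed sample sitemap, not taken from the article.
SAMPLE = """<urlset xmlns="http://www.sitemaps.org/schemas/sitemap/0.9">
  <url><loc>http://example.com/</loc></url>
  <url><loc>https://example.com/about</loc></url>
  <url><loc>http://example.com/blog?page=2</loc></url>
  <url><loc>http://example.com:8080/preview</loc></url>
  <url><loc>http://cdn.example.net/file.pdf</loc></url>
</urlset>"""

if __name__ == "__main__":
    new_xml, rewritten, flagged = upgrade_sitemap(SAMPLE, "example.com")
    print(new_xml)
    print("rewritten:", rewritten)
    print("review by hand:", flagged)
```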

Keep Your Website Secure

If your website says "not secure," one key reason is that you don't have an SSL/TLS certificate. Among the many web hosting features you need to have, an SSL/TLS certificate is essential. The good news is many providers include it for free with their hosting plans, along with guidance for a secure setup.

If you're ready to find a host that offers free SSL/TLS certificates and meets all your other needs, take a look at Softailed's Best Picks for web hosting. We've done the legwork to help you find the perfect host quickly and without much hassle.

FAQs on How to Fix “This Site Is Not Secure” Warning

How do I get an SSL/TLS certificate for my website?

The easiest way is to choose a web host that includes free SSL/TLS certificates with their paid hosting plans. Softailed makes it simple to compare hosts and find hosts that provide SSL/TLS certificates. In fact, it’s one of the features we filter for in our list of best web hosting providers.

You can also purchase SSL/TLS certificates from trusted third-party Certificate Authorities (CAs).

What should I do if my SSL/TLS certificate expires?

If your browser shows an expired certificate warning, the first step is to contact your web host and request renewal. If they cannot renew it, you'll need to purchase and install a new certificate.

This may cause brief downtime during the installation and verification process. Be sure to check your email as most web hosts send renewal reminders in advance to avoid this headache.

Most hosting providers enable auto-renewal by default to avoid downtime. Changing that to manual renewal could cause a brief service interruption.

Is it safe to use a non-secure website?

Generally, no. Websites without SSL/TLS encryption transmit data in plain text, making it vulnerable to interception by attackers.

To protect user information and improve SEO, implementing SSL/TLS encryption is critical before collecting any visitor data.

Why does Chrome say "Not secure" when my certificate is valid?

There are a few reasons Chrome may show a false warning:

  • Mixed content issues where HTTP and HTTPS resources are combined
  • Expired or incorrect intermediate certificates
  • Outdated browser cache (try clearing it)
  • Google security flag based on past website issues
  • Server-side configuration issues, such as outdated protocols (e.g., TLS 1.0, 1.1), that may not meet modern browser security requirements.

Complex root causes like these will require deeper investigation. Sometimes, you may need professional help to resolve the issue.

Is having an SSL/TLS certificate good for SEO?

According to John Mueller, Senior Search Analyst at Google, having an SSL/TLS certificate is considered a "lightweight SEO ranking factor". That means it has a relatively small direct effect on your search engine rankings. However, its impact on the visitor experience is more significant.

When users are greeted with a "not secure" warning when visiting your website, they are less likely to stick around or return. This decreased user engagement and trust can indirectly harm your SEO efforts over time.


Software engineer with a weakness for collecting too much data. I live for web hosting and cloud computing. If I’m not online, I like to go fishing and create weird things with my 3D printer.