Is your WordPress site displaying a “Not Secure” warning in the address bar of your web browser? If so, it’s a critical issue that requires immediate attention. Not only does this warning message indicate potential WordPress security issues, it can erode user trust and adversely affect your site's SEO—potentially leading to a decline in search engine rankings.
This issue is common among WordPress site owners. There are effective ways to resolve it while also upgrading your website's overall security posture. We’ll walk through the causes of the "Not Secure" warning on WordPress sites and provide a step-by-step guide to fix it.
To understand why a WordPress website might display a “Not Secure” warning, you first need to understand the roles of SSL certificates and HTTPS in web security.
Secure Sockets Layer (SSL), more accurately known today as Transport Layer Security (TLS), is a protocol that enables encrypted communication between two machines, such as a web server and a browser. An SSL certificate is a digital certificate that authenticates the identity of a website and establishes this secure, encrypted connection.
HTTPS, standing for "HyperText Transfer Protocol Secure," is the secure version of HTTP—the foundational protocol for data transmission over the internet. The "S" in HTTPS signifies that the connection is secured using SSL/TLS encryption, ensuring that any data transferred between the user and the website remains private and protected from eavesdropping or tampering.
The most common reason a WordPress website displays a "Not Secure" warning is the absence of a valid SSL/TLS certificate to establish a secure connection between the website's server and the user's browser. This issue could arise because the certificate has expired, was configured incorrectly, or was never installed in the first place. Without a valid SSL/TLS certificate, your site's URL will not include the ever-important "S" in "HTTPS," prompting browsers to display a "Not Secure" warning in the address bar.
Another issue that can cause this warning is mixed content. Mixed content occurs when a WordPress site is served over HTTPS, but some resources—such as images, scripts, or stylesheets—are still loaded over an unsecured HTTP connection. This often happens when certain elements, like media files or plugins, reference HTTP URLs instead of HTTPS.
Regardless of the cause, it's important to resolve any "Not Secure" warnings promptly. Search engines like Google prioritize secure websites in their rankings and have confirmed that HTTPS is a ranking factor. Failing to provide a secure connection not only puts users' sensitive information at risk but can also adversely affect your website's SEO.
If a "Not Secure" warning appears in your browser's address bar when you visit your WordPress site, consider following these troubleshooting steps:
If you don’t already have an SSL certificate for your website, or it has recently expired, obtaining a new one is a necessary first step. It’s extremely important to renew an SSL certificate before it reaches expiration.
When choosing an SSL certificate, it's important to select one issued by a trusted Certificate Authority (CA), such as Sectigo. Opting for a certificate from a reputable CA reduces the likelihood of errors and compatibility issues, ensuring that your website's visitors won't encounter security warnings.
You’ll have to determine the type of SSL certificate you need. This depends on factors such as the number of domains or subdomains you want to secure (single-domain, wildcard, or multi-domain certificates), the level of validation required (Domain Validation, Organization Validation, or Extended Validation), and any specific industry compliance standards or security requirements relevant to your website or business.
Once you have obtained an SSL certificate, the next step is to install and deploy the certificate on your web server to secure your WordPress site. The Certificate Authority (CA) from which you obtained the certificate should provide detailed instructions on how to install it on your specific server environment and offer support if needed.
Mixed content occurs when some parts of your site, such as images or scripts, are still served over HTTP instead of HTTPS. This issue can arise even if HTTPS is enabled.
The easiest way to fix mixed content issues is to use plugins like SSL Insecure Content Fixer and Better Search Replace. These plugins will automatically correct mixed content, ensuring all site URLs, stylesheets, and images are served over HTTPS.
You can further improve your site’s security and prevent “Not Secure” warnings by forcing all traffic to HTTPS and updating your site URLs. To force HTTPS, you can open the .htaccess file and add the following code:
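<IfModule mod_rewrite.c>
    RewriteEngine On
    # %{HTTPS} reflects the connection Apache itself sees; it is "off" for plain-HTTP requests.
    # (If TLS is terminated by a proxy or CDN in front of Apache, it is always "off".)
    RewriteCond %{HTTPS} off
    # Permanently (301) redirect to the same host and path over HTTPS.
    RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
</IfModule>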
If you aren’t comfortable editing your server files, you can also use a plugin to help.
You’ll then want to update your site URLs in your database, content, and settings to reflect the new HTTPS URL. You can update site URLs in your settings by changing the WordPress Address (URL) and Site Address (URL) fields. If you have any hardcoded HTTP links in your content or database, you can update these manually or using a plugin such as Better Search Replace.
After installing a valid SSL certificate and fixing mixed content issues, you must verify everything is working correctly. Start by visiting your site to ensure that all pages load over HTTPS. Most browsers show the details of the SSL certificate near the address bar. If any pages show security warnings, you must find the issue causing the warning and address it as soon as possible.
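The certificate part of this check can also be scripted so that an approaching expiry is caught before browsers start warning. The following is an added example, not code from the original article: it connects with Python's default certificate verification (trust chain and hostname, as a browser does) and reports the days left before the served certificate expires. The function names, status labels and 30-day threshold are assumptions.

```python
import socket
import ssl
from datetime import datetime, timezone


def days_until_expiry(not_after, now=None):
    """Whole days before a certificate's notAfter date (negative once expired).

    `not_after` is the string getpeercert() returns, e.g. 'Jun  1 12:00:00 2030 GMT'.
    """
    expires = datetime.fromtimestamp(ssl.cert_time_to_seconds(not_after), timezone.utc)
    now = now or datetime.now(timezone.utc)
    return (expires - now).days


def classify(days_left, warn_days=30):
    # warn_days is an assumed renewal window, not a value from the article
    if days_left < 0:
        return "expired"
    if days_left < warn_days:
        return "renew-now"
    return "ok"


def check_site(host, port=443, timeout=10):
    """Connect the way a browser would and report on the served certificate."""
    ctx = ssl.create_default_context()  # verifies the trust chain and the hostname
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                cert = tls.getpeercert()
    except ssl.SSLCertVerificationError as exc:
        # Expired, self-signed, untrusted issuer or hostname mismatch:
        # the same conditions that make a browser show a warning.
        return ("invalid", exc.verify_message)
    days = days_until_expiry(cert["notAfter"])
    return (classify(days), f"{days} days left")


if __name__ == "__main__":
    import sys
    for host in sys.argv[1:]:  # e.g. python check_cert.py example.com
        print(host, *check_site(host))
```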
While having a valid SSL/TLS certificate on your WordPress site is a critical step to improving your website security, it is only one aspect of a comprehensive security strategy you should put into place.
To fully protect your website from various cyber threats, it's important to implement additional security measures. Once you've resolved the "Not Secure" warning, consider the following steps to further enhance your site's security:
Malware Scanning: Regularly scan your website for malware and vulnerabilities using a reputable security solution like SiteLock.
Web Application Firewall (WAF): Deploy a WAF to monitor and filter incoming traffic, blocking malicious requests and protecting against common attacks such as SQL injection and cross-site scripting (XSS).
Limit Login Attempts: Prevent brute-force attacks by limiting the number of login attempts allowed from a single IP address.
Secure Admin Area: Change the default login URL from /wp-admin to a custom address to reduce the risk of automated attacks.
Maintain Regular Updates: Always run the latest version of WordPress to benefit from recent security patches and improvements.
Update Themes and Plugins: Outdated themes are more likely to be exploited by hackers. Regularly check for updates and remove any themes or plugins that are no longer in use to minimize potential vulnerabilities.
Schedule Backups: Implement a regular backup schedule to ensure that you can restore your site quickly in case of a security breach or data loss.
Monitor Your Site’s Security: Maintaining your WordPress site’s security is an ongoing process that requires regular monitoring. Google Search Console is one helpful tool you can use to monitor both your site’s security and its ranking in Google search results.
Securing your WordPress site is important when it comes to protecting your website, its users, and its search ranking. If you would like to get started using an all-in-one solution for strong WordPress security, SiteLock can help!
With SiteLock’s comprehensive WordPress security packages, you get access to a suite of cutting-edge tools and services, including a web application firewall (WAF), malware removal, vulnerability monitoring, and more.
Don’t let poor security impact your website’s reputation and rankings. Sign up for SiteLock and secure your WordPress website with advanced security solutions that will give you peace of mind.