Is your WordPress site displaying a "Not Secure" warning? Are you seeing this warning across various pages on your WordPress site? This is a common yet critical issue that can be alarming for both you and your site's visitors, impacting your site's search engine rankings. So, how can you address this warning and enhance your site's security?
The solution to this problem is straightforward. You need to set up an SSL certificate on your site, whether by installing a new one, properly configuring the existing certificate, or renewing it if it has expired. If this process seems unfamiliar, don't worry. In this article, we'll guide you on how to eliminate the "Not Secure" warning on your WordPress site.
Why is your WordPress site not secure?
The 'Not Secure' message on your WordPress site indicates the absence of an SSL certificate or the presence of an improperly configured or expired certificate.
The SSL certificate plays a crucial role in encrypting data that is sent to and received from your website. Without it, the information exchanged with your site becomes vulnerable and susceptible to unauthorized access by hackers. Therefore, it is highly important to set up an SSL certificate for your WordPress site.
By incorporating an SSL certificate, you bolster the security of the HTTP communication protocol on your website, transforming it into the secure HTTPS version. Additionally, the adoption of HTTPS is visually indicated on your site by a padlock icon next to its address, signifying its secure and trustworthy status.
If your website shows a 'Not Secure' warning, it indicates that it is not employing the HTTPS protocol. Additionally, being labeled as 'Not Secure' can potentially dissuade users from visiting the site. The good news is that there are simple solutions to address this issue, and we will discuss them in the following sections.
How to fix WordPress site not secure warning?
You can remove the ‘Not Secure’ warning from your WordPress site by performing the following steps, which are also explained in the next sections:
- Create a backup of your WordPress site
- Check your site’s SSL status
- Install an SSL certificate
- Fix your existing SSL certificate
- Redirect URLs from HTTP to HTTPS
- Replace all HTTP URLs with their HTTPS versions
- Scan for mixed content issues and fix them
- Inform Google about the changes on your website
- Clear all your caches
- Confirm if the ‘Not Secure’ warning has disappeared
1. Create a backup of your WordPress site
While our outlined steps are comprehensive, it is strongly recommended to back up your WordPress site before proceeding to eliminate the "WordPress site not secure" warning. This precautionary measure ensures a smooth recovery of your site's data in case any unexpected issues arise. To accomplish this, you can conveniently utilize a trustworthy backup plugin such as BlogVault through the following simple steps.
Begin by establishing an account on BlogVault and incorporate your site by providing its URL. Following this, opt for the automatic installation feature and input your admin credentials. With these steps completed, your site will commence syncing, and BlogVault will autonomously generate a backup for it.
2. Check your site’s SSL status
Once you've successfully backed up your website, the subsequent task involves confirming the status of its SSL certificate. This entails checking whether it exists, whether it is active, and whether it has expired. A convenient method for performing this verification is by inputting your website's URL into an online SSL checker tool like Qualys SSL Labs. This tool provides detailed insights into your site's SSL certification status. It's essential to confirm that the results display a rating of A or A+, indicating the highest level of security. Additionally, ensure that your SSL certificate uses a 2048-bit RSA key.
3. Install an SSL certificate
If you lack an SSL certificate or if your current certificate has lapsed, this guide provides instructions on installing an SSL certificate for a WordPress site. Should your existing SSL certificate expire, reach out to the original certificate authority (CA) to renew it before proceeding with the installation. It's essential to review the renewal plans offered by various CAs and choose the one that suits your needs. If your site already possesses an SSL certificate, you can proceed to the next step without any further action.
4. Fix your existing SSL certificate
If you are seeing a WordPress site not secure warning despite having a valid SSL certificate, it could be because the certificate is not configured correctly. In this case, follow the steps mentioned below:
1. Force HTTPS on Your Site Using a Plugin
The simplest way to remove the ‘Not Secure’ warning from your entire WordPress site is to use a plugin to configure an SSL certificate. While various plugins like WP Encryption, SSL Zen, etc. are available for this purpose, we recommend using Really Simple SSL.
- Install and activate Really Simple SSL from the Plugins section on your WordPress site’s admin dashboard.
- Navigate to Settings, then SSL. This will take you to the Really Simple SSL dashboard, which displays any potential issues with your site.
- Click on Activate SSL. A pop-up will appear with essential information to consider.
- Click on Activate SSL once more. This swiftly configures your site with an SSL certificate in just a few minutes. Please note that you may be logged out of the admin dashboard during this process.
2. Manually Enforce HTTPS on Your Site
Choosing a plugin such as Really Simple SSL during the installation process would have automatically handled this task. Nevertheless, if the SSL certificate was installed using a different method, you have the option to address the "WordPress page not secure" warning manually. It's important to note that we don't endorse this method due to the possibility of errors that could adversely affect your website.
If you still choose to proceed manually, there are two methods you can follow: the Secure Shell (SSH) method or the File Transfer Protocol (FTP) method to enforce HTTPS on your site.
2.1 Using SSH Method
For the following steps, use Command Prompt if you are a Windows user, or Terminal if you are a Mac user.
- Obtain your WordPress site server’s SSH credentials from your site host.
- Log into your WordPress site’s server using SSH with the following command, replacing ‘user_name’ and ‘ipaddress’ with the appropriate server credentials:
ssh user_name@ipaddress
Enter your password when prompted.
- Enter the following command to list all the files:
ls -a
- You should locate the wp-config.php file. Enter the following command to open it in an editor:
vi wp-config.php
- Press i to edit the file and insert the following line of code before the file’s ending:
define('FORCE_SSL_ADMIN', true);
- Press Esc and type the command :wq to save the file and exit the editor.
- Repeat steps 3 to 6 to locate the .htaccess file and add the following lines of code before the file’s ending:
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
</IfModule>
2.2 Using FTP Method
Use an FTP application like Filezilla for the following steps.
- Obtain your WordPress site server’s FTP credentials from your site host.
- Open Filezilla, enter your IP address in the Host section, your username, password, and port number (if any), and click on Quickconnect.
- You will see the file structure of your WordPress site in the Remote site section once you are logged in. Double-click on public_html to open the folder and find wp-config.php in the files listed below.
- Right-click on the wp-config.php file to open a context menu and select View/Edit to edit the file.
- In the file editor, type in the following line before the file ending and press Ctrl + S for Windows users or Cmd + S for Mac users to save the file:
define('FORCE_SSL_ADMIN', true);
- On closing the file editor, you will see a dialog box asking if you want to upload the edited file back to your WordPress server. Click on Yes and you are done.
- Repeat steps 4 to 6 after finding the .htaccess file in the public_html folder and add the following lines of code before the file’s ending:
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
</IfModule>
In certain cases, transitioning from HTTP to HTTPS can result in an uncommon scenario where your browser struggles to load your WordPress site’s login page due to an excessive number of redirects. If this occurs, insert the following lines of code into the wp-config.php file using either of the methods mentioned above:
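// Trust this header only when a reverse proxy or load balancer you control sets it.
if (isset($_SERVER['HTTP_X_FORWARDED_PROTO']) && $_SERVER['HTTP_X_FORWARDED_PROTO'] === 'https') {
    $_SERVER['HTTPS'] = 'on';
}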
Ensure that you add these lines before the following line of code:
require_once(ABSPATH . 'wp-settings.php');
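To confirm that the redirect works and to catch the "too many redirects" case described above, this added Python example (not part of the original article) follows a site's redirect chain one hop at a time and flags loops, a first hop that is not a 301, and chains that end on plain HTTP. The host example.test and the two response tables are constructed for illustration; against a live site, call `audit_redirects` with only the URL.

```python
import http.client
from urllib.parse import urljoin, urlsplit


def fetch_once(url, timeout=10):
    """Send one HEAD request without following redirects; return (status, Location)."""
    parts = urlsplit(url)
    conn_cls = (http.client.HTTPSConnection if parts.scheme == "https"
                else http.client.HTTPConnection)
    conn = conn_cls(parts.netloc, timeout=timeout)
    try:
        conn.request("HEAD", (parts.path or "/") + ("?" + parts.query if parts.query else ""))
        resp = conn.getresponse()
        return resp.status, resp.getheader("Location")
    finally:
        conn.close()


def audit_redirects(start_url, fetch=fetch_once, max_hops=10):
    """Follow the redirect chain from start_url; return (final_url, findings)."""
    findings, seen, url = [], set(), start_url
    for hop in range(max_hops):
        if url in seen:
            findings.append(f"redirect loop at {url}")
            return url, findings
        seen.add(url)
        status, location = fetch(url)
        if status not in (301, 302, 303, 307, 308) or not location:
            break  # reached a non-redirect response
        target = urljoin(url, location)
        if hop == 0 and status != 301:
            findings.append(f"first hop answers {status}, not the permanent 301 the rule sets")
        if urlsplit(target).scheme != "https":
            findings.append(f"{url} redirects to non-HTTPS {target}")
        url = target
    else:
        findings.append(f"gave up after {max_hops} hops")
    if urlsplit(url).scheme != "https":
        findings.append(f"chain ends on plain HTTP: {url}")
    return url, findings


# Constructed responses (example.test is a placeholder host). HEALTHY is what the
# rewrite rule should produce; LOOPING is an origin that never sees HTTPS, for
# instance behind a TLS-terminating proxy, and keeps redirecting HTTPS to itself.
LOGIN = "http://example.test/wp-login.php"
HEALTHY = {LOGIN: (301, "https://example.test/wp-login.php"),
           "https://example.test/wp-login.php": (200, None)}
LOOPING = {LOGIN: (301, "https://example.test/wp-login.php"),
           "https://example.test/wp-login.php": (301, "https://example.test/wp-login.php")}

if __name__ == "__main__":
    for name, table in (("healthy", HEALTHY), ("looping", LOOPING)):
        print(name, audit_redirects(LOGIN, table.__getitem__))
```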
5. Redirect URLs from HTTP to HTTPS
Navigate to the Settings in the WordPress Admin panel and select General. Within this section, locate the WordPress Address (URL) and Site Address (URL). Typically, these fields display your site's URL. If these URLs start with http://, it is advisable to update them to https://.
Alternatively, if you can access your site using SSH, you can edit the wp-config.php file for the same result. To do so, open the file in your preferred editor and insert the following lines of code at the end:
define('WP_HOME','https://your.site.com/');
define('WP_SITEURL','https://your.site.com/');
6. Replace all HTTP URLs with their HTTPS versions
You have two options for this task. The manual method involves accessing your database and modifying entries in the wp_options table. However, a small mistake can potentially crash your site. Hence, it’s safer and more convenient to use a plugin like BetterSearchReplace (BSR) for this task. This tool facilitates quick database updates.
Here are the steps to follow:
- Go to your WordPress Admin dashboard and install the BSR plugin.
- Once installed, activate the plugin. You’ll find it in the Tools section of your dashboard.
- Next, in the Search for text box, input your website’s URL in the http:// format. Similarly, in the Replace with text box, use the same URL but in the https:// format.
- Select all the tables listed in the Select tables menu. For Windows systems, use Ctrl + Left Click; for Mac systems, use Command + Left Click.
- If you’d like to do a practice run without making any changes to the tables, select the Run as dry run option. When you’re confident and ready to make the changes, deselect the option and execute the tool by clicking on Run Search/Replace →.
7. Scan for and fix mixed content issues
While you may have migrated your site from HTTP to HTTPS using an SSL certificate, some links may have been left out. This happens especially when there are links to images that don’t automatically switch to HTTPS, leading to a site not secure warning in WordPress. This is called a mixed content issue.
The previous step should usually fix this issue. However, if you are still seeing the ‘Not Secure’ warning and want to identify the causes behind this, check your site at Why No Padlock? Once you have identified the issues, you can use a plugin like Easy HTTPS Redirection to convert all these remaining HTTP links to HTTPS ones.
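To find the leftover HTTP references yourself, this added Python example (not from the original article) parses a page's HTML and lists every subresource still requested over http://, skipping ordinary `<a>` links, which do not count as mixed content. The sample page and the example.test host are constructed; the srcset handling assumes URLs without commas.

```python
from html.parser import HTMLParser

# Tag -> attributes that make the browser fetch a subresource. <a href> is left
# out on purpose: following a link is navigation, not content loaded into the page.
RESOURCE_ATTRS = {
    "img": ("src", "srcset"), "source": ("src", "srcset"), "video": ("src", "poster"),
    "audio": ("src",), "script": ("src",), "iframe": ("src",), "embed": ("src",),
    "object": ("data",), "link": ("href",),
}
LOADING_RELS = {"stylesheet", "icon", "preload"}  # <link> types that fetch something
# Rough split: media is "passive" (warned about or auto-upgraded), the rest "active" (blocked).
PASSIVE_TAGS = {"img", "source", "video", "audio"}


class MixedContentScanner(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []  # tuples of (line, kind, tag, url)

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "link" and not LOADING_RELS & set((attrs.get("rel") or "").lower().split()):
            return  # rel=canonical, alternate, ... fetch nothing
        for name in RESOURCE_ATTRS.get(tag, ()):
            value = (attrs.get(name) or "").strip()
            # srcset is a comma-separated list of "url descriptor" entries
            urls = [e.split()[0] for e in value.split(",") if e.strip()] if name == "srcset" else [value]
            for url in urls:
                if url.lower().startswith("http://"):
                    kind = "passive" if tag in PASSIVE_TAGS else "active"
                    self.findings.append((self.getpos()[0], kind, tag, url))


def scan(html):
    """Return every http:// subresource referenced by an HTML document."""
    scanner = MixedContentScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings


# Constructed page (example.test is a placeholder host).
SAMPLE_PAGE = """<html><head>
<link rel="canonical" href="http://example.test/post/">
<link rel="stylesheet" href="http://example.test/wp-content/themes/demo/style.css">
<script src="https://example.test/wp-includes/js/jquery.js"></script>
</head><body><a href="http://example.test/about/">About</a>
<img src="http://example.test/wp-content/uploads/logo.png"
     srcset="http://example.test/wp-content/uploads/logo-2x.png 2x">
<iframe src="//player.example.test/embed/1"></iframe>
</body></html>"""

if __name__ == "__main__":
    print(*scan(SAMPLE_PAGE), sep="\n")
```

Feed it the HTML of each page that still shows the warning; "active" findings are the ones to fix first, because the browser refuses to load them at all.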
8. Inform Google about the changes on your website
When you change your site’s URL from HTTP to HTTPS, Google has to be informed of this. You can update by adding the new URL to your site’s sitemap, Google Analytics, and Google Search Console. For more information on how to do this, look up Google’s documentation here.
9. Clear all your caches
If you've successfully installed an SSL certificate for your WordPress site but are still encountering the 'Not Secure' warning, there might be cached data causing the issue. To resolve this, ensure you clear any caches associated with your WordPress site, including those generated by caching plugins like WP Rocket or WP Super Cache, and caching services provided by your web hosting.
Refer to the documentation of your specific caching plugin or hosting provider for guidance on clearing caches. Additionally, advise your users to clear their browser caches. Below are steps for Google Chrome, but other browsers offer similar options.
- Go to the three-dot icon on the top right corner of the browser and choose Settings.
- Go to Privacy and security and then select Clear browsing data.
- In the Basic tab, choose All time from the Time range dropdown list, and make sure only the Cached images and files box is checked.
- Click on Clear data to clear the cache and you are done!
10. Confirm if the ‘Not Secure’ warning has disappeared
Visit your WordPress website and see if the warning ‘Not Secure’ has changed to a padlock icon.
To verify that your SSL certificate is correctly installed, you can use the IONOS SSL checker tool.
Troubleshooting
Some problems may arise when you try to remove the ‘Not Secure’ warning on your WordPress website by installing an SSL certificate all by yourself. In this section, we have discussed some of these problems.
What if you can’t access your site anymore?
Make sure your site is configured correctly to use SSL with updated URLs in both file settings and databases. If this doesn’t help, a plugin may be interfering with the SSL certificate. Try turning off plugins to see if it fixes the problem.
What if you get an ERR_SSL_VERSION_OR_CIPHER_MISMATCH error?
This error usually happens when the SSL certificate is not set up properly. Review your SSL settings to fix any configuration errors. If the problem is not with your SSL certificate, try updating your browser or using a different browser to see if it works. You can also use an online tool like the Qualys SSL test to find out any other issues with your SSL certificate.
What if you get a NET::ERR_CERT_INVALID error?
Your browser may mark your SSL certificate as invalid if it has wrong details, such as an incorrect domain name, unrealistic SSL certificate issue and/or expiry dates, etc. Check for these details and if needed, get a new SSL certificate with the right details.
What if none of the above solutions work?
In this case, clear all your caches. Your browser, plugins, and web host may sometimes keep old login page links, which causes problems when trying to reach your site with the new HTTPS links.
Using a plugin to install an SSL certificate on your WordPress website avoids many of these problems. This is why we do not suggest the manual method of installing an SSL certificate.
How to prevent the WordPress site not secure warning?
Having properly configured your WordPress site with SSL credentials, let’s look at some of the ways to ensure the ‘Not Secure’ warning doesn’t return.
- If your website includes outgoing links to other sites, be sure to modify them to use HTTPS for secure connections.
- Remember to check certificate expiry dates to avoid any disruptions. If your certificate is nearing expiration, you have the option to renew it with your current provider or explore free, verified HTTPS certification providers like LetsEncrypt.
- Simplify the process with a plugin like Easy HTTPS Redirection. This tool seamlessly guides users to the HTTPS SSL version of your site.
- Inform Google about the updated HTTPS URL of your site. This ensures that Google directs users to the secure version. For detailed steps, refer to the instructions found here.
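The certificate checks from step 2, the NET::ERR_CERT_INVALID section and the expiry reminder above can be scripted. This added Python example (not from the original article) audits the validity dates and hostname coverage of a certificate in the dict format that Python's `ssl` module returns; the certificate fields, the example.test names and the 30-day warning threshold are constructed assumptions.

```python
import socket
import ssl
import time


def fetch_cert(host, port=443, timeout=10):
    """Return the peer certificate dict; raises ssl.SSLCertVerificationError if the
    default trust store rejects it (expired, wrong name, untrusted issuer)."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


def covers(pattern, host):
    """Match a certificate DNS name against host; '*' stands for one left-most label."""
    pattern, host = pattern.lower(), host.lower().rstrip(".")
    if pattern.startswith("*."):
        return "." in host and host.split(".", 1)[1] == pattern[2:]
    return pattern == host


def audit_cert(cert, host, now=None, warn_days=30):
    """Return a list of problems with the dates and names in a getpeercert() dict."""
    now = time.time() if now is None else now
    not_before = ssl.cert_time_to_seconds(cert["notBefore"])
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    findings = []
    if now < not_before:
        findings.append("not valid yet")
    if now > not_after:
        findings.append(f"expired {int((now - not_after) // 86400)} day(s) ago")
    elif not_after - now < warn_days * 86400:
        findings.append(f"expires in {int((not_after - now) // 86400)} day(s)")
    names = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not any(covers(name, host) for name in names):
        findings.append(f"{host} is not covered by {names}")
    return findings


def check_site(host, warn_days=30):
    """Live check: fetch the certificate and audit it, or report why it was rejected."""
    try:
        return audit_cert(fetch_cert(host), host, warn_days=warn_days)
    except ssl.SSLCertVerificationError as exc:
        return [f"rejected by the trust store: {exc.verify_message}"]


# Constructed certificate fields in the format getpeercert() returns.
SAMPLE_CERT = {"notBefore": "Jan  1 00:00:00 2024 GMT", "notAfter": "Mar 31 23:59:59 2024 GMT",
               "subjectAltName": (("DNS", "example.test"), ("DNS", "*.example.test"))}
SAMPLE_NOW = ssl.cert_time_to_seconds("Mar 11 00:00:00 2024 GMT")

if __name__ == "__main__":
    print(audit_cert(SAMPLE_CERT, "www.example.test", now=SAMPLE_NOW))
```

Run `check_site` for every hostname visitors use (for example both the bare domain and the www form), since a certificate that covers one does not necessarily cover the other.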
How does a ‘Not Secure’ warning impact your site?
Having a secure website is vital for many reasons. In this section, we look at how a ‘Not Secure’ warning hampers your website.
- A ‘Not Secure’ warning lowers user trust and confidence, making them reluctant to enter sensitive data on the website. This can hurt e-commerce sites by increasing bounce rates and decreasing conversion rates, affecting their revenue.
- A ‘Not Secure’ warning also harms the site’s search engine rankings, as Google and other search engines factor in security when ranking websites. This can reduce the site’s visibility and traffic in the long run.
- A ‘Not Secure’ warning may even prevent users from accessing the site at all, as some browsers are becoming more strict about security and may block ‘Not Secure’ sites. This will further reduce the site’s potential audience.
As a website owner, you should be wary of these serious consequences and fix this issue as soon as possible.
Additional measures to secure your WordPress site
We’ll be honest: SSL is not enough to secure your website fully.
We have been working with WordPress websites for more than 10 years, and we know what it takes to protect them. Besides SSL security, you should also implement these essential steps:
- Use a robust security plugin like MalCare that can prevent brute-force login attempts.
- Use complex, unique passwords for all user accounts.
- Implement a lockout policy that automatically locks out users after a certain number of failed login attempts. MalCare includes this functionality in the limit login feature.
- Enable two-factor authentication for an additional layer of login security.
- Regularly update WordPress core, themes, and plugins to ward off vulnerabilities.
- Set user roles appropriately and keep track of user activity to identify suspicious activities.
- Ensure proper file permissions to limit unauthorized access to sensitive files.
Conclusion
You've made a substantial move in enhancing the security of your WordPress site by incorporating an SSL certificate. Nevertheless, it's important to note that this alone does not provide the ultimate solution.