So your site displays a Not Secure Warning: What it means and how to fix it with free SSL

Security | SEO | 12 minute read
David Hornreich

It’s July, and this month Google is rolling out new rules for how secure and non-secure sites are displayed.

That means the next time you’re browsing around your website, admiring it for all its beauty, you may see this Not Secure warning in Chrome’s address bar:

not secure warning - chrome

You’ve got questions:

  • Why am I seeing a Not Secure warning?
  • Are other site visitors getting a warning?
  • What does Not Secure even mean?
  • How long has my site been showing this warning?
  • How do I fix it?
  • Should I be panicking? Panic is an appropriate reaction, right?

Let’s address that last question first…

Don’t Panic.

We see this a lot — and it’s never the end of the world.

Your site is fine. You’re fine.

But you do need to take action.

That’s because if your site displays a Not Secure warning:

  • It may be penalized by Google, reducing traffic to your site
  • Your visitors will see it, which isn’t a great look.

So to get rid of that Not Secure warning once and for all there are some simple, often free, steps you’re going to want to take.

 

Want a solution as fast as possible?

Answer one question and we’ll direct you to the right spot:

Do you have an SSL certificate installed on your site?

Yes No I’m not sure
Or, if you’d like to learn more about SSL, HTTPS, and why you’re seeing the warning, read on.

 

 

 

 

…Not skipping ahead, eh? I like your spirit. Let’s talk about…

Secure = SSL Installed = HTTPS

So many acronyms, so little explanation. What does this all mean?

Hop in our Wayback machine and let’s go back to the distant future — the early 1990s. You may remember that since those days, sites on the World Wide Web have started with “http://”. (You may even remember learning that HTTP is an acronym for “HyperText Transfer Protocol”.)

Another, less common protocol was hanging around back then too — HTTPS. As the name suggests, it’s awfully similar to HTTP — it’s just an extension that provides an extra layer of security.

This more secure protocol wasn’t widely used back then, but it’s slowly become more common over time.

These days, thanks in large part to initiatives by Google, it’s becoming the industry standard. In February of 2018, Google reported that:

  • Over 68% of Chrome traffic on both Android and Windows is now protected
  • Over 78% of Chrome traffic on both Chrome OS and Mac is now protected
  • 81 of the top 100 sites on the web use HTTPS by default

At this point, anyone saying you don’t need to set up SSL is stuck in the past — they’re the same as those who said “We don’t need our site to work on phones” in 2008, and “We don’t need a website, the internet is just a fad” in 1998.

To run on https, a site will need to have a valid SSL (Secure Sockets Layer) certificate installed and configured.

Either a site has an SSL certificate installed and configured (Secure!) or it doesn’t (not secure!).

If your site is displaying a Not Secure warning, it means that SSL isn’t installed, or it’s installed but not configured properly.

 

Why you’re seeing this warning now — and what it means

Before 2017, Google’s Chrome browser would tell you if a site was using https by displaying a nice green icon and “secure” message.

If a site was just using http, you wouldn’t get any message at all. Instead, you’d see this rather innocuous-looking icon:

not secure warning icon

It’s quite possible this icon has appeared next to your URL for ages and you’ve never noticed it.

The icon effectively says that your site isn’t using https, it’s just very subtle: Only when a user clicks the icon for more info will they get this more dire-sounding warning.

not secure warning detail text

 

Since then, times have changed.

In January 2017, Chrome started displaying a gray Not Secure warning in the address bar any time a user began typing within a form on an http version of a site, like this:

not secure warning on form input

This is intended to be a more aggressive way of telling users, “Hey, the information that you’re typing in isn’t encrypted — so maybe think twice about what you enter.”

And the times, to paraphrase Bob Dylan, are still a-changin’.

Beginning in July of 2018, Google Chrome is displaying that Not Secure warning on sites without SSL at all times — not just when a visitor is using a form.

That means — no matter what — every time someone visits a site without SSL installed and configured, they’ll get a Not Secure warning in their address bar:

not secure warning full

It’s not a great impression to make.

Instead, this is the icon you want to see:

secure message

That’s a good looking message: It’s green, it’s got a lock icon, and it says Secure.

Other browsers are following suit. No matter what browser your visitors are using, HTTPS is the way of the future.

 

 

Rather not have to worry about any of this?

Get $200 Off Our Done-For-You SSL Installation & Configuration Services.

Sounds great, I could use the help Nah, I can do it myself

 

 

 

 

…Going at it yourself, eh? I like your initiative. Let’s get you off to a good start.


I’m not sure if I have SSL installed or not

That’s ok, a lot of our clients come to us not knowing if they have SSL installed or even what SSL is.

Luckily, we can find out if you have SSL on your site — and it only takes three steps and about 10 seconds.

  1. Click Here to open the SSL checker
  2. Enter your URL and click “check SSL”
  3. The results will come up within seconds.

ssl checker success

If you see a bunch of green check marks like the example above, you’re in good shape and you have SSL installed.

If the SSL Checker shows that SSL is set up but you’re still not getting the green “secure” message in your address bar, check out these possible reasons and solutions.

If you get a red or yellow warning sign, that means you don’t have SSL installed.

Read on and let’s look at what you can do.

I don’t have SSL / I need SSL installed on my site

Good news — chances are you can install SSL on your site without needing outside help.

Better yet, it probably won’t cost you a dime.

That’s thanks to a service called Let’s Encrypt — a free, automated, and open certificate authority.

So how do you install SSL using Let’s Encrypt?

Check out this list of web hosting providers that support Let’s Encrypt. Once you find your provider, click on the “Source” link beside it to open up instructions specific to your host.

Some hosts are easier to configure than others. (If you find yourself getting stuck — or you just don’t want to be bothered with it — we offer a done-for-you SSL install for $79. Click here if you’d like to talk about it.)

Once you’ve got your SSL certificate installed and configured, you should be the recipient of a nice, new, green “Secure” message in your browser.

But if you’re still getting a Not Secure warning, read on and we’ll solve what else might be the matter.

I’ve got SSL, but my site’s still displaying a Not Secure warning

If you know you’ve got an SSL certificate but your site isn’t giving you that nice green icon, there are a few things that may be at play. Let’s look at each.

 

1) You have an SSL certificate, but it’s not installed or configured properly.

Maybe when you bought your domain name or hosting, GoDaddy or whoever sold you an SSL certificate at the same time.

In fact, logging into your account shows you’ve got SSL — so why isn’t it working?

Well, maybe your provider made sure it was installed and configured properly… but maybe they didn’t.

What to do:

Talk to your domain registrar, ask them to configure your SSL certificate, and see if they’ll refund you for the months you weren’t using it.

 

2) You’re not forcing https.

Take a look at your URL in your address bar. Does it start with http or https?

If it starts with http, that means you’re loading the standard version of the site. To load the secure version instead, go up to your address bar and add an “s” after the http so that it says https, then hit enter.

If your SSL certificate is installed properly, you’ll get that delightful green “secure” message that we want to see.

But having two versions of your site available — one secure, one not — isn’t ideal. You can’t very well just ask everyone who visits the site to type an “s.”

What to do:

What you’ll want to do is force https — effectively forwarding anyone who visits the non-secure http version of your site to the secure https version.

How do you force https?

There are all sorts of ways depending on how your site is set up and how technical you want to get.

If you’ve got a WordPress site and don’t want to edit code, try the Force HTTPS Plugin by LittleBizzy. It’s well-rated, regularly updated, and does the job.

If you’re more comfortable with code and can access your site files via FTP, you can edit .htaccess following these instructions to force https.

Or if you use Flywheel — the hosting we recommend to our WordPress Concierge clients and use ourselves — it’s as easy as flipping a switch.

force https in flywheel

 

3) Your site is secure, but you’re linking to non-secure content

This is a likely culprit if your URL starts with https but you’re still not getting that nice green icon.

Basically, while your site is secure, it’s calling some sort of file or asset on another site insecurely. 

That could be content hosted on another site that doesn’t use https, or it could be a link to your own site’s content that accidentally starts with http instead of https.

You may hear this referred to as “mixed content” — some content is secure, some is not.

What to do: 

The key here is to find the culprit or culprits, then fix the code.

Using Chrome, visit your site, right-click and choose “Inspect.” A panel will appear displaying a lot of code. It’ll be intimidating, but fear not: 99.9% of it can be ignored.

Look for a tab that says “console,” then click on it.

See any results that look like this? That means you’re likely referencing non-secure content. You’ll need to update your code and replace each instance of http with https.

Not Secure Warning Mixed Content
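If you are fixing the code by hand, you can also scan a saved copy of the page's HTML for http:// references instead of reading console messages one at a time. The script below is an added example, not part of the original article: the sample page, the example.com URLs and the helper name `find_mixed_content` are constructed for illustration. It separates files the browser actually fetches (which cause the warning) from ordinary links to http pages (which do not).

```python
from html.parser import HTMLParser

# Attributes that make the browser fetch a subresource while rendering.
FETCH_ATTRS = {"script": "src", "img": "src", "iframe": "src", "audio": "src",
               "video": "src", "source": "src", "embed": "src", "object": "data"}
# <link> only fetches for some rel values (rel="canonical" does not).
FETCHING_RELS = {"stylesheet", "icon", "preload", "manifest"}
# Constructed sample: HTML as it might be saved from https://example.com/
SAMPLE_PAGE = """<!doctype html>
<html><head>
<link rel="canonical" href="http://example.com/">
<link rel="stylesheet" href="http://example.com/theme.css">
<script src="https://cdn.example.net/app.js"></script>
</head><body>
<img src="http://example.com/uploads/logo.png" alt="logo">
<a href="http://example.org/about">About</a>
</body></html>"""


class MixedContentFinder(HTMLParser):
    """Collects http:// references from the HTML of a page served over https."""
    def __init__(self):
        super().__init__()
        self.mixed = []       # (line, tag, url): fetched insecurely, causes the warning
        self.http_links = []  # (line, url): ordinary links, no warning on this page

    def handle_starttag(self, tag, attrs):
        a = {name: (value or "").strip() for name, value in attrs}
        line = self.getpos()[0]
        if tag == "link":
            rels = set(a.get("rel", "").lower().split())
            url = a.get("href", "") if rels & FETCHING_RELS else ""
        else:
            url = a.get(FETCH_ATTRS.get(tag, ""), "")
        if url.lower().startswith("http://"):
            self.mixed.append((line, tag, url))
        elif tag == "a" and a.get("href", "").lower().startswith("http://"):
            self.http_links.append((line, a["href"]))


def find_mixed_content(html):
    finder = MixedContentFinder()
    finder.feed(html)
    finder.close()
    return finder.mixed, finder.http_links

if __name__ == "__main__":
    mixed, links = find_mixed_content(SAMPLE_PAGE)
    for line, tag, url in mixed:
        print(f"line {line}: <{tag}> loads {url} -> change to https://")
```

Files loaded from CSS or added by JavaScript will not show up in this scan, so the browser console remains the final check.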

 

If your site runs on WordPress, the easiest way to make this happen is with a plugin called Really Simple SSL.

As soon as you install the plugin, you’ll be given a notification with a link that will allow you to enable SSL. Click it, and you should find that those mixed content errors are resolved.

 

4) Your SSL certificate expired

SSL certificates expire and need to be renewed often — but it’s a feature, not a bug.

When a certificate expires, it must be re-authenticated by your web browser. Essentially it’s a check: I know this was secure a few months ago, but is it still secure?

The good news: You can set your SSL certificate to auto-renew so you can set it and forget it. But if you don’t have auto-renew set up, or there was an error and auto-renew didn’t complete properly — you might run into this issue.

What to do:

Talk to your domain registrar (or check your account settings) to see if auto-renew is turned on.

If not, make sure to renew the certificate and turn on auto-renew for the future.

 

5) Something else is going on

None of these solve your problem? There are other reasons your SSL certificate may not work, but they’re more technical than we should delve into here.

What to do:

If you’re still stumped, start a live chat and let’s see if we can get you up and running.

 

Sometimes it’s not about if you can do something, it’s about whether it’s worth the hassle.
