If you use Google Chrome as your browser, you might have visited a website that says “Not Secure” next to its URL at the top of the window. Other browsers might show this website with a red “unlocked” lock symbol next to its name, or perhaps just an “i” in a circle providing a warning that this website is not encrypted.
Maybe it’s your own website that gives these scary warnings.
This kind of warning can erode trust with your new visitors and cause concern for your existing customers. Time to fix it!
What the warning means
In the early days of the internet, browsers asked servers for information using the HTTP protocol. It was a conversation between your computer and the internet, asking for all the data for a particular web page.
However, HTTP isn’t very secure, because it sends everything unencrypted. If you’re sending sensitive information like passwords, or even form data like comments that might contain personal information, it’s pretty easy for hackers to snatch that stuff from the data stream.
Several years ago, someone came up with a much more secure alternative called HTTPS. It encrypts information flowing back and forth so it’s much harder for someone to steal it.
About three years ago, Google decided to give a major push to HTTPS as the default internet protocol, to increase security everywhere. It announced that websites using HTTPS would be given a boost in their search results.
And they also added a feature to Chrome that would mark HTTP-only websites as “not secure” to try to encourage owners of those sites to switch to HTTPS.
How to make the switch
If your site isn’t on HTTPS yet, then you should make the switch!
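First, you’ll need an SSL certificate (technically these are TLS certificates nowadays, but the old name has stuck). It ties a set of encryption keys to your specific domain, so browsers can confirm they are really talking to your website and encrypt the connection to it.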
You can get an SSL Certificate in a few places:
- Let’s Encrypt is a non-profit that is committed to increasing security on the internet, and gives out SSL certificates for free. That’s awesome! But getting a third party SSL certificate and then installing it yourself on your hosting package takes a bit of technical wizardry, and a lot of people aren’t comfortable doing that. Some hosting packages actually WON’T let you do that as you require a high level of access to your hosting to be able to install the certificate.
- Directly from your hosting provider – all hosting providers will give you an SSL certificate if you ask for one. Some hosts, like Siteground, include it in all their hosting packages at no extra cost (they are actually partnered with Let’s Encrypt to provide free SSL to all). Other hosts, like GoDaddy, will charge you an arm and a leg (something like $100 a year) for your SSL certificate. Side advice: if you’re on a host who wants to charge you for your SSL certificate, that’s a good sign that it’s time to switch hosting companies.
However you get your certificate, you’ll need to log into your hosting account at your hosting company to make sure it is installed on your domain. Your hosting company can help you with this if it’s too technical for you.
Now that your SSL certificate is installed, you should be able to go to the HTTPS version of your website and have it load properly. For example, instead of using http://mysite.com, try entering https://mysite.com and make sure it loads. Make sure all images and logos are loading properly, and that the “not secure” warning in the address bar is gone.
If it looks good, then it’s time to swap your WordPress settings so the secure version of the website is always loaded.
- Head to Settings > General on your WordPress Dashboard.
- Under WordPress Address (URL), change the http:// prefix to https://
- Under Site Address (URL), change the http:// prefix to https://
- Save the changes using the blue button at the bottom
And that’s it! You might have to log back into the back end of the site now that the URL has technically changed. Check the site and make sure all pages are loading properly.
Still not secure?
If your site still says “not secure,” there are a couple of possible problems.
Possible Problem 1: Loading insecure data
If your pages are loading images using a full URL and that URL is still using the http:// prefix, then the whole page gets marked as “not secure” because those images are not secure. (Browsers call this “mixed content”: a secure page that pulls in insecure pieces.) This can happen if the images are local to your website, or external. The same kind of thing can happen with videos, PDF files, or other media that are being embedded in your site.
You can test for these kinds of insecure embeds and links using an SSL link checker online.
If insecure links are found, then you need to go through them one by one to fix them. If a lot of them are references to your own website, you can consider a database search and replace plugin to change them all at once. (I recommend Better Search Replace by Delicious Brains.)
BUT WARNING, doing a search and replace on your entire database is an ADVANCED SKILL and should not be undertaken lightly. ALWAYS have a full backup of your site before attempting this and DON’T DO IT if you are new to the world of WordPress databases!
Instead, stick with manual fixes.
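What an SSL link checker looks for, shown as an added example that is not part of the original article: a Python scanner that lists every http:// resource a page embeds and marks whether it points at your own site (a candidate for search and replace) or an external one. The host mysite.com is reused from the example above, and the sample HTML is constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Attributes that make the browser load a resource into the page. <a href> is
# left out on purpose: a link the visitor clicks is not loaded into the page.
EMBED_ATTRS = {
    "img": ("src", "srcset"), "source": ("src", "srcset"), "script": ("src",),
    "iframe": ("src",), "video": ("src", "poster"), "audio": ("src",),
    "embed": ("src",), "object": ("data",), "link": ("href",),
}
FETCHED_LINK_RELS = {"stylesheet", "icon", "preload"}

class InsecureEmbedFinder(HTMLParser):
    def __init__(self, site_host):
        super().__init__()
        self.own_hosts = {site_host.lower(), "www." + site_host.lower()}
        self.findings = []  # (line, tag, url, "own-site" or "external")

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "link":  # rel="canonical" and similar are never fetched
            rels = (attrs.get("rel") or "").lower().split()
            if not FETCHED_LINK_RELS.intersection(rels):
                return
        for name in EMBED_ATTRS.get(tag, ()):
            value = attrs.get(name) or ""
            # srcset holds several "url descriptor" pairs separated by commas
            parts = value.split(",") if name == "srcset" else [value]
            for url in (p.split()[0] for p in parts if p.strip()):
                if url.lower().startswith("http://"):
                    host = (urlsplit(url).hostname or "").lower()
                    where = "own-site" if host in self.own_hosts else "external"
                    self.findings.append((self.getpos()[0], tag, url, where))

def find_insecure_embeds(html, site_host):
    finder = InsecureEmbedFinder(site_host)
    finder.feed(html)
    finder.close()
    return finder.findings

# Constructed sample page (not taken from a real site).
SAMPLE_PAGE = """\
<link rel="canonical" href="http://mysite.com/about/">
<link rel="stylesheet" href="http://mysite.com/wp-content/themes/x/style.css">
<a href="http://example.org/">a plain link, not an embed</a>
<img src="http://mysite.com/wp-content/uploads/team.jpg"
     srcset="http://mysite.com/wp-content/uploads/team-2x.jpg 2x">
<iframe src="http://videos.example.net/embed/123"></iframe>
"""
```

Calling `find_insecure_embeds(SAMPLE_PAGE, "mysite.com")` returns four findings: the stylesheet and both image URLs as own-site, and the iframe as external. The canonical link and the plain `<a>` link are ignored.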
Possible Problem 2: You’re not actually loading the secure version
Even after the SSL certificate is installed, and you’ve changed your WordPress settings to use the HTTPS version, you can still load the old, insecure version by directly typing in http:// in your URL.
Any old links you had published – say, in Facebook shares or in newsletters or embedded in eBooks – that used the http:// version of your URL will still load the insecure version of the site.
You can use a plugin to force all visitors to your site, no matter how they got there, to be immediately redirected to the HTTPS version of the same page. (I personally like WP Force SSL by Web Factory.)
Note that plugins that do this often cause problems with mirror sites and staging sites, so if you’re ever doing development work on your website, you’ll probably want to turn it off first.
And that’s it! Hopefully your site is nice and secure now – with the added bonus of bumping up your SEO rank with Google.
Need help installing your SSL certificate and converting to HTTPS? That’s what we’re here for! Get in touch with us on our contact page and we’d be happy to help.