Browsers say my website is not secure!

Last updated: 2 March 2022

Most web browsers mark websites that don’t have an SSL certificate as “not secure”. The warning doesn’t mean that the website itself is dodgy. Rather, it tells users that the connection between their browser and the server is unencrypted.

The connection can be secured with an SSL certificate. When your website has an SSL certificate people can visit your site via HTTPS rather than HTTP. For instance, people can visit https://example.com rather than http://example.com.

Types of SSL certificates

There are many types of SSL certificates:

• If you have a fairly small website then a Let’s Encrypt SSL certificate is probably all you need. These certificates are free and renew automatically every 60 days (provided your domain still resolves correctly). If you would like a Let’s Encrypt certificate for your website then it is easiest to submit a support ticket.
• So-called business SSL certificates are valid for one year. The certificate authority that issues certificates is also more stringent than Let’s Encrypt. For instance, you can’t easily get a certificate for a domain like hsbc-bank.co.uk, as the domain is likely to be used for phishing scams. Let’s Encrypt doesn’t care about the domain name – it is only concerned with enabling encrypted connections.
• Wildcard certificates can be used for any subdomain. This is useful if you have lots of subdomains, as business certificates are only valid for your primary domain (i.e. example.com) and the ‘www’ subdomain (i.e. www.example.com). It is worth noting that all Let’s Encrypt certificates are wildcard certificates.
• Extended validation certificates are subject to thorough checks by the certificate authority. The aim is reassure visitors of your website that your business is legitimate. For that reason web browsers used to make the address bar green when a website had an extended SSL certificate. Browser vendors stopped doing that a few years ago, but if reassurance is important to your business then it is still worth considering an extended validation certificate.

Redirecting traffic to HTTPS

Once your website has an SSL certificate you need to make sure that you redirect all website traffic from HTTP to HTTPS. Content Management Systems such as WordPress have the option to set the website URL, which should take care of most of the redirects. In addition, cPanel has a Force HTTPS Redirect option in the Domains interface.

You can also add a redirect rule in the .htaccess file. The following rule strips the ‘www’ subdomain and redirects website traffic to HTTPS:

# Redirect to non-WWW and HTTPS
RewriteEngine On
RewriteCond %{HTTPS} off [OR]
RewriteCond %{HTTP_HOST} ^www\. [NC]
RewriteCond %{HTTP_HOST} ^(?:www\.)?(.+)$ [NC]
RewriteRule ^ https://%1%{REQUEST_URI} [L,NE,R=301]

Alternatively, you can set up a redirect that always uses the ‘www’ subdomain and redirects to HTTPS:

# Redirect to WWW and HTTPS
RewriteEngine On
RewriteCond %{HTTPS} off [OR]
RewriteCond %{HTTP_HOST} !^www\. [NC]
RewriteCond %{HTTP_HOST} ^(?:www\.)?(.+)$ [NC]
RewriteRule ^ https://www.%1%{REQUEST_URI} [L,NE,R=301]

Mixed content warnings

After you have added a redirect there may still be page elements that are served over HTTP. For instance, there may be style sheets, JavaScript files or images that are downloaded via HTTP rather than HTTPS. Browsers show a “mixed content” warning if one or more resources are downloaded via HTTP rather than HTTPS. Typically, the warning is an icon of a broken padlock in the browser’s address bar.

You can check why a page is showing a mixed content warning via a website such as Why No Padlock. Once you have identified the issue you can update the URLs.

For WordPress websites the Really Simple SSL plugin can often fix mixed content warnings as well. And if you use Elementor to manage the content on your WordPress website then you may also need to update your website URL in the Elementor settings.