Last updated:
Most web browsers mark websites that don’t have an SSL certificate as “not secure”. The warning doesn’t mean that the website itself is dodgy. Rather, it tells users that the connection between their browser and the server is unencrypted.
The connection can be secured with an SSL certificate. When your website has an SSL certificate people can visit your site via HTTPS rather than HTTP. For instance, people can visit https://example.com rather than http://example.com.
There are many types of SSL certificates:
Once your website has an SSL certificate you need to make sure that you redirect all website traffic from HTTP to HTTPS. Content Management Systems such as WordPress have the option to set the website URL, which should take care of most of the redirects. In addition, cPanel has a Force HTTPS Redirect option in the Domains interface.
You can also add a redirect rule in the .htaccess file. The following rule strips the ‘www’ subdomain and redirects website traffic to HTTPS:
# Redirect to non-WWW and HTTPS RewriteEngine On RewriteCond %{HTTPS} off [OR] RewriteCond %{HTTP_HOST} ^www\. [NC] RewriteCond %{HTTP_HOST} ^(?:www\.)?(.+)$ [NC] RewriteRule ^ https://%1%{REQUEST_URI} [L,NE,R=301]
Alternatively, you can set up a redirect that always uses the ‘www’ subdomain and redirects to HTTPS:
# Redirect to WWW and HTTPS RewriteEngine On RewriteCond %{HTTPS} off [OR] RewriteCond %{HTTP_HOST} !^www\. [NC] RewriteCond %{HTTP_HOST} ^(?:www\.)?(.+)$ [NC] RewriteRule ^ https://www.%1%{REQUEST_URI} [L,NE,R=301]
After you have added a redirect there may still be page elements that are served over HTTP. For instance, there may be style sheets, JavaScript files or images that are downloaded via HTTP rather than HTTPS. Browsers show a “mixed content” warning if one or more resources are downloaded via HTTP rather than HTTPS. Typically, the warning is an icon of a broken padlock in the browser’s address bar.
You can check why a page is showing a mixed content warning via a website such as Why No Padlock. Once you have identified the issue you can update the URLs.
For WordPress websites the Really Simple SSL plugin can often fix mixed content warnings as well. And if you use Elementor to manage the content on your WordPress website then you may also need to update your website URL in the Elementor settings.