I know how frustrating it can be when you visit your website and see a big “Not Secure” warning in the browser. It feels like something’s broken—and worse, your visitors can see it too. 😬
That little message can scare people off before they’ve even had a chance to look around. They might leave without reading a word, filling out a form, or making a purchase.
Google shows this warning when your site doesn’t have an SSL certificate. That means your site isn’t using HTTPS, and the browser is letting visitors know their connection might not be private.
Luckily, the fix is straightforward, and I’ll walk you through it step by step. I’ve used the same process on my own websites and helped countless others do the same with WordPress.
🌟Expert Tip: Not confident about fixing errors yourself? Why not leave things to the professionals?
Our team at WPBeginner offers Emergency WordPress Support Services, available 24/7. We can fix everything from SSL errors to plugin issues at affordable prices for small businesses and website owners.
Ready to learn more? Just book a free consultation call today!
Why Does Google Show “Not Secure” on Your Website?
When I see the “Not Secure” warning pop up on a site, I know it usually means one thing: the site isn’t fully encrypted. Google shows this warning when a website doesn’t use HTTPS or there’s something wrong with its SSL certificate.
For reference, HTTPS (Hypertext Transfer Protocol Secure) is the secure version of HTTP. It uses something called an SSL/TLS certificate to encrypt the connection between your website and your visitors.
And the Google “Not Secure” message isn’t just a minor warning you can ignore. Most visitors don’t stick around when they see that alert. It signals a lack of trust, and that affects everything from conversions to your search rankings.
Let me walk you through the four most common reasons I’ve seen this warning appear on WordPress websites.
1. Your Website Doesn’t Have an SSL Certificate
SSL certificates encrypt the connection between your website and your visitors. Without one, browsers assume your site is unsafe, because technically, it is. Any data people enter on your site, like personal or credit card details, could be intercepted.
That’s why Chrome and other browsers flash the “Not Secure” warning for sites that still use plain HTTP. I’ve seen this happen to brand-new sites where SSL just wasn’t enabled yet, or even older sites where it was never installed.
2. Your SSL Certificate Is Expired or Invalid
Sometimes the SSL certificate is there, but it’s expired or wasn’t installed properly. This is one of the first things I check when someone asks why their site suddenly shows a warning.
You can usually spot this SSL issue by clicking the padlock (or the missing padlock) in your browser’s address bar.
If there’s a problem, then your hosting provider should be able to help you renew or reinstall the certificate.
3. Your Website Has Mixed Content Issues
Even with a valid SSL certificate, your site can still show as “Not Secure” if it’s loading some content over HTTP. I’ve seen this a lot when people switch their site to HTTPS but forget to update old links to images, scripts, or stylesheets.
This is known as mixed content, and browsers don’t like it. The fix is simple—you just need to update any insecure URLs so everything loads over HTTPS. Later in this tutorial, I will show you how to do this.
4. Your Site Has HTTP URLs in WordPress Settings
Another thing I always double-check is the site URL settings inside WordPress. If the WordPress Address or Site Address is still set to HTTP, your site may continue to trigger security warnings even if SSL is working fine.
You can find these settings by going to Settings » General in your WordPress dashboard. Then, switch both URLs to use HTTPS to ensure that every page loads securely. I will show you how to do this later on.
Now that I’ve covered what causes the “Not Secure” warning, let’s take a look at how to fix it and prevent it from coming back.
How to Fix the “Not Secure” Warning in Google Chrome
Seeing the “Not Secure” warning on your site can be frustrating. You want your visitors to feel safe, not greeted with a warning label.
Luckily, the fix usually isn’t complicated. In most cases, it comes down to enabling an SSL certificate, updating a few WordPress settings, or cleaning up what’s known as mixed content.
I’ve gone through this troubleshooting process on dozens of sites—both my own and for others—and I’ll show you exactly what to do to secure your site and get rid of that warning for good.
Here are the steps I will cover:
Step 1. Get a Free SSL Certificate for Your Website
The first thing I do when fixing a “Not Secure” warning is check if an SSL certificate is installed. This small piece of security tech encrypts data between your website and visitors—and it’s what enables HTTPS.
Years ago, SSL certificates could be expensive. Some companies still charge a premium, but the good news is you don’t need to pay for one, especially if you’re just starting out.
Most WordPress hosting providers now offer free SSL certificates with their plans. I’ve used this option on dozens of websites, and in most cases, enabling it only takes a couple of clicks from your hosting dashboard.
If you’re using Bluehost, just log in to your account and head to your website settings. Then click the ‘Security’ tab.
From there, you’ll see the option to enable the free SSL certificate. Just toggle it on, and you’re good to go.
Note: The screenshots above show the Bluehost dashboard. If you’re using a different host, then things might look slightly different, but the SSL setting is almost always in the security section.
For hosts that use cPanel, you’ll need to launch it from your hosting dashboard. Scroll down to the ‘Security’ tab and click on the SSL/TLS icon.
And if your host doesn’t offer free SSL, don’t worry—you can still get one through Let’s Encrypt.
We have a detailed tutorial showing you exactly how to do it: How to Add Free SSL in WordPress with Let’s Encrypt.
Step 2. Update Your WordPress URLs to Use HTTPS
Even with an SSL certificate, your site might still load as “Not Secure” if the WordPress settings are incorrect. You can fix this by updating your site’s URL.
Simply go to the Settings » General page in your WordPress dashboard.
Then, make sure both the ‘WordPress Address (URL)’ and ‘Site Address (URL)’ fields use https:// instead of http://.
Don’t forget to click on the ‘Save Changes’ button to store your settings.
WordPress will now start using https:// for all URLs across your website. However, some HTTP URLs may still be stored in your WordPress database, which may cause issues moving forward.
Next, I will show you how to fix those URLs easily.
Step 3. Fix Mixed Content Issues in WordPress
One reason for the ‘Not Secure’ warning is mixed content issues. This happens when some parts of your website load using an HTTP (insecure) URL.
Almost all of these URLs are stored in your WordPress database and added by your WordPress theme or plugins. You may also have http:// URLs in your blog posts and pages.
To fix this, you will need a search and replace plugin to find http URLs and replace them with https://. The best plugin for the job is Search & Replace Everything.
I use Search and Replace Everything because it is fast and efficient. More importantly, it is super easy to use even for beginners.
Tip💡: There is also a free version of Search & Replace Everything that you can use.
First, you need to install and activate the Search and Replace Everything plugin. For details, you can see this guide on how to install WordPress plugins.
Upon plugin activation, go to the Tools » WP Search & Replace page to start using the plugin.
In the ‘Search for’ field you need to enter http:// and in the ‘Replace with’ field add https://.
After that, you need to click on ‘Select All’ to ensure all tables in your WordPress database are included in the search.
Finally, click on the ‘Preview Search & Replace’ button.
The plugin will then perform the search and show you a preview of the results. This allows you to review the data before it is permanently changed.
Carefully review the results, and once you are satisfied, click on the ‘Replace All’ button.
The plugin will then make changes to your WordPress database and replace all HTTP URLs with HTTPS.
For more details, see this guide on how to fix the mixed content error in WordPress.
Step 4. Set Up an HTTP to HTTPS Redirect in WordPress
After switching a site to HTTPS, one of the steps I never skip is setting up a redirect from HTTP to HTTPS. Without it, people might still land on the insecure version of your site through old links or bookmarks.
The most reliable way to fix this is by adding a redirect rule to your .htaccess file. Here’s the snippet I use on most WordPress websites:
RewriteEngine On
RewriteCond %{HTTPS} !=on
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
For details, see this guide on how to fix the WordPress .htaccess file.
If your website is running on Nginx instead of Apache, then you’ll need to set up the redirect differently.
Instead of editing a .htaccess file, you’ll need to update your Nginx configuration.
Here’s the code I would add to redirect all HTTP traffic to HTTPS in Nginx:
server {
listen 80;
server_name yoursite.com www.yoursite.com;
return 301 https://yoursite.com$request_uri;
}
You’ll want to place this block above the existing HTTPS server block in your site’s Nginx config file—usually found in /etc/nginx/sites-available/ or /etc/nginx/conf.d/.
Once you’ve added the redirect, don’t forget to reload Nginx for the changes to take effect:
If you’re not sure where to make the change, it’s a good idea to reach out to your hosting provider.
Step 5. Test Your SSL Setup for Security Issues
After making these changes, you should test your website to ensure everything is working correctly.
You can use the SSL Labs SSL Test to check your certificate and confirm your site is fully secured. Simply enter your domain name, and it will check the SSL implementation on your domain name.
Another alternative tool that I have often used is Why No Padlock? What I like about it is that it explains issues in plain language, which is helpful for beginners.
Finally, try visiting your site in Incognito mode. If you still see the “Not Secure” warning, you need to clear your WordPress cache or wait a few minutes for changes to take effect.
Make Your Site Feel Safe for Every Visitor
No one wants their site to scare away visitors with a browser warning. The biggest damage is losing the trust of your customers and visitors.
I hope this guide helped you fully secure your WordPress site with HTTPS so that your visitors won’t have to think twice about trusting it.
Bonus Resources
I follow this WordPress security guide on all websites I work on. This step-by-step guide offers an easy action plan to properly secure your WordPress website.
The following are a few additional resources that I think you’ll find helpful:
If you liked this article, then please subscribe to our YouTube Channel for WordPress video tutorials. You can also find us on Twitter and Facebook.