Website is not secure – how to fix
If you have just seen a message in your web browser that your site (or another) is insecure – relax. It probably just means that you don’t have an SSL certificate.
Your site or the site you are visiting hasn’t had a sudden security fail – it is more that Google has raised the bar on general website security to promote the use of SSL certificates.
You may have been sent a message by your website manager similar to this one sent by Google to users of their services.
“To owner of http://yoursite,
Starting October 2017, Chrome (version 62) will show a ‘NOT SECURE’ warning when users enter text in a form on an HTTP page, and for all HTTP pages in Incognito mode.
The following URLs on your site include text input fields (such as <input type="text"> or <input type="email">) that will trigger the new Chrome warning.
Review these examples to see where these warnings will appear, so that you can take action to help protect users’ data. This list is not exhaustive.
The new warning is part of a long term plan to mark all pages served over HTTP as ‘not secure’. Here’s how to fix this problem:
Migrate to HTTPS
To prevent the “Not Secure” notification from appearing when Chrome users visit your site, only collect user input data on pages served using HTTPS.
To migrate to HTTPS you will need a security certificate. These range from free (Let's Encrypt) through several paid versions costing $100-300 annually.
The best way to get the certificate added is to talk with your website host or website developer if you have one. Most hosting companies have a system in place where they can “attach” a certificate to your site for a fee.
Often there are a couple of extra steps to negotiate to avoid “mixed content”, which is where the little green padlock doesn’t show in the browser bar because some element, like an image, is linked to an insecure source.
At left – this is what the “green padlock” looks like when installed.
On a WordPress site it might be that some hard-coded links in widgets need to be changed from http to https (the http links are what cause the mixed content warning).
There are also WordPress plugins that can help with the redirection needed so that all parts of the site are displayed from a secure form of http. Finding mixed content can take some time but should be easy enough for a developer to do.
Really Simple SSL is a plugin that automatically detects your settings and configures your website to run over https.
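One way for a developer to find the mixed content described above, as an added example that is not from the original article: a Python scanner that reads a page's HTML and lists every subresource and form target still using http://, while ignoring ordinary links. The sample page, its example.com URLs and the name find_mixed_content are constructed for illustration.

```python
from html.parser import HTMLParser

# Tags whose URL attribute loads content into the page. Plain <a href>
# links are navigation, not mixed content, so they are not listed here.
ACTIVE = {"script": "src", "iframe": "src", "link": "href", "object": "data"}
PASSIVE = {"img": "src", "audio": "src", "video": "src", "source": "src"}


class MixedContentFinder(HTMLParser):
    """Collect (kind, tag, url) for every http:// load or form target."""
    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "form":
            self._check("form", tag, a.get("action", ""))
        elif tag in ACTIVE:
            # Only rel=stylesheet is treated as a load; rel=canonical names a URL.
            if tag == "link" and "stylesheet" not in a.get("rel", "").lower():
                return
            self._check("active", tag, a.get(ACTIVE[tag], ""))
        elif tag in PASSIVE:
            self._check("passive", tag, a.get(PASSIVE[tag], ""))

    def _check(self, kind, tag, url):
        if url.strip().lower().startswith("http://"):
            self.findings.append((kind, tag, url.strip()))


def find_mixed_content(html):
    finder = MixedContentFinder()
    finder.feed(html)
    return finder.findings


# Constructed sample markup (example.com / example.org are placeholders).
SAMPLE = """
<link rel="canonical" href="http://example.com/">
<link rel="stylesheet" href="http://example.com/wp-content/themes/x/style.css">
<script src="https://example.com/app.js"></script>
<a href="http://example.org/">external link</a>
<div class="widget"><img src="http://example.com/wp-content/uploads/logo.png"></div>
<form action="http://example.com/subscribe"><input type="email" name="e"></form>
"""

if __name__ == "__main__":
    for kind, tag, url in find_mixed_content(SAMPLE):
        print(f"{kind:8} <{tag}> {url}")
```

The scanner only reads HTML attributes, so http:// URLs inside CSS files or inline styles need a separate search.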
On a couple of WordPress sites we have noticed that earlier security settings on specific pages have needed to be changed so as to not conflict with the new site settings.
Once you have installed a security certificate your site URL will be listed as https and show a green padlock on Chrome and Firefox. But more importantly it won’t show a warning sign saying “insecure content”.
Google has mentioned that they will rank secure sites higher in their SEO scores, which is another reason to upgrade. The best reason for a security certificate, though, is that besides improved security it shows your customers that your business can be trusted online.
Update: See also YES YOUR SITE NEEDS HTTPS.
“But my site doesn’t have forms or collect information from users.”
Doesn’t matter. HTTPS protects more than just form data! HTTPS keeps the URLs, headers, and contents of all transferred pages confidential.