You opened your own website in Chrome, and there it was — “Not Secure” sitting right next to your URL. Feels like an accusation, doesn’t it? Like your site is being called out in front of everyone.
Here’s the short answer: your site is running on HTTP instead of HTTPS. That means the connection between your visitors and your server isn’t encrypted. Anyone sitting between them — on public Wi-Fi, on the same network, with the right tools — can technically read what gets transmitted. Browsers now call that out explicitly rather than quietly tolerating it.
But “no SSL” is just the most common cause. There are three others that catch site owners off guard, especially after they’ve already installed a certificate and still see the warning. This guide covers all four, tells you how to diagnose which one you’re dealing with, and walks you through fixing each one.
What the “Not Secure” Warning Actually Means
The label comes from your browser, not from Google. Chrome, Firefox, Safari, and Edge all started displaying it by default after Google pushed the industry toward universal HTTPS encryption starting in 2017.
A secure website uses HTTPS (Hypertext Transfer Protocol Secure) and an SSL/TLS certificate to encrypt the communication between web browsers and web servers, protecting private or sensitive data from being intercepted. When a website is marked as not secure, it usually means it’s not using HTTPS.
The encryption matters even for sites that don’t collect passwords or payment details. Browsers now label even informational websites as not secure when HTTPS is missing or misconfigured, regardless of whether a site collects sensitive information.
In other words: the warning isn’t reserved for sketchy sites. It shows up on perfectly normal business websites that just haven’t been configured correctly. And visitors don’t know the difference — they see the warning and leave.
Why This Matters More Than You Think
Most site owners notice the “Not Secure” label and put fixing it on the to-do list. That’s a mistake.
According to Google’s data, users avoid unsecured websites at a rate of around 97%. That warning acts as a hard gatekeeper, immediately pushing bounce rates to the top of the typical range, anywhere from 70% to 100%.
Studies show that security warnings reduce conversion rates by as much as 50%. For an eCommerce site, a service business, or any page where someone needs to trust you before taking action, that’s significant.
The SEO impact is real too. Since 2014, Google Search has used HTTPS as a ranking signal, meaning secure websites rank higher. As of 2025, 87.6% of all websites have valid SSL certificates — sites without one lose both visibility and customers.
The warning isn’t just a technical detail. It’s a conversion problem, a trust problem, and a rankings problem all at once.
The 4 Reasons Your Site Says “Not Secure”
1. No SSL Certificate Installed (The Most Common Cause)
According to frequency data, no SSL certificate installed accounts for roughly 80% of cases. The most common cause is simply not having an SSL certificate installed on your server.
If your site URL starts with http:// rather than https://, this is your issue. The fix is straightforward: get an SSL certificate and install it.
Free option: Let’s Encrypt provides free, auto-renewing certificates that most major hosts support. If you’re on cPanel, Cloudflare, or a managed WordPress host, there’s usually a one-click option in your dashboard.
Paid option: Commercial certificates from providers like DigiCert, Sectigo, or GlobalSign start around $10/year and go up depending on validation level. They’re worth it if you want extended validation (EV) or need to cover multiple subdomains with one wildcard certificate.
Once the certificate is installed, update your site settings to redirect all HTTP traffic to HTTPS. This is critical — if your site responds to both http:// and https://, browsers can still get confused.
Quick check: Type your URL into your browser with
https://at the front. If it loads without warnings, you already have a certificate. The problem is something else (see the sections below).
2. SSL Certificate Is Expired
Expired SSL certificates account for about 10% of “Not Secure” cases. Browsers instantly display security warnings when certificates expire — this problem can be avoided by setting up automatic renewal.
SSL certificates don’t last forever. Standard certificates used to be valid for up to two years, then 13 months, and the window keeps shrinking. As of March 15, 2026, the maximum TLS certificate lifespan has been reduced to 200 days, accommodating a six-month renewal cadence — part of a phased approach approved by the CA/Browser Forum.
This is increasingly important because the industry is moving fast. If you’re managing your own certificate and relying on manual reminders to renew it, you will miss a renewal eventually. Most major hosting platforms let you enable auto-renewal — turn it on now if you haven’t already.
How to check: Click on the padlock icon (or the “Not Secure” text) in your browser’s address bar. Select “Certificate.” Look for the “Valid Until” or “Expires On” date. If it’s passed, renew immediately.
3. Mixed Content Errors (This One Catches Everyone Off Guard)
This is the sneaky one. Your SSL certificate is installed and valid. Your URL shows HTTPS. But the “Not Secure” warning still appears. You’re confused and frustrated and Googling at midnight.
What’s happening: Mixed content occurs when HTML on a website loads over a secure HTTPS connection, but other content — such as images, video content, stylesheets, and scripts — continues to load over an insecure HTTP connection. This results in some web content loading securely and some insecurely.
Mixed content problems account for about 7% of “Not Secure” cases. The most common culprits are embedded images with hardcoded http:// URLs, old scripts from third-party services still pointing to HTTP sources, and video embeds from platforms that serve over HTTP.
How to find the problem:
Open your site in Chrome. Press F12 to open DevTools. Click the “Console” tab. Reload the page. Look for red or yellow warnings that mention “Mixed Content” — they’ll include the exact URL of the insecure resource causing the issue.
How to fix it:
For WordPress sites, a plugin like “Really Simple SSL” or “Better Search Replace” can scan your database and update all hardcoded HTTP links to HTTPS in bulk. For non-WordPress sites, search your HTML files for http:// (as opposed to https:// or just //) and update each one.
If you find a third-party embed — a YouTube video, a Google Maps widget, a social sharing button — check whether the source URL supports HTTPS. Most modern services do. If it doesn’t, remove the embed or find a replacement source.
4. SSL Misconfiguration or Wrong Certificate Type
SSL certificate misconfiguration accounts for around 3% of cases. Incorrect domain names, improper installation, or the use of outdated security protocols are all possible issues — these require more complex troubleshooting.
This happens when:
- The certificate was issued for
www.yoursite.combut you’re visitingyoursite.com(or vice versa) - The certificate covers one domain but not your subdomain
- The SSL was installed on the server but your hosting configuration still serves HTTP by default
- An intermediate certificate in the chain is missing
When this happens, the connection may be established securely, but something — most often a missing intermediate certificate or mixed content — prevents the browser from marking it as fully trusted.
How to check for a misconfigured certificate:
Use SSL Labs’ free server test at ssllabs.com/ssltest/. Enter your domain. It will give you a detailed report including whether the certificate chain is complete, which protocols are enabled, and whether there are any configuration issues dragging down your trust rating.
If you’re on shared hosting, contact your host’s support. Misconfigurations at the server level usually require their involvement to fix.
Quick Diagnosis Table
| Symptom | Likely Cause | Fix |
|---|---|---|
URL starts with http://, no padlock | No SSL installed | Install SSL via host or Let’s Encrypt |
| Padlock with “expired” message | Certificate expired | Renew certificate; enable auto-renew |
| HTTPS in URL but still shows “Not Secure” | Mixed content error | Find and fix HTTP resources via DevTools |
| SSL installed but warning on some subdomains | Wrong cert type or scope | Check cert coverage; may need wildcard cert |
| SSL shows valid but browser still warns | Misconfiguration or broken chain | Run SSL Labs test; contact host |
Does “Not Secure” Hurt Your Google Rankings?
Directly? A little. Indirectly? Quite a lot.
Google officially confirmed HTTPS as a ranking signal in 2014. It’s described as a “lightweight” signal — meaning on its own, it won’t shoot you to page one. But a secure site builds user confidence and reduces bounce rates, which can indirectly improve SEO rankings. A high bounce rate often signals to search engines that your site isn’t providing value.
The real SEO damage is behavioral. Approximately 93.7% of the top million websites now use HTTPS by default. The indirect SEO benefits of SSL — improved user trust, lower bounce rates, and stronger engagement signals — are substantial.
If visitors are hitting that “Not Secure” warning and leaving immediately, Google’s systems are picking up those engagement signals. High bounce rates, short session times, no return visits — these send signals that your page isn’t worth ranking highly.
Websites with SSL certificates can experience up to 18% higher conversions, while adding SSL can reduce bounce rates by an average of 12–15%. Those aren’t just trust numbers — they’re SEO numbers.
How to Fix “Not Secure” on WordPress Specifically
WordPress has a few quirks worth knowing about.
After installing SSL, you need to update your WordPress Address and Site Address settings to use https://. Go to Settings > General and make sure both URLs start with https://. Many people install the certificate and skip this step, which is why the warning persists.
Second: force HTTPS via your .htaccess file (or via your host’s redirect settings). Add these lines above the existing WordPress rules in your .htaccess:
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
Third: update all internal links. WordPress stores your site URL in the database. Use a plugin like “Better Search Replace” to swap http://yoursite.com for https://yoursite.com across the whole database — including all post content, widget settings, and theme options.
If you’re using a caching plugin, clear the cache after making these changes. Cached pages can still serve HTTP content even after you’ve fixed the underlying issue.
Free vs. Paid SSL: Which Do You Actually Need?
For most sites — including small business websites, blogs, and informational pages — a free certificate from Let’s Encrypt is completely adequate. It provides the same encryption as a paid certificate. The only difference is that it doesn’t carry extended validation or organizational validation, which show a company name in the browser bar (rare these days anyway).
Free SSL comes in one variety: domain-validated single certificates. If you want to encrypt multiple sites, you need to manage multiple certificates. If you want extended validation, a paid option is required.
For eCommerce sites processing payments, a paid certificate with OV (Organizational Validation) is worth considering — it signals to advanced users that the business behind the site has been verified. But for most use cases, Let’s Encrypt does the job.
The 47-Day Certificate Change Coming in 2029
One thing to plan for: The CA/Browser Forum has passed a ballot to reduce SSL/TLS certificates to a 47-day maximum term by 2029. The newly approved measure, initially proposed by Apple, will gradually reduce certificate lifespans through a phased approach.
What this means practically: if you’re manually renewing certificates, that workflow is going to become unsustainable. Automate renewal now — through your host’s control panel, through Certbot (for Let’s Encrypt on self-managed servers), or through a certificate management platform. By the time the 47-day limit takes effect, the industry will have shifted almost entirely to automated renewal pipelines anyway.
Summary: What to Do Right Now
If your site currently shows “Not Secure,” work through this in order:
Step 1: Check whether you have an SSL certificate at all. Type https:// before your domain and see what happens.
Step 2: If you have a cert but still see the warning, check the expiry date via the browser’s certificate info.
Step 3: If the cert is valid and current, open Chrome DevTools (F12 > Console) and look for mixed content errors. Fix every flagged resource.
Step 4: If everything looks correct but the warning persists, run your domain through SSL Labs. Check for chain errors, misconfiguration, or scope issues.
Step 5: Enable auto-renewal for your certificate so this doesn’t happen again in 90 or 200 days.
The warning is fixable. It usually takes less than an hour once you know which of the four causes you’re dealing with. And given that over 67% of users will abandon a form if they don’t see security indicators, every day it goes unfixed is a day your site is working against you.
Frequently Asked Questions
No. It means the connection between the visitor’s browser and your server isn’t encrypted — not that anyone has already accessed your data. It’s a configuration issue, not an attack.
HTTPS is an official (if lightweight) ranking signal. More significantly, fixing it reduces bounce rates and improves engagement — which does influence rankings over time.
Yes. Let’s Encrypt provides free, auto-renewing certificates widely supported by hosting platforms. Most major hosts (Cloudflare, SiteGround, WP Engine, Kinsta) include SSL at no extra charge.
The most likely cause is mixed content: some resource on the page (an image, a script, a video embed) is still loading over HTTP. Open Chrome DevTools and check the Console tab for mixed content errors.
For a simple “no SSL installed” case: 30–60 minutes including propagation time. For mixed content errors on a large site: a few hours. For misconfiguration issues: it depends, but running the SSL Labs test first usually narrows it down quickly.
Published by Organic Cart Studio. Questions about securing your website or improving its search performance? Get in touch.
Read Also: What Role Does Site Speed Play in E-Commerce SEO?
Read Also: WooCommerce Product Pages Not Indexed? Here’s Exactly Why (And How to Fix It)