
Why does my website say "Not Secure" and how to fix it

Seeing a "Not Secure" warning on your own website is unsettling, especially when you have a legitimate business and a live site. The good news is that in most cases it is caused by one of a few specific things, and every single one of them is fixable.

What the "Not Secure" warning actually means

When Chrome, Safari, or Firefox says a site is "Not Secure," it means the connection between the browser and the website is not encrypted. Any data sent between the two is sent in plain text. That could be anything from someone typing into a contact form to a password entered on a login page.

This does not necessarily mean your site has been hacked or that malware is present. It simply means the site is still running on HTTP rather than HTTPS. The difference between these two is an SSL certificate, a small digital file that enables encryption.

Since Chrome 68 was released in 2018, Google has marked all HTTP pages as "Not Secure." It is now the default behaviour for all major browsers. An unencrypted site gets the warning regardless of whether the site itself is safe.

The most common causes and how to fix them

Your site has no SSL certificate at all

This is the most straightforward cause. Your site was set up using HTTP and never had an SSL certificate installed. The fix depends on where your site is hosted, but the good news is that SSL certificates are now free.

If you use a website builder like Squarespace, Wix, or Shopify, SSL is included automatically. You do not need to do anything. But if you are on an older plan or a custom hosting setup, you may need to enable it manually. Check your hosting control panel for a section called "SSL" or "Security." Most modern providers offer free certificates through Let's Encrypt. One click is usually all it takes.

If you are not sure, contact your hosting provider and ask them to install a free SSL certificate on your domain. It takes them a few minutes.

Your SSL certificate has expired

SSL certificates have an expiry date. Most certificates are valid for one to two years, and when they expire, the browser treats the site as unencrypted. The warning returns.

Many hosting providers handle renewal automatically. But if you originally installed the certificate yourself or went through a third-party provider, you may need to renew it manually. Set a reminder to check your certificate status every six months. Most SSL providers will send renewal notices by email, but those emails can end up in spam.

You can check the expiry date of any site's certificate by clicking the padlock icon next to the URL in your browser. It will show who issued the certificate and when it expires.
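The same check can be scripted so it does not depend on a reminder or a renewal email. This is an added example, not part of the original article: the function names and the 30-day warning window are assumptions, and the sample certificate is constructed.

```python
import socket
import ssl
import time

def fetch_cert(host, port=443, timeout=5.0):
    """Fetch the server certificate as a dict (needs network access).
    An already expired certificate fails the handshake and raises
    ssl.SSLCertVerificationError instead of returning."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()

def days_until_expiry(cert, now=None):
    """Whole days left before the certificate's notAfter date."""
    now = time.time() if now is None else now
    return int((ssl.cert_time_to_seconds(cert["notAfter"]) - now) // 86400)

def covers(cert, hostname):
    """True if a DNS name in the certificate matches hostname.
    A wildcard stands for exactly one leftmost label."""
    host = hostname.lower().rstrip(".")
    for kind, name in cert.get("subjectAltName", ()):
        name = name.lower()
        if kind != "DNS":
            continue
        if name == host:
            return True
        if name.startswith("*.") and host.partition(".")[2] == name[2:]:
            return True
    return False

def audit_cert(cert, hostname, now=None, warn_days=30):
    """Return a list of problems; an empty list means nothing to fix."""
    problems = []
    left = days_until_expiry(cert, now)
    if left < 0:
        problems.append("expired")
    elif left < warn_days:
        problems.append(f"expires in {left} days")
    if not covers(cert, hostname):
        problems.append(f"does not cover {hostname}")
    return problems

# Constructed sample in the shape getpeercert() returns; not a real certificate.
SAMPLE_CERT = {
    "notAfter": "Mar 15 12:00:00 2025 GMT",
    "subjectAltName": (("DNS", "example.com"), ("DNS", "*.example.com")),
}
SAMPLE_NOW = ssl.cert_time_to_seconds("Mar  1 12:00:00 2025 GMT")
```

For a live check, pass the result of `fetch_cert("your-domain")` to `audit_cert` from a scheduled job.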

Some resources on your page are loading over HTTP

This one is less obvious. Your site may have a valid SSL certificate and load over HTTPS, but individual elements on the page (images, scripts, fonts, videos) might still be loading from old HTTP URLs. Browsers detect this and show the "Not Secure" warning even though the certificate itself is fine.

This is called mixed content, and it is very common on older sites that have been migrated to HTTPS. The fix is to find every resource on your pages that starts with "http://" and update it to "https://". A tool like FlashAudit will scan your pages and flag any insecure resources automatically, which saves you from hunting through page source code manually.

Once you have updated the URLs, test the page again and the warning should disappear.

The certificate is installed but not properly configured

Sometimes an SSL certificate is present but the server is not configured to serve the site over HTTPS. Visitors who type your domain directly or click an old link may still land on the HTTP version. In this case, the site loads without encryption even though the certificate is valid.

The solution is to set up a permanent redirect (a 301 redirect) from HTTP to HTTPS. This tells the browser to always load the secure version of your site. Most hosting control panels have an option to "Force HTTPS" or "Enable HTTPS redirect." Turn it on and test your site in an incognito browser window to confirm the change.
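To confirm the redirect without relying on what the browser has cached, request the HTTP URL directly and look at the raw response. This is an added example, not from the original article: the function names and result labels are assumptions.

```python
import http.client
from urllib.parse import urljoin, urlsplit

def fetch_hop(url, timeout=5.0):
    """Send one HEAD request without following redirects (needs network).
    Returns (status code, Location header or None)."""
    parts = urlsplit(url)
    if parts.scheme == "https":
        conn = http.client.HTTPSConnection(parts.netloc, timeout=timeout)
    else:
        conn = http.client.HTTPConnection(parts.netloc, timeout=timeout)
    try:
        conn.request("HEAD", parts.path or "/")
        resp = conn.getresponse()
        return resp.status, resp.getheader("Location")
    finally:
        conn.close()

def check_redirect(url, status, location):
    """Classify the server's answer to a plain-HTTP request for url."""
    if status not in (301, 302, 303, 307, 308):
        return "no-redirect"          # page is served over HTTP as-is
    # A relative Location is resolved against the requested URL,
    # so "/home" still points at the HTTP site.
    target = urlsplit(urljoin(url, location or ""))
    if target.scheme != "https":
        return "redirects-to-http"
    if status not in (301, 308):      # 308 is the other permanent redirect code
        return "temporary-redirect"   # reaches HTTPS, but is not permanent
    return "ok"

def check_site(url):
    """Live check: fetch the HTTP URL once and classify the result."""
    status, location = fetch_hop(url)
    return check_redirect(url, status, location)
```

Run `check_site("http://your-domain/")` against several pages, not only the homepage; anything other than `"ok"` means the redirect is missing or not permanent for that URL.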

How to check if the fix worked

Open your site in an incognito or private browsing window. Look at the URL bar. If you see a small padlock icon, your site is now loading over a secure connection. Click the padlock to view the certificate details and confirm it is valid.

Test multiple pages across your site, not just the homepage. It is possible for the homepage to load securely while internal pages still load over HTTP or contain mixed content. Pay particular attention to contact forms, checkout pages, and any page where visitors enter information.

You can also use SSL Labs' SSL Test (ssllabs.com) for a thorough check. It will verify that your certificate is correctly installed, that the chain of trust is complete, and that your server is configured securely.

Why this matters beyond the warning

The "Not Secure" label is not just an aesthetic issue. It directly affects how visitors perceive your business. In a 2023 survey by GlobalSign, over 80% of users said they would leave a site if they saw a security warning. If you run an ecommerce site, a contact form, or any page that collects customer information, an unencrypted connection can also put you at legal risk, depending on your jurisdiction.

Google has also confirmed that HTTPS is a ranking signal. All else being equal, a secure site has a slight ranking advantage over an insecure one. It is not the most important ranking factor, but it is one of the easiest to fix.

For these reasons, having a valid, properly configured SSL certificate is now a baseline expectation for any legitimate website. It is not a nice-to-have. It is table stakes.

The short version

  1. The "Not Secure" warning means your site is loading over HTTP, not HTTPS.
  2. Most hosting providers offer free SSL certificates through Let's Encrypt. Enable it in your control panel.
  3. If you already have a certificate, check that it hasn't expired and that it covers your domain.
  4. Check for mixed content: images, scripts, and fonts loading over HTTP on an otherwise HTTPS page.
  5. Set up a 301 redirect from HTTP to HTTPS so visitors always land on the secure version.
  6. Test in incognito mode and use SSL Labs to verify the configuration is correct.
