My Website Says 'Not Secure' — Here's How to Fix It

You typed your own website address into Chrome and saw "Not Secure" next to the URL. That's not a virus. It's not a hack. It means your website doesn't have an SSL certificate, or the certificate isn't set up correctly.

The fix is usually straightforward. Most hosting providers offer free SSL certificates, and activation takes less than 10 minutes.

What "Not Secure" actually means

Every website can load in two ways: over HTTP or HTTPS. The "S" stands for secure. When your site uses HTTPS, the connection between the visitor's browser and your server is encrypted. Nobody can intercept what's being sent back and forth.

When your site uses plain HTTP, there's no encryption. Browsers started warning visitors about this in 2018. Chrome shows "Not Secure" in the address bar. Firefox shows a crossed-out padlock. Safari hides the warning but blocks certain features on HTTP sites.

This matters beyond just the warning label. Google uses HTTPS as a ranking factor. Visitors are less likely to fill in contact forms or make purchases on sites marked as insecure. And if your site has any kind of login or payment form, sending that data over HTTP is a genuine security risk.

Why your website might show the warning

There are four common reasons.

No SSL certificate installed. Your hosting provider hasn't activated SSL, or you haven't requested it. This is the most common cause for older websites that were set up before HTTPS became standard.

Expired certificate. SSL certificates need renewal, usually every 90 days (Let's Encrypt) or every year (paid certificates). If renewal fails or gets forgotten, the certificate expires and browsers show a warning.

Mixed content. Your site loads over HTTPS, but some images, scripts or stylesheets still load over HTTP. One insecure resource is enough to trigger the warning on that page.

Wrong redirect setup. Your site has SSL but the HTTP version doesn't redirect to HTTPS. Visitors who type your domain without "https://" get the insecure version.

You can scan your website for free to find out exactly which of these issues applies to you.

How to fix it: step by step

Step 1: Check if you already have SSL

Open your website in Chrome. Click the icon to the left of the URL in the address bar. If it says "Connection is secure," you have SSL but might have a redirect or mixed content problem. If it says "Not secure," you need to install a certificate.

Step 2: Get a free SSL certificate

Most hosting providers include free SSL. Here's how to activate it on common platforms.

WordPress on shared hosting (SiteGround, Bluehost, HostGator, TransIP): Go to your hosting control panel. Look for "SSL/TLS" or "Security" in the menu. There's usually a toggle to enable Let's Encrypt or AutoSSL. Turn it on and wait 5-10 minutes for it to activate.

WordPress on managed hosting (Kinsta, WP Engine, Cloudways): These providers usually activate SSL automatically. Check your dashboard under the domain settings. If it's not active, contact their support.

Wix, Squarespace, Shopify: SSL is included and enabled by default. If you're seeing "Not Secure," it's likely a custom domain configuration issue. Go to your domain settings and make sure the SSL toggle is on.

cPanel hosting: Log into cPanel. Go to "SSL/TLS Status" under the Security section. Click "Run AutoSSL" for your domain. AutoSSL will install a free certificate and configure it.

Vercel, Netlify: SSL is automatic for all domains. If you've added a custom domain and see warnings, check that your DNS records are pointing correctly.

Step 3: Force HTTPS redirect

After installing SSL, you need to redirect all HTTP traffic to HTTPS. Otherwise, visitors who type "yoursite.com" without the "https://" prefix will still get the insecure version.

WordPress: Install the Really Simple SSL plugin. It handles the redirect and fixes most mixed content automatically. Or add this to your .htaccess file:

RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

cPanel: Go to "Domains" and toggle "Force HTTPS Redirect" to On.

Wix/Squarespace/Shopify: The redirect is handled automatically once SSL is active.

Step 4: Fix mixed content

Mixed content happens when your HTTPS page loads resources (images, scripts, fonts) over HTTP. This is common on older sites that were migrated from HTTP to HTTPS.

How to find mixed content: Open your site in Chrome. Press F12 to open DevTools. Click the Console tab. Mixed content warnings appear as yellow or red messages that say "Mixed Content: The page was loaded over HTTPS, but requested an insecure resource."

How to fix it: Update the URLs of the insecure resources to use HTTPS. In WordPress, the Better Search Replace plugin can change all http://yoursite.com references to https://yoursite.com across your database in one go.

For images hardcoded in your theme or custom CSS, update the URLs manually. If an external resource doesn't support HTTPS, find an alternative that does.

Step 5: Update your sitemap and Google Search Console

After switching to HTTPS, update your sitemap to use HTTPS URLs. In Google Search Console, add the HTTPS version of your site as a new property. Google treats HTTP and HTTPS as separate sites.

Also update your website URL in Google Business Profile, social media accounts and any directory listings.

Frequently asked questions

How much does an SSL certificate cost?

Nothing, in most cases. Let's Encrypt provides free certificates, and most hosting providers include them. Paid certificates (from providers like DigiCert or Comodo) cost 50-300 euros per year but aren't necessary for small business websites.

Will switching to HTTPS break my website?

Rarely. The most common issue is mixed content, which shows up as broken images or missing styles. The fixes are usually simple URL changes. Back up your site before making changes, just in case.

How long does the SSL certificate last?

Let's Encrypt certificates last 90 days but renew automatically. Paid certificates typically last one year. Your hosting provider handles renewal in most cases. If you're managing your own server, set up automatic renewal with Certbot.

Does HTTPS make my website slower?

No. Modern HTTPS (using TLS 1.3) adds negligible overhead. In practice, HTTPS sites often load faster because they can use HTTP/2, which requires an encrypted connection.

My hosting provider charges extra for SSL. Should I pay?

Switch providers. Free SSL is standard in 2026. Any host that charges extra for basic SSL is behind the times. TransIP, Antagonist and Versio all offer free SSL with their hosting packages in the Netherlands.

---

Check your website's security setup for free at trustyourwebsite.nl/scan. The scan checks SSL, mixed content and redirect configuration in 30 seconds.