How to Fix “Not Secure” Website in Chrome (for WordPress Sites)

A “Not Secure” warning in Chrome usually means your WordPress site is not loading fully over HTTPS. This can happen when your site has no SSL certificate, an expired certificate, mixed content, or missing HTTP to HTTPS redirects.

For WordPress users, the fix is usually simple: install an SSL certificate, update your WordPress URL to HTTPS, force HTTPS redirects, fix mixed content, and test the site again in Chrome DevTools or an SSL checker.

This warning matters because visitors may lose trust when they see it, especially on login, checkout, booking, donation, or contact form pages. It can also affect search performance because Google treats HTTPS as a ranking signal.

In this guide, you’ll learn why Chrome shows the warning and how to fix it step by step.

Quick Diagnosis: Why Chrome Says Your Site Is Not Secure

| Problem | Why It Happens | Fix |
| --- | --- | --- |
| No SSL certificate | Site loads over HTTP | Install SSL |
| Expired SSL | Certificate is no longer valid | Renew SSL |
| Mixed content | Some files load over HTTP | Replace HTTP URLs |
| HTTP not redirected | Old URL still opens | Add 301 redirect |
| Domain mismatch | SSL does not cover www/subdomain | Update SSL coverage |
| CDN or plugin issue | External assets load insecurely | Update plugin/CDN URLs |

What Does “Not Secure” Mean in Google Chrome?

“Not Secure” in Chrome means the browser cannot verify a complete HTTPS connection for that page. In simple words, Chrome cannot confirm that the connection between your visitor’s browser and your website is secure.

This usually happens when your website does not have a valid SSL certificate, still loads through HTTP, or loads some files such as images, scripts, fonts, or stylesheets from insecure HTTP links.

For WordPress websites, this warning is common after moving from HTTP to HTTPS without updating all internal links, media files, plugin assets, or redirect settings.

Is a “Not Secure” Website Always Hacked?

No, a “Not Secure” warning does not always mean your website is hacked.

In most cases, it means your site has a security configuration issue. For example, your SSL certificate may be missing, expired, or not applied correctly. Your site may also have mixed content, where the main page loads with HTTPS but some files still load through HTTP.

However, you should still fix it quickly because visitors may lose trust when they see the warning, especially on pages where they submit forms, book appointments, register for events, or make payments.

Why Chrome Shows This Warning

Chrome may show the “Not Secure” warning for several reasons:

  • Your website does not have an SSL certificate.
  • Your SSL certificate has expired.
  • Your WordPress site URL still uses HTTP.
  • Your site has mixed content errors.
  • Some plugins or themes load insecure files.
  • Your HTTP pages do not redirect to HTTPS.
  • Your CDN or subdomain is not using HTTPS correctly.

Common Reasons WordPress Shows “Not Secure” in Chrome

There isn’t just one reason this warning pops up. This often happens due to missing SSL, mixed content (like images or scripts loading over HTTP), or plugins and themes pulling non-secure resources. In fact, your site might even have an SSL certificate installed and still get flagged by Chrome.

Let’s go through the most common ones.

1. No SSL certificate installed

This is the most straightforward cause. If your site is still running over http:// and you haven’t installed an SSL certificate, browsers will mark it as “Not Secure” by default. Without it, anything submitted on your site could be intercepted, even on basic contact forms. 

2. SSL is installed but not forced (mixed content issues)

Sometimes, an SSL certificate is installed correctly, but your WordPress site still loads some content (such as images, scripts, or stylesheets) over HTTP instead of HTTPS. This is known as mixed content, and it can prevent the browser from displaying the padlock.

In these cases, the web browser sees that part of the page is secure, but some elements are not. As a result, it gives a warning rather than the padlock icon.

3. Plugins or themes loading non-secure content

Even if you’ve secured your site correctly, some plugins or themes might load external resources (like fonts, icons, or scripts) over HTTP. These can trigger mixed content warnings and keep your site from appearing fully secure.

This often happens with:

  • Custom-coded themes
  • Third-party scripts (like Google Fonts or old CDN links)
  • Social media embeds

4. Your domain or subdomains aren’t fully configured with HTTPS

If your primary domain is secured but subdomains like blog.yoursite.com or shop.yoursite.com aren’t, visitors may still see “Not Secure” on parts of your site.

It’s also possible that your SSL certificate only covers your root domain (such as example.com) and not the “www” version, or vice versa. This can lead to issues depending on how your URLs are configured in WordPress.
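
To make the coverage problem concrete, the following added example (not part of the original article) checks which hostnames a certificate's name list leaves uncovered. The hostnames and certificate name lists are constructed, and the matching follows the usual browser rule that a wildcard stands for exactly one leftmost label.

```python
def san_matches(pattern, host):
    """Match one certificate name against a hostname.

    A '*' is honoured only as the entire leftmost label and stands for
    exactly one label, so '*.example.com' covers 'www.example.com' but
    neither 'example.com' nor 'a.b.example.com'.
    """
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        # Simplification: refuse wildcards directly under a top-level label.
        return len(p) > 2 and p[1:] == h[1:]
    return p == h


def uncovered_hosts(cert_names, hosts):
    """Return the hosts that no name on the certificate covers."""
    return [h for h in hosts
            if not any(san_matches(name, h) for name in cert_names)]


# Constructed inputs: the hostnames a site answers on, and three possible
# certificate name lists (hypothetical, not taken from a real certificate).
SITE_HOSTS = ["example.com", "www.example.com",
              "blog.example.com", "shop.example.com"]
CERT_APEX_ONLY = ["example.com"]
CERT_WILDCARD_ONLY = ["*.example.com"]
CERT_APEX_AND_WILDCARD = ["example.com", "*.example.com"]

if __name__ == "__main__":
    for names in (CERT_APEX_ONLY, CERT_WILDCARD_ONLY, CERT_APEX_AND_WILDCARD):
        print(names, "->", uncovered_hosts(names, SITE_HOSTS))
```

A wildcard-only certificate leaves the bare domain uncovered, which is the "www works, non-www warns" case described above.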

How to Check Why Your Site Is Not Secure

Even if your site looks fine on the surface, it’s a good idea to run a few checks to confirm everything is secure. Here are a few ways to quickly test your WordPress site for HTTPS issues.

Use Chrome DevTools (Security tab)

One of the easiest ways to check your site’s security status is by using Chrome’s built-in developer tools. This tool is invaluable if you want to delve into specific problem areas, such as scripts or images that are still loading over HTTP.

Here’s how:

  • Open your website in Chrome.
  • Right-click anywhere on the page and select Inspect.
  • Click the “Security” tab at the top (you may need to click the >> icon to find it).
  • You’ll see a summary of the page’s security, including whether HTTPS is working and if there’s any mixed content.

Online SSL checkers

You can also use free online tools to scan your website’s SSL status and catch any hidden issues:

  • Why No Padlock? – Great for finding mixed content on individual pages.
  • SSL Labs SSL Test – Gives a detailed report on your SSL certificate’s strength, expiry, and compatibility.

Plugins and tools

If you prefer to manage things directly from your WordPress dashboard, there are a few helpful plugins:

  • Really Simple SSL – Automatically detects your SSL certificate and helps fix mixed content by updating internal URLs.
  • Wordfence – Offers basic HTTPS scanning as part of its security features.
  • Jetpack – Includes security monitoring, including HTTPS-related checks on supported plans.

How to Fix the “Not Secure” Warning in WordPress

Once you’ve confirmed that your site is being marked as “Not Secure,” it’s time to fix the Google Chrome Not Secure warning. The good news is that most WordPress users can do this in a few steps — no coding required in most cases.

Step 1: Install an SSL certificate

Before anything else, your site needs a valid SSL certificate. If your site already has a certificate but still shows as not secure, the cause may be a missing redirect, an expired certificate, or an incorrect setup.

Here’s how to get one:

  • Through your hosting provider: Many hosts offer free SSL certificates via Let’s Encrypt. You can usually enable it with one click from your hosting dashboard.
  • Manually: If your host doesn’t support free SSL, you can purchase one and install it yourself. This requires a bit more setup, mainly if your site uses a custom server or CDN.

Step 2: Force HTTPS in WordPress

Installing SSL is only part of the solution. You also need to make sure WordPress is set to use HTTPS across the entire site.

Here’s what to do:

  • Go to Settings > General in your WordPress dashboard.
  • Update the WordPress Address (URL) and Site Address (URL) fields to use https:// instead of http://.

Next, you’ll want to redirect all traffic from HTTP to HTTPS. You can do this by:

  • Using a plugin: Really Simple SSL can handle this automatically.
  • Manual method: Add the following code to your .htaccess file (for Apache servers):
<IfModule mod_rewrite.c>
RewriteEngine On
# Apply the rule only to requests that arrived over plain HTTP
RewriteCond %{HTTPS} off
# Send a permanent (301) redirect to the same host and path over HTTPS
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
</IfModule>

Step 3: Fix mixed content errors

To fix mixed content errors in WordPress, you’ll need to update all insecure links still using HTTP.

Here’s how:

  • Scan your site with a tool like Why No Padlock or use the browser console to find insecure URLs.
  • Update image URLs and links in your content, widgets, and theme files to use https://.
  • Use Better Search Replace to change http:// links in your database to https://.

To learn more, check our in-depth guide on How to fix WordPress mixed content error in 3 simple methods.

Step 4: Test your HTTPS setup

After making the changes, it’s a good idea to double-check everything to ensure accuracy. 

  • Open your site in an incognito window and look for the padlock icon. 
  • You can also use tools like Chrome DevTools or Why No Padlock to see if any mixed content warnings are still there.
  • For a thorough check, run your site through SSL Labs to ensure your certificate is set up correctly. This helps you catch anything you might have missed.

Step 5: Submit your site to Google Search Console again

After switching to HTTPS, it’s a good idea to update Google Search Console. This helps Google re-index your secure version and prevents duplicate content issues between HTTP and HTTPS versions. To do so:

  • Log in to your account.
  • Add the https:// version of your site as a new property.
  • Submit your updated sitemap (usually found at https://yoursite.com/sitemap.xml).

WordPress HTTPS Checklist

Before you mark the issue as fixed, check every part of your WordPress site that can affect HTTPS. A valid SSL certificate is important, but your whole website also needs to load through HTTPS without mixed content errors.

Use this checklist to confirm your WordPress site is fully secure in Chrome:

| HTTPS Check | What to Confirm | Status |
| --- | --- | --- |
| SSL certificate is active | Your domain has a valid SSL certificate installed from your hosting provider. | |
| WordPress Address uses HTTPS | Go to Settings → General and make sure WordPress Address (URL) starts with https://. | |
| Site Address uses HTTPS | In the same settings page, make sure Site Address (URL) also starts with https://. | |
| HTTP redirects to HTTPS | When someone opens the http:// version, it should automatically redirect to https://. | |
| www and non-www versions work | Both www and non-www versions should point to the correct secure version. | |
| Pages load without mixed content | Images, CSS, JavaScript, fonts, videos, and embeds should load through HTTPS. | |
| Internal links use HTTPS | Menu links, buttons, blog links, product links, and CTA links should not use old HTTP URLs. | |
| Media files use HTTPS | Old uploaded images and files should not load from http:// media URLs. | |
| Plugins and themes are updated | Outdated plugins or themes can load insecure scripts or styles. Keep them updated. | |
| CDN uses HTTPS | If you use Cloudflare, BunnyCDN, or another CDN, confirm SSL is enabled there too. | |
| Sitemap uses HTTPS URLs | Your XML sitemap should list only https:// URLs. | |
| Google Search Console has HTTPS property | Add and verify the HTTPS version of your website in Google Search Console. | |
| Cache is cleared | Clear WordPress cache, plugin cache, CDN cache, and browser cache after fixing HTTPS. | |
| Chrome shows no warning | Open your site in Chrome and confirm the “Not Secure” warning is gone. | |

How to Prevent the Not Secure Warning from Coming Back

Setting up HTTPS is a significant step forward, but maintaining your site’s security is an ongoing task. To keep your site safe and running smoothly, follow these tips:

  • Keep your plugins and themes updated: Old plugins or themes can create security gaps. Always keep them updated to the latest version. Updates often fix bugs and patch security issues.
  • Use security plugins like Wordfence: While SSL encrypts the connection, it doesn’t protect your WordPress backend. A good security plugin helps you monitor threats, block suspicious activity, and receive alerts if something goes wrong. Wordfence is a popular option and works well with SSL.
  • Use a secure hosting provider: Your host plays a big role in your site’s safety. Choose one that offers built-in SSL, firewall protection, regular backups, and malware scanning.
  • Enable automatic redirects: Ensure that visitors are always directed to the HTTPS version, regardless of how they enter your URL. This means redirecting from http:// to https:// and ensuring that both www and non-www versions of the domain point to the same location.
  • Add a Content Security Policy (CSP) header: A CSP helps stop unwanted scripts from running on your site. This protects you from things like cross-site scripting (XSS). It’s a bit technical, but many hosting services or security plugins allow you to set it up.
  • Enable HTTP Strict Transport Security (HSTS): HSTS instructs web browsers to always use HTTPS for your site. It prevents people from accidentally loading the HTTP version again. You can add this through your server settings or with your security plugin.
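
The redirect and HSTS items in this list can be checked from the response headers alone. This added example (not from the original article) audits the header blocks that a command such as `curl -sIL http://example.com/` prints; the sample capture and the function names are constructed for illustration.

```python
import re
from urllib.parse import urljoin, urlsplit

# Constructed stand-in for `curl -sIL http://example.com/` output (not a real capture).
SAMPLE = """\
HTTP/1.1 302 Found
Location: https://example.com/

HTTP/1.1 301 Moved Permanently
Location: https://www.example.com/

HTTP/2 200
content-type: text/html; charset=UTF-8
"""

def parse_hops(start_url, raw):
    """Turn concatenated response-header blocks into [(url, status, headers)]."""
    hops, url = [], start_url
    for block in re.split(r"\r?\n\r?\n", raw.strip()):
        lines = block.splitlines()
        status = int(lines[0].split()[1])
        headers = {k.strip().lower(): v.strip()
                   for k, v in (l.split(":", 1) for l in lines[1:] if ":" in l)}
        hops.append((url, status, headers))
        if "location" in headers:
            url = urljoin(url, headers["location"])  # URL the next block answers
    return hops

def audit(start_url, raw):
    """Return the problems found in an HTTP-to-HTTPS redirect chain."""
    hops, problems = parse_hops(start_url, raw), []
    first_url, first_status, first_headers = hops[0]
    target = urljoin(first_url, first_headers.get("location", ""))
    if urlsplit(target).scheme != "https":
        problems.append("http:// request is not redirected to https://")
    elif first_status != 301:
        problems.append(f"first redirect is {first_status}, not a permanent 301")
    schemes = [urlsplit(u).scheme for u, _, _ in hops]
    if "https" in schemes and "http" in schemes[schemes.index("https"):]:
        problems.append("chain drops back to http:// after reaching https://")
    final_url, _, final_headers = hops[-1]
    hsts = re.search(r"max-age=(\d+)",
                     final_headers.get("strict-transport-security", ""), re.I)
    # Browsers only honour HSTS received over HTTPS, and max-age=0 disables it.
    if urlsplit(final_url).scheme != "https" or not (hsts and int(hsts.group(1)) > 0):
        problems.append("no usable Strict-Transport-Security header on the final response")
    return problems
```

Run it against the www and non-www start URLs separately, since each has its own redirect chain.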

FAQs About the Chrome Not Secure Warning

Why does Chrome say my WordPress site is Not Secure?

Chrome shows “Not Secure” when your site does not load through a complete HTTPS connection. Common causes include missing SSL, expired SSL, mixed content, or HTTP pages not redirecting to HTTPS.

How do I fix a Not Secure website in WordPress?

Install an SSL certificate, update your WordPress URLs to HTTPS, force HTTPS redirects, fix mixed content, and test the site again in Chrome DevTools.

Why does my site still say Not Secure after installing SSL?

Your site may still load images, scripts, fonts, or old internal links over HTTP. This is called mixed content and must be fixed before Chrome shows the secure connection status.

Does the Not Secure warning affect SEO?

Yes, it can affect user trust and search performance. Google has confirmed HTTPS as a ranking signal, though content quality remains more important.

What is mixed content in WordPress?

Mixed content happens when an HTTPS page loads some resources through HTTP. These resources can include images, CSS files, JavaScript files, fonts, videos, or third-party embeds.

Do I need to update Google Search Console after moving to HTTPS?

Yes. Add the HTTPS version of your site, submit the HTTPS sitemap, and make sure HTTP URLs redirect to the correct HTTPS URLs.

Can a plugin cause the Not Secure warning?

Yes. Some old plugins or themes may load scripts, fonts, icons, or images through HTTP. Update the plugin, replace the insecure URL, or remove the source if needed.

Final thoughts: Don’t let a simple SSL issue hurt your site

A Chrome “Not Secure” warning is usually fixable, but you should not ignore it. It can reduce visitor trust, especially if your site collects emails, payments, bookings, reservations, or login details.

Start with the basics: install a valid SSL certificate, update your WordPress URLs to HTTPS, force HTTP to HTTPS redirects, and fix mixed content. After that, test your site with Chrome DevTools, an SSL checker, and Google Search Console.

If you use ThemeWinter plugins or themes, make sure your hosting SSL is active and your site URLs are properly set to HTTPS. Once the technical setup is correct, your WordPress site can load securely and give visitors a safer browsing experience.

Written By

Shifat Jaman

Shifat is a technical content writer with a passion for tech, SaaS, and especially WordPress. He creates practical, engaging content that helps users build better websites, boosts SEO performance, and encourages social sharing.
