Why is my Site not Secure
Why does Chrome warn that your site is not secure?
If you see the “not secure” sign next to the URL, then your site is not secure!
Let's take a look into why and how you can fix it.
What Changed?
In July 2018 Google made a big change to the Chrome browser.
They now show the “not secure” warning text next to every webpage that is not using HTTPS and an SSL certificate.
What exactly is an SSL certificate?
We use an SSL certificate to encrypt requests from a user's device to a server.
Encryption scrambles the data sent to a web server. This makes it impossible for someone to read the request as it travels across the internet.
This is very important for protecting the privacy of your users and keeping their data safe.
When a site uses an SSL certificate you have to use HTTPS.
- HTTPS - Is secure and must use a valid SSL certificate
- HTTP - Is not secure and does not use an SSL certificate
There are four reasons why your site might say that it is “not secure”:
- Your site uses HTTP only
- Your site uses HTTPS but the SSL certificate is invalid
- Your site uses HTTPS and the SSL certificate has expired
- Your site uses HTTPS and has a valid SSL certificate but a page loads an image using HTTP
Let's look at when you should set up HTTPS.
Should I use HTTPS?
Do you ask your users for any data?
This could be anything including a contact form or newsletter signup.
If you ask your users for any personal data on your website then you must use HTTPS.
This can be anything from their name and address to their email.
As a responsible website owner, you should protect your users' privacy.
In Chrome, if a user types into an input box on an insecure site, it will display a red warning.
Now that we know why we need to use HTTPS, do you need to have an SSL certificate?
Should I Have an SSL Certificate?
The short answer is, yes!
You see, Google is moving us towards a world where every site uses HTTPS by default.
To use HTTPS you need a valid SSL certificate.
You cannot use HTTPS without a valid SSL certificate.
An SSL certificate is a small file that scrambles the data sent to your server.
The server can then read the data using a secret key.
This sounds difficult, Steve. Should I still do it?
Should I Secure My Site?
Google is pushing the web to be secure by default.
As well as showing the “not secure” warning they have gone a step further.
In October 2019 they announced that all files loaded on a page need to be using HTTPS.
This means that all JavaScript, images and CSS loaded by the page must also be HTTPS with a valid SSL certificate.
Google has even said that they will start to block the loading of HTTP resources from an HTTPS page in Chrome 79.
As of Chrome 80 if you load even one image without using HTTPS then you will see the “not secure” warning again.
This means that having a valid SSL certificate on your site is not enough to remove the “not secure” warning. All the resources the site loads must also use HTTPS with a valid SSL certificate.
This may sound complicated but it is now easier than ever to set up an SSL certificate.
And many options are free.
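One way to find HTTP resources on a page before Chrome flags them, as an added example that is not part of the original article: the scanner below parses a page's HTML and reports every image, script, stylesheet or frame still requested over http://. The attribute table, the function names and the sample page are constructed for illustration.

```python
from html.parser import HTMLParser

# Attributes that make the browser fetch a subresource. <a href> is left out
# on purpose: a link to an HTTP page is navigation, not a file the page loads.
FETCH_ATTRS = {
    "img": ("src", "srcset"), "source": ("src", "srcset"),
    "script": ("src",), "iframe": ("src",), "audio": ("src",),
    "video": ("src", "poster"), "link": ("href",),
}
# <link> only triggers a fetch for these rel values (rel="canonical" does not).
FETCHING_RELS = {"stylesheet", "icon", "preload", "modulepreload", "manifest"}


class MixedContentScanner(HTMLParser):
    """Collects (line, tag, url) for each subresource requested over http://."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        attrs = {name: (value or "") for name, value in attrs}
        rels = set(attrs.get("rel", "").lower().split())
        if tag == "link" and not rels & FETCHING_RELS:
            return
        for name in FETCH_ATTRS.get(tag, ()):
            if name == "srcset":  # "url descriptor" pairs separated by commas
                urls = [c.split()[0] for c in attrs.get(name, "").split(",") if c.strip()]
            else:
                urls = [attrs.get(name, "").strip()]
            for url in urls:
                if url.lower().startswith("http://"):
                    self.findings.append((self.getpos()[0], tag, url))


def find_mixed_content(html):
    scanner = MixedContentScanner()
    scanner.feed(html)
    return scanner.findings


# Constructed sample page, assumed to be served from https://example.com/.
SAMPLE_PAGE = """<html><head>
<link rel="canonical" href="http://example.com/">
<link rel="stylesheet" href="http://example.com/site.css">
</head><body>
<a href="http://example.org/">old link</a>
<img src="http://example.com/logo.png" srcset="/logo-2x.png 2x">
</body></html>"""
```

Calling find_mixed_content(SAMPLE_PAGE) reports the stylesheet and the logo image but not the canonical tag or the ordinary link, because neither of those makes the browser load a file.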
How to get a Free SSL Certificate
Let's Encrypt is the main company behind the free SSL certificate movement.
They have partnered with many companies to offer free SSL certs to us all.
So for example, if you have a WordPress blog then you can install a plugin to get a free Let's Encrypt certificate.
The plugin I would recommend is SSL Zen.
This plugin will take care of the SSL certificate setup for you.
If you are using WordPress then many hosting providers will now give you SSL for free.
For example, Bluehost offers an SSL certificate as part of every hosting package.
One last option is to use a CDN. This stands for Content Delivery Network. It caches your web server files closer to your users to speed up the performance of your site.
Many of these CDN providers will also set up a free SSL certificate for you.
For example, Cloudflare offers SSL free for low traffic sites.
Migration from HTTP to HTTPS
So now that we know why we need to add HTTPS, let's look at the move from HTTP to HTTPS.
You want to protect your users' privacy and ensure that their data is safe.
But you have many links already set up to use HTTP.
There are a few tasks to complete when migrating from HTTP to HTTPS:
- Make sure that your sitemap URLs are using HTTPS, not HTTP
- Make sure that all links in your page content use HTTPS
- Set up server-side redirection so that any existing links go from HTTP to HTTPS
Sitemap
Google uses the sitemap to locate all the pages on your site.
When migrating to HTTPS we need to make sure that all these links use https:// not http://.
For more information on how to find your sitemap take a look at our guide.
HTTPS Links
If you have hardcoded any links to pages in your content then you may need to change them.
Search your website's content for any http:// links and update them to use https://.
HTTPS Server Redirection
To complete the migration you need to set up your server to redirect all HTTP requests to HTTPS.
Then when a user types in the following:
http://example.com
Your server will then redirect to:
https://example.com
For SEO and to maintain the links, this redirection must use a 301 redirect.
Let's look at configuring this on some popular web servers.
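In Nginx use this config:

    server {
        # Plain-HTTP listener: its only job is to redirect to HTTPS
        listen 80;
        server_name example.com www.example.com;
        # 301 = permanent redirect; $request_uri keeps the path and query string
        return 301 https://example.com$request_uri;
    }
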
For Apache add this to the main server configuration file:

    <VirtualHost *:80>
        ServerName www.example.com
        # "permanent" sends a 301; without it Redirect defaults to a temporary 302
        Redirect permanent / https://www.example.com/
    </VirtualHost>
    <VirtualHost *:443>
        ServerName www.example.com
        # ... SSL configuration goes here
    </VirtualHost>

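The sitemap check and the redirect check from the migration steps above can be scripted; this is an added example, not code from the original article. The function names and the sample sitemap are assumptions made for illustration, and fetch_redirect needs network access to your own server.

```python
import http.client
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# The sitemap namespace is an identifier, not a link; its http:// is expected.
SITEMAP_NS = "{http://www.sitemaps.org/schemas/sitemap/0.9}"


def insecure_sitemap_urls(sitemap_xml):
    """Return every <loc> entry in a sitemap that still uses http://."""
    root = ET.fromstring(sitemap_xml)
    locs = (el.text.strip() for el in root.iter(SITEMAP_NS + "loc") if el.text)
    return [url for url in locs if urlsplit(url).scheme == "http"]


def fetch_redirect(url):
    """Request url over plain HTTP without following the redirect."""
    parts = urlsplit(url)
    target = (parts.path or "/") + ("?" + parts.query if parts.query else "")
    conn = http.client.HTTPConnection(parts.netloc, timeout=10)
    conn.request("HEAD", target)
    response = conn.getresponse()
    conn.close()
    return response.status, response.getheader("Location")


def check_redirect(requested_url, status, location):
    """List what is wrong with the server's answer to an http:// request."""
    problems = []
    if status != 301:
        problems.append(f"status is {status}, expected 301")
    if not location:
        return problems + ["no Location header"]
    src, dst = urlsplit(requested_url), urlsplit(location)
    if dst.scheme != "https":
        problems.append("Location does not point at https://")
    # The host may legitimately change (www to bare domain), so only the
    # path and query string are compared.
    if (dst.path or "/") != (src.path or "/") or dst.query != src.query:
        problems.append("path or query string is not preserved")
    return problems


# Constructed sample sitemap: one entry was missed during the migration.
SAMPLE_SITEMAP = """<urlset xmlns="http://www.sitemaps.org/schemas/sitemap/0.9">
  <url><loc>https://example.com/</loc></url>
  <url><loc>http://example.com/about</loc></url>
</urlset>"""
```

To test a live server, pass the result of fetch_redirect("http://example.com/some/page") to check_redirect along with the same URL; an empty list means the redirect is a 301 to HTTPS that keeps the path.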
Secure Padlock
Once you have set up the HTTP to HTTPS redirection and you have a valid SSL certificate installed the “Not Secure” warning text will disappear.
Instead, you will see a padlock icon showing that your site is secure.
Clicking this gives you details of the security that is in use on this site.
This gives your users the confidence that the page is secure.
Wrapping Up, Why is my Site not Secure?
In this article, we have looked at why your site may be showing the “Not secure” warning text.
We have looked at four times when this can happen:
- Your site uses HTTP only
- Your site uses HTTPS but the SSL certificate is invalid
- Your site uses HTTPS and the SSL certificate has expired
- Your site uses HTTPS and has a valid SSL certificate but a page loads an image using HTTP
To remove the warning text you need to:
- Run your site using HTTPS and have a valid SSL certificate
- Load all page assets using HTTPS with SSL
When you do this the “Not secure” warning text will disappear and both you and your users will see the secure padlock, letting your users know that the site is secure.