
Help! My WordPress Website is ‘Not Secure’

Category : Website Security
Date : 6 August 2018
Author : inspomedia

Is your website displaying ‘Not Secure’ in the Google Chrome browser? If it is and you haven’t done anything about it yet, now is the time!

You may or may not know that Google have recently introduced an update to Google Chrome that causes their browser to show all websites, including WordPress sites, as ‘Not Secure’ if the website doesn’t have a valid SSL certificate installed. This October, the warning will be even more noticeable, as Google are making it RED when they release Chrome 70.

SSL means Secure Sockets Layer and has been about for many, many years. Without getting too techy about it, I will run through what SSL is, why it is important and how to install your own SSL certificate. (Skip the explanation, just tell me what I need to do!)

What is SSL?

SSL provides a secure connection between two PCs or devices operating over the internet or an internal network. SSL is used to secure communication between a web browser and a web server. When websites use SSL, the website address/URL changes from HTTP to HTTPS – the ‘S’ stands for ‘secure’.

Why is having an SSL certificate so important?

Security, Speed, Rankings and Customer Retention!

Websites without SSL are insecure and can be subject to eavesdropping and cyber attacks, because the data being transferred from the web browser to the web server is transmitted in plain text. This means attackers can intercept and view personal/sensitive data, such as account logins, credit card information and other personal details.

When data is passed through a browser using HTTPS, the SSL will ensure that the information is encrypted and secure from interception.

Ok, so protecting user data is important, but why would encrypting data affect the speed of your website?

Well, I said I wouldn’t get too techy, so I won’t go into too much detail on this, but simply put, the HTTP/2 protocol that is used when your site is encrypted with SSL is much faster than HTTP. The main reason is that it is multiplexed, so it serves data simultaneously rather than one thing at a time. Here’s an HTTP vs HTTPS speed comparison provided by Anthum.

What about your search engine rankings…

Would it surprise you if I said Google wants to make the web faster and safer? Well, that’s exactly why they are ranking sites with SSL higher in the search results. Google announced way back in 2014 that they would be ranking encrypted HTTPS sites higher, and that was just the start of it.

Don’t expect your site visitors / customers to stay

If your website is showing as ‘Not Secure’, do you think customers will feel safe entering their personal details or credit card information? Google have announced that the ‘Not Secure’ alert will be displayed in red from October 2018. As you can imagine, seeing a red ‘Not Secure’ doesn’t exactly fill your site visitors with confidence, and this will definitely have a negative impact on your leads, conversions, sales, and more.

How to make your website secure

To get SSL installed and working correctly, you have three options:

  1. Install the free SSL Certificate yourself – It’s fairly straightforward and shouldn’t take you too long, but you may come across some issues with mixed content that will require changes in the database. We have put together some step-by-step instructions to help you below.
  2. Ask us to install the SSL Certificate for you – For only £75, we’ll install the certificate for you. This includes a full website/database backup, SSL installation, configuration, testing and error correction. Get in touch if you would like our help.
  3. Change your hosting to Inspo Media – We offer top notch WordPress web hosting with all our care plans. We will migrate your website to our servers, install your SSL certificate for you and audit your website for other potential issues, free! Choose your care plan here.

How to install your SSL Certificate and configure your website for HTTPS

BEFORE YOU BEGIN, MAKE SURE YOU BACK UP YOUR WEBSITE FILES AND DATABASE

Step 1 – Installing your SSL Certificate
Many web hosting companies now have the option to install a free SSL certificate from Let’s Encrypt. You can usually find the option to install the certificate from your cPanel under ‘Security’.

Next, select the domain where you want to install the certificate, and click on Install. You may have to accept terms and conditions before installation will begin. Once installed, move on to Step 2.

Step 2 – Configuring your website to use your SSL Certificate

There are a few ways of doing this, so I’ll start with the easiest…

Option 1: Use a free WordPress plugin

This is the easiest method and is recommended for beginners. All you need to do is install and activate the ‘Really Simple SSL’ plugin. Once activated, visit the Settings » SSL page. The plugin will automatically detect your SSL certificate, and it will set up your WordPress site to use HTTPS.

The ‘Really Simple SSL’ plugin will take care of almost everything including the mixed content errors.

Here’s what the plugin will do:

  • Check that your SSL certificate is activated
  • Make WordPress use HTTPS in the URLs of your website
  • Automatically redirect any links from HTTP to HTTPS
  • Attempt to fix any URLs in your content still loading from insecure HTTP sources

Sounds simple, so why would you need another option?
When the plugin attempts to fix mixed content errors, it uses a buffering technique that can slow your website down, because it’s effectively replacing content on the site dynamically as the page is loaded. The plugin may not be able to fix all mixed content errors, so you may have to manually make changes to URLs in your database. You will also have to keep yet another plugin installed and updated, as deactivating the plugin may bring back mixed content errors.

Option 2: Manually change your WordPress site to SSL (our preferred solution)

Changing your site to SSL manually will take more time to set up, but it is a more permanent and performance-optimised solution. You may need to edit your WordPress theme, code and possibly plugins. If you haven’t done this before, then I would stick with option 1 above, or get some professional help.

Start by going to your Settings » General page, and update your WordPress and site URL address by replacing HTTP with HTTPS. Click the ‘Save Changes’ button to store your new URLs. Once saved, WordPress will automatically log you out, and you will need to log in again.

Now you need to set up WordPress redirects from HTTP to HTTPS. To do this you must add the following code to your .htaccess file.

<IfModule mod_rewrite.c>
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
</IfModule>

If your website is on nginx servers (check with your host if you are unsure), you need to add the following code to redirect from HTTP to HTTPS in your configuration file:

server {
listen 80;
server_name example.com www.example.com;
return 301 https://example.com$request_uri;
}

Make sure you replace example.com with your own domain name!

If you have done the above correctly, your website should now be loading your entire site securely using SSL/HTTPS.

To ensure your admin area is using SSL, you will need to make the following change to your wp-config.php file.

Add the following code above the “That’s all, stop editing!” line in your wp-config.php file:

define('FORCE_SSL_ADMIN', true);

This code will force SSL / HTTPS in your WordPress admin area. (this also works with WordPress multisite networks)

Your website is now completely set up for SSL / HTTPS.

Check your site thoroughly, as you may still encounter mixed content errors. Some external links, images, scripts, or stylesheets may still reference the insecure HTTP protocol. This will stop your site’s secure padlock icon displaying in the address bar, and it will not be green.

Step 3 – Dealing with mixed content

To find out where your mixed content is coming from, open the Google Chrome inspect tool (Ctrl+Shift+I). There will be a mixed content error warning in the console for each mixed content item.

Most of the mixed content errors can be rectified by installing a plugin called ‘Better Search Replace’. Once installed, you can put your old URL in the top field and your new secure URL in the bottom field, select the tables you want to search and replace all instances of HTTP with HTTPS.


Remember to uncheck the tick box ‘Run as dry run?’, then click on ‘Run Search/Replace’ button.

This plugin will now search your selected tables in the WordPress database for URLs starting with HTTP, and replace them with HTTPS. This process may take a few minutes if you have a larger site.

This should have sorted out most, if not all, of your mixed content errors. If you still have a few issues related to plugins or your theme, it would be worth contacting the authors because any changes you make to rectify the issue will be overwritten when the plugin or theme gets updated.

We hope you have found this post useful. Let us know how you get on in the comments below, and if you need any help, get in touch.
