You are here: Home » Step-by-Step Guide to Fix “Site Not Secure” Errors When Your SSL Certificate Is Valid
Blog

Step-by-Step Guide to Fix “Site Not Secure” Errors When Your SSL Certificate Is Valid

by Jonathan Dough
written by Jonathan Dough

You’ve got an SSL certificate. It’s valid, it’s shiny, it’s working. But wait… your site is still showing as “Not Secure”? What gives?! It’s like locking all your doors and still hearing spooky noises. 😨

Don’t worry. This common issue often has simple fixes. Let’s break it down step by step—no tech wizardry required!

Step 1: Double-Check Your SSL Certificate

Yes, we know you said it’s valid. But let’s quickly confirm!

  • Go to your site in a browser.
  • Click the padlock icon next to the URL.
  • View certificate details and check the expiration date.

If it’s expired, it’s time to renew. But if everything looks fine, let’s roll to the next step.

Step 2: Ensure All Resources Are Loaded Over HTTPS

This is the number-one reason a secure site shows as “Not Secure”. It’s called mixed content.

You may be loading images, CSS, JavaScript, or fonts using HTTP instead of HTTPS. That messes everything up.

Here’s how to find those sneaky files:

  • Open your site in Google Chrome.
  • Right-click and select Inspect.
  • Go to the Console tab and look for warnings or errors about “mixed content”.

Fix them by changing http:// to https:// in your site’s code or CMS.

Step 3: Use HTTPS in Your Site Settings

If your site still mentions HTTP anywhere in its core settings, that could override the SSL.

In popular platforms like WordPress:

  • Go to Settings > General.
  • Make sure both WordPress Address (URL) and Site Address (URL) use https://.

Save changes. This tells your site to always use HTTPS and makes your certificate actually do its job!

Step 4: Force HTTPS Using a Redirect

Even with HTTPS active, some users (or bots) might try to sneak in using HTTP. Solve this with a redirect!

Add this to your .htaccess file if you’re using Apache:

RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

For Nginx:

server {
    listen 80;
    server_name yoursite.com;
    return 301 https://$host$request_uri;
}

Now, anyone trying to get in through the back door gets rerouted securely. Like magic!

Step 5: Update Your Internal Links

Old habits die hard. If your internal links still use http://, your browser could flag the page as insecure.

Do a quick search in your code or CMS for HTTP links:

  • Update them to HTTPS automatically using a plugin or tool if available.
  • Double-check menus, headers, footers, and widgets.

This makes your entire site consistently secure. No rebel links allowed.

Step 6: Update External Scripts or Plugins

That cool weather widget you added back in 2014? It might be betraying you!

If you embed stuff from other sites, make sure they also serve content over HTTPS.

If they don’t, browsers might block them—or worse, flag your site as insecure.

Solutions:

  • Find an HTTPS alternative.
  • Host the script on your own site with HTTPS (if allowed).

Outdated plugins or themes can also be culprits. Keep everything updated.

WP Club Manager Plugin

Step 7: Clear Browser and Server Caches

Sometimes your browser is just being lazy and loading old info.

Clear your browser cache. That’s ctrl+shift+del on many browsers—not scary at all.

Also, if you’re using a caching plugin, flush it. And if you’re using a CDN (Content Delivery Network), purge the cache there too.

This ensures new content gets loaded properly and securely.

Step 8: Check Your CDN or Proxy Settings

Using Cloudflare or another CDN? Great! But your configuration might need a tweak.

  • Log into your CDN dashboard.
  • Make sure SSL is fully enabled—not just “Flexible”.
  • Use the “Full” or “Full Strict” option for the best security.

Flexible SSL means the connection between your site and the CDN isn’t encrypted. That’s like locking one side of a door!

Step 9: Enable HSTS (Optional but Cool)

This one’s a bit techy, but powerful. HTTP Strict Transport Security tells browsers to only interact with your site over HTTPS.

Add this to your server configuration or .htaccess:

Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"

It forces browsers to remember your site as secure. Very James Bond-level security. 🕶️

Still Stuck?

If you’ve tried everything and that sad “Not Secure” message still stares at you… it may be time to bring in the experts.

  • Contact your hosting provider. They may have SSL issues you can’t see.
  • Use SSL testing tools like SSL Labs for a deep scan.
  • Consider hiring a pro for a quick audit.

Wrap-Up Time!

See? It wasn’t as scary as it seemed!

Here’s a quick recap of what you did:

  1. Confirmed your SSL is valid.
  2. Checked for and fixed mixed content.
  3. Updated settings to use HTTPS across your site.
  4. Forced redirects.
  5. Fixed rebel links and plugins.
  6. Cleared cache and reviewed CDN settings.

Now your visitors see that happy little padlock next to your URL. Just the way it should be. 🔒

Go ahead, reload your site and smile knowing it’s secure, fast, and trustworthy!

0
FacebookTwitterPinterestRedditWhatsapp

Techsive
Decisive Tech Advice.
© 2020 - 2022; Techsive