Why is my website not secure?
Find out the reasons why your website is labeled "not secure" and how to fix this.
23 February 2021 · 7 min read
One of the worst feelings that can come with owning a website is seeing it labeled by browsers as “Not Secure.” This warning message is very common on Google Chrome, especially for websites without an encrypted connection.
Firefox, Safari, and other web browsers have followed suit, giving similar warnings in the address bar when users are on a non-secure website.
E-commerce websites are usually among the worst affected since they require users to enter sensitive information, such as shipping addresses, passwords, and credit card details. If users see an e-commerce website as non-secure, they won’t add to the cart, let alone proceed to checkout.
Is your website showing as not secure whenever people try to access it? This article is intended to help you find and fix the issue(s). There’s no need to fret; however, you’ll need to be ready to put in some work.
Before we dive into the steps, let’s start with some basics.
What does it mean when my website is labeled as “not secure”?
Websites typically serve content to users over the Hypertext Transfer Protocol (HTTP). You can think of HTTP as the standard way a user’s device communicates with the website they’re browsing.
When your website is labeled as “not secure,” it means that the content is being served without encryption. Encrypted communication between your browser and the website is essential because if all that transmitted data is in the open, it can be accessed by cybercriminals and tampered with. In most instances, this stolen information is used to perform identity theft and make fraudulent purchases.
For this reason, Google started marking non-HTTPS sites as “not secure” in Chrome back in 2018.
What is HTTPS, and how does it secure your website?
Hypertext Transfer Protocol Secure or HTTPS is an internet protocol that enables the secure transmission of information between a website and the user’s browser and device. For a website to display the HTTPS protocol in the address bar, it must utilize a security certificate known as SSL (Secure Sockets Layer).
SSL certificates are small bits of code on your web server that digitally bind a cryptographic key to an organization’s details. When installed, the SSL certificate enables an encrypted connection when serving up content to users. Think of it like putting a letter in an envelope and sealing it before sending it through the mail.
An SSL certificate also activates the padlock symbol in the URL (Uniform Resource Locator) of your website, signifying a secure connection from the webserver to the browser. This tells your site visitors that you are who you say you are and that the webpage is protected against unwanted tracking or information stealing.
This is not to say that HTTP sites are not secure, just that websites with an HTTPS URL provide an additional layer of security and data integrity that is more favorable to Google and other search engines. Ultimately, we’re headed towards a future where implementing an SSL certificate for your website will be a standard requirement.
Is HTTPS important for SEO?
The short answer is yes. Google has repeatedly stated that security is a top priority. Therefore, HTTPS is a ranking factor.
Plus, a regular HTTP version of your site will display the “not secure” warning to visitors, which will most likely scare them away. This increases the bounce rate of your site, which is also an important SEO consideration.
Does the HTTPS requirement apply to all browsers?
Having a website with an HTTPS URL is important regardless of what browser visitors are using. That being said, the “website not secure” warning doesn’t appear on all browsers. Firefox, Safari, Internet Explorer and other browsers may display a message but not in an explicit way like Google Chrome.
Then again, Google Chrome accounts for over 66% market share of web browsers as of September 2020. So why risk it?
How to fix the “website not secure” warning
You need to encrypt your website’s data transmission by installing the right SSL certificate and activating the HTTPS protocol. The process is relatively straightforward, though it’s best to get a web developer to do it for you, as it involves dealing with your web host.
Here’s a step-by-step:
1. Purchase an SSL Certificate
Many popular domain and hosting providers, including Bluehost, GoDaddy, and Namecheap, offer free SSL certificates included with their hosting packages. The vendor you purchased your web hosting from should also ideally be the one to provide your SSL certificate. This makes the process much faster and the certificate easier to install.
What type of SSL certificate should I get?
There are three main trust levels when it comes to SSL certificates — Domain Validated (DV SSL), Organization Validated (OV SSL), and Extended Validation (EV SSL). The trust level you want for your website security is usually the primary consideration.
- Domain Validated SSL
DV SSL certificates are the most basic and contain the least amount of identity information. These certificates offer encryption but without company information, meaning visitors cannot actually confirm that you or your company runs your website. For this reason, it is not recommended for business use.
- Organization Validated SSL
OV SSL certificates are a step higher in trust level and include information about the company. This gives your business a level of authentication while also encrypting content being served up by the website. However, the business info contained in the certificate is prominently displayed.
- Extended Validation SSL
EV SSL certificates lend the most credibility to websites because they include the highest amount of relevant company information. When you use this certificate, your company name will be clearly displayed next to the locked padlock symbol in the website URL.
Another key consideration is how many domains you want to protect with the SSL certificate. If just one, then a standard SSL certificate will do. Two or more domains? Consider getting a multi-domain or Wildcard certificate. You’ll see all these options when making your purchase.
2. Install the SSL certificate
Head over to your web host admin panel and install the SSL certificate you just purchased. Again, if dealing with hosting and security is not your forte, get a professional web developer to do it for you. If you got your SSL certificate from your current hosting provider, the installation process should be a lot easier.
There might be minor variations per web host, but the installation process generally goes like this:
- Log in to your admin panel and click on the SSL tab
- Click the Install button. You should see a dropdown of the SSL certificates that you purchased
- Select the one you want to install and add it to the relevant domain
- Copy the contents of your certificate text and paste them into the appropriate fields
- Click Install
Note that it may take a couple of hours for the changes to take effect across the web and become visible to your website visitors.
3. Change the URL
If you’re running a WordPress site, you’ll need to change the URL to the HTTPS secure version. Otherwise, it will keep loading the old HTTP URL. To make the change, log in to your WordPress dashboard and open the settings.
Under the “General” tab, you’ll see WordPress Address (URL) and Site Address (URL). Add the extra “S” to the HTTP in the field and save your change.
4. Do a 301 Redirect
Even after changing your website URL, people who visited your site before or bookmarked it may still end up on the non-HTTPS version since they’re still using the old link. The solution is to implement a site-wide 301 redirect — a permanent redirect of link equity to a new version of the page.
There are some plugins you can use to perform the redirect. These programs essentially force the website to load incoming traffic from your website visitors over HTTPS instead of HTTP. Your web developer can also carry out the 301 redirects manually through an FTP client. Manual redirects are usually more reliable.
5. Clear your browser cache
If after 48 hours your website is still not loading over HTTPS, clear the browser cache. The process differs by browser, but for Google Chrome, click on Settings and scroll down to the Privacy and security section.
You’ll see an option to “Clear browsing data.” When you click on it, you’ll see a Time range dropdown and other settings below. Set the time range to 24 hours or higher, place a checkmark on the other options and click on “Clear data.”
Once completed, close your browser and open it again. Enter your website address in the URL bar and load it. It should display the HTTPS protocol and the locked padlock symbol.
Why do some website owners choose not to migrate to HTTPS?
- Cost — This is one of the most common reasons website owners refuse to switch to HTTPS. It’s not just the cost of the SSL certificate but also the cost of hiring a web developer to do the job. SSL certificates can range from $0 to over $1,000 per year.
- Website security is not a priority to the owner — Well, website security should always be paramount, but if you’re not using the site for business or establishing online credibility, why bother? However, note that visitors will always see the “not secure” warning.
- Fear of losing SEO juice — Many website owners fear that significant site changes, such as 301 redirects, can result in fluctuations in search engine rankings. However, losing existing page ranking as a result of a 301 redirect isn’t an issue anymore as Google has gotten smarter. Still, there might be some issues arising from such a site-wide change.
This brings us to the next point…
What happens when I migrate my website to an HTTPS version?
Expect new URLs. Traffic volume may decline as it will take some time before Google recrawls your site and reindexes the new pages.
There might be broken links. A site-wide 301 redirect may lead to broken links, especially if not implemented properly. In most cases, the prudent thing to do is manually check every webpage on your site and make sure they’re loading well and reflecting the new change.
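The site-wide redirect from step 4 and the page-by-page check described above can be expressed as a small audit. This is an added example, not code from the original article: it assumes you have recorded the status code and Location header returned for each plain-HTTP URL (with redirect following switched off), and the URLs and responses below are constructed samples.

```python
from urllib.parse import urljoin, urlsplit

PERMANENT = {301, 308}             # 308 is the other permanent redirect code
REDIRECTS = PERMANENT | {302, 303, 307}

# Constructed sample: (plain-HTTP URL requested, status code, Location header)
SAMPLE_RESPONSES = [
    ("http://example.com/", 301, "https://example.com/"),
    ("http://example.com/shop/cart?id=7", 301, "https://www.example.com/shop/cart?id=7"),
    ("http://example.com/blog/post-1", 302, "https://example.com/blog/post-1"),
    ("http://example.com/about", 301, "https://example.com/"),
    ("http://example.com/contact", 200, None),
    ("http://example.com/old", 301, "http://www.example.com/old"),
]


def _host(parts):
    """Hostname without a leading 'www.', so www canonicalisation is not flagged."""
    host = (parts.hostname or "").lower()
    return host[4:] if host.startswith("www.") else host


def check_redirect(url, status, location):
    """Return the problems found in the response to one plain-HTTP request."""
    if status not in REDIRECTS:
        return ["no redirect: page is still served over HTTP"]
    problems = []
    if status not in PERMANENT:
        problems.append("redirect is temporary, not a permanent 301")
    src = urlsplit(url)
    # A relative Location resolves against the HTTP URL, so it stays on HTTP.
    dst = urlsplit(urljoin(url, location or ""))
    if dst.scheme != "https":
        problems.append("redirect target is not HTTPS")
    if _host(dst) != _host(src):
        problems.append("redirect leaves the original host")
    if (dst.path or "/", dst.query) != (src.path or "/", src.query):
        problems.append("path or query string is not preserved")
    return problems


def audit(responses):
    """Map each URL that fails the check to its list of problems."""
    findings = {}
    for url, status, location in responses:
        problems = check_redirect(url, status, location)
        if problems:
            findings[url] = problems
    return findings
```

A redirect that sends every old URL to the homepage passes a quick look in the browser but fails the path check here, which is the broken-link case the paragraph above warns about.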
Here are some things you can do after making the switch to HTTPS
- Verify your website in GSC — Google Search Console allows for the detailed tracking of your various website goals. After installing the SSL certificate, check your website on GSC and make sure it is verified for both the HTTP and HTTPS versions. Don’t forget to set your preferred domain to the one with the HTTPS URL.
- Update XML Sitemap — The XML sitemap is essentially a map that allows Google and other search engines to navigate your site easily. You’ll need to update it to reflect the HTTPS versions of your site’s pages. You’re submitting the updated sitemap to Google so it can recrawl and reindex your web pages in reference to the new links.
Are SSL certificates only for eCommerce sites?
Before Google announced the Not Secure warning, SSL certificates were mainly used for websites that process payments and handle sensitive information. After 2018, however, if you don’t want your site to be labeled as non-secure, you must install an SSL certificate.
Where can I get a free SSL certificate?
If you’re unable to get a free SSL certificate from your hosting provider, you can get it from the Let’s Encrypt initiative. However, certificates are only valid for 90 days, after which you’ll need to renew.
What are my options if I have several websites and cannot afford that many SSL certificates?
You can get a multi-domain SSL certificate or Subject Alternative Names (SAN) SSL certificate. With this type of certificate, you can use a single SSL certificate to protect several websites.
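Whether one certificate really covers all of your sites, and how close it is to the 90-day expiry mentioned for Let’s Encrypt, can be checked from the certificate itself. This is an added example, not code from the original article: the certificate below is a constructed sample in the dict shape Python's `ssl.SSLSocket.getpeercert()` returns, and the 30-day renewal margin is an assumption.

```python
import ssl
from datetime import datetime, timezone

# Constructed sample in the dict shape returned by ssl.SSLSocket.getpeercert()
# for a validated certificate; names and dates are made up.
SAMPLE_CERT = {
    "notAfter": "Jun  1 12:00:00 2021 GMT",
    "subjectAltName": (
        ("DNS", "example.com"),
        ("DNS", "*.example.com"),
        ("DNS", "shop.example.net"),
    ),
}


def covers(cert, hostname):
    """True if a DNS entry in the certificate's SAN list matches hostname."""
    host = hostname.lower().rstrip(".").split(".")
    for kind, name in cert.get("subjectAltName", ()):
        pattern = name.lower().split(".")
        if kind != "DNS" or len(pattern) != len(host):
            continue  # a wildcard stands for exactly one label, never several
        if pattern == host or (pattern[0] == "*" and pattern[1:] == host[1:]):
            return True
    return False


def days_until_expiry(cert, now):
    """Whole days between now (timezone-aware) and the notAfter date."""
    expires = datetime.fromtimestamp(
        ssl.cert_time_to_seconds(cert["notAfter"]), tz=timezone.utc)
    return (expires - now).days


def review(cert, hostnames, now, renew_within=30):
    """Summarise coverage and renewal state; renew_within is an assumed margin."""
    days = days_until_expiry(cert, now)
    return {
        "uncovered": [h for h in hostnames if not covers(cert, h)],
        "days_left": days,
        "renew_now": days <= renew_within,
    }
```

Note that the wildcard entry `*.example.com` covers `www.example.com` but neither the bare `example.com` nor a deeper name such as `a.b.example.com`, so each of those needs its own entry in the certificate.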