If your WordPress SSL is not working or if you have issues with WordPress HTTPS you are in a right place.
When moving a WordPress website to SSL, unexpected issues may occur.
In case you’re trying to add SSL to an existing WordPress site and run into errors, here’s a guide to get rid of the WordPress not secure warnings and harden your website security.
You will find instructions for fixing the most common SSL and HTTPS problems.
Let’s get started!
Table of contents
SSL / HTTPS encrypts the connection a user’s browser has with your WordPress hosting server. This makes it harder for hackers to interfer with the connection.
SSL / HTTPS enabled sites receive a unique digital certificate to identify them. The browser will warn the user not to connect to such a website if a server pretends to be using HTTPS, but doesn’t have the proper certificate.
WordPress displays the Not Secure notice because your website does not have a SSL certificate or it has one that was not configured correctly during installation.
Adding an SSL certificate enhances your website’s user experience and security. Google’s “Not Secure” notice shows up if something is wrong with your SSL.
Google recommends that all websites make use of SSL / HTTPS in order to improve security.
The Chrome web browser considers all sites without an SSL certificate as insecure, which is why it displays a warning.
Customers will have a negative impression of your business if they see the ‘Not Secure’ label in the address bar.
Moreover, to use payment services like PayPal or Stripe you will need to ensure SSL/HTTPS are enabled.
Here are some of the most common SSL/HTTPS issues in WordPress and how to solve them.
For your convenience, we have separated our process into discrete steps. Taking this process step-by-step will take a couple of hours, so bookmark this page!
You shouldn’t feel alarmed if the following parts seem a little technical. Following the instructions carefully will enable you to successfully fix the WordPress website not secure warning. Before starting, make a backup of your WordPress website.
Installing an SSL certificate is intimidating for most people, and in the past, they would have had good reasons to worry.
Since Let’s Encrypt was created, things have drastically changed. With Let’s Encrypt, every website can get an SSL certificate free of charge.
If you are not confortable in setting-up Let’s Encrypt, you can use WP Encryption to generate free Let’s Encrypt SSL certificate for your WordPress site and force SSL/HTTPS sitewide, fixing insecure content & mixed content issues easily.
WP Encryption directly redirects links From HTTP to HTTPS, so you don’t have to do this painful part either.
Another alternative to Let’s Encrypt is WP Force SSL. The PRO version includes more than 14 SSL tests, among other things. WP Force SSL makes it simple for users to switch from insecure HTTP to secure HTTPS and repair SSL issues without having to touch a line of code.
The plugin provides an SSL certificate validation tool that checks to see if the SSL certificate is legitimate, completely installed, and up to date before allowing access to the website. WP Force SSL is totally compatible with all of the themes and plugins that are currently available on the market.
You may receive this error message in Google Chrome. These warnings may appear differently in other browsers, but they all signal that the connection to your website is insecure.
This error message indicates that a user’s browser has not accepted the certificate presented by the website. A number of factors could lead to this:
You may contact the WordPress hosting provider who installed your SSL certificate to fix the issue if you bought it and asked them to do the installation.
If the SSL certificate was manually installed, try reinstalling it or contact the SSL certificate provider support for help.
Mix-content errors can occur when source files (images, scripts, or stylesheets) are still loaded using insecure HTTP protocol in URLs.
In that case, the padlock icon will not appear in the address bar of the website.
WordPress mixed content errors can be fixed with a plugin like WP Encryption or Really Simple SSL.
However, if you have enough time and knowledge, I’d recommend you to fix the mixed content error manually: this more effective and performance-enhancing.
The first step that you need to take is to check that HTTPS is enabled in WordPress.
In Settings » General, you need to ensure that WordPress Address and Site Address options feature HTTPS URLs.
URLs that begin with HTTP should be changed to HTTPS. Make sure you click the save changes button to save your settings.
The next step is to locate old HTTP URLs in your WordPress database and replace them with the new HTTPS URLs.
Install and activate Better Search Replace plugin to get started.
Once activated, you can access the Better Search Replace page under Tools » Better Search Replace. You need to enter your website’s URL with HTTP in the ‘Search’ field.
Afterward, in the ‘Replace’ field, enter the URL of your website with the https prefix.
The plugin will now update URLs in your WordPress database.
If you are still experiencing mixed content errors, then you must check your theme and plugin URLs. To isolate the resources responsible for the error, you will need to use your browser’s Inspect tool.
Once identified you need to manually update the URL directly in the plugin/theme files.
You can also contact the theme developer and ask for an update if you can’t find them.
You can force SSL / HTTPS for the admin section by entering the following code into your wp-config.php file:
define('FORCE_SSL_ADMIN', true);
Unfortunately, this setting alone may cause ‘Too many redirects’ errors in some scenarios.
If this happens to you, you must add the following code just before the line that says “That’s all, stop editing! Happy blogging.”
define('FORCE_SSL_ADMIN', true);
if (strpos($_SERVER['HTTP_X_FORWARDED_PROTO'], 'https') !== false)
$_SERVER['HTTPS']='on';
Unless you tell WordPress, HTTP requests aren’t automatically redirected to HTTPS. When you use a plugin like WP Encryption or Really Simple SSL, it will handle redirects automatically.
In any other case, you will have to set up redirects manually.
Your .htaccess file should include the following code to enable HTTPS redirection.
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
</IfModule>
It’s time to let Google know that you are using HTTPS for your WordPress site now that you have installed your SSL certificate and set it up properly.
In the absence of this change, Google Search Console will still collect data from the HTTP version which will get less and less traffic over time.
To add this property, go to Google Search Console and add HTTPS as a new property.
Then resubmit your sitemap files containing the new HTTPS versions to Google.
Getting HTTPS URL and SSL certificate will have many positive impacts on your website: better security, no more Chrome warnings, better loading times, better SEO scores, brand credibility and much more.
So even though this looks difficult for you, it’s really important to implement HTTPS URL and SSL certificate to your WordPress website.
I hope this article helped you troubleshoot your issues with SSL / HTTPS in WordPress.
A step-by-step guide on how to troubleshoot the HTTP error when uploading images to WordPress.
Are you facing the Establishing a database connection error in WordPress? One of the most […]
In this article, I’ll show you how to easily turn off PHP errors in WordPress.