Last updated: May 2026
Your visitors can see the words "Not Secure" in their browser bar before they read a single line of your copy, and that one phrase tanks trust faster than any design choice you can make. To fix a "Not Secure" website you need an SSL/TLS certificate, a clean HTTP-to-HTTPS migration, and a check for mixed-content errors so every asset on the page also loads over HTTPS. Here's why the warning appears, the SEO and conversion costs of ignoring it, and the SSL certificate setup steps that close the gap.
The fix in four moves:
- Install an SSL/TLS certificate. Most hosts now offer free Let's Encrypt certificates with a one-click install.
- Force HTTPS site-wide with a 301 redirect from every HTTP URL to its HTTPS equivalent.
- Update internal links, image paths, and embedded scripts so nothing still loads over HTTP (the source of mixed-content errors).
- Resubmit your sitemap in Google Search Console and confirm the HTTPS version is the canonical property.
In 2026, HTTPS is baseline. It's the floor every site is expected to clear before a browser will even consider it trustworthy. Google has confirmed HTTPS as a ranking signal since 2014, and the layer above that (Core Web Vitals) has tightened since, with Interaction to Next Paint (INP) replacing First Input Delay as a Core Web Vital on March 12, 2024. If your site is still serving over HTTP, you're not in the conversation. You're flagged before it begins.
The good news: the fix is usually fast and cheap. Often a single afternoon, sometimes a single click. We've seen clients move from "Not Secure" to a clean padlock in under a day with a properly scoped SSL audit. Below is what to fix, why it matters, and how to do it without breaking anything else.
What "Not Secure" actually means
When your browser shows a "Not Secure" label, it's telling visitors that the connection between their device and your server isn't encrypted. Anything they type (passwords, contact form details, credit card numbers) travels in plain text. Anyone sitting between the browser and the server, on the same Wi-Fi, on a compromised router, on the wrong side of a coffee-shop network, can read it.
HTTPS, or HyperText Transfer Protocol Secure, wraps that connection in TLS encryption. An SSL certificate is the credential that lets your server prove who it is and negotiate that encrypted channel. Without one, the browser has no way to verify the site, so it warns the visitor by default.

Why a "Not Secure" warning costs you traffic and revenue
Three problems stack on top of each other when your site runs on HTTP, and each one drags the next.
SEO damage. Google's HTTPS ranking signal is now more than a decade old and is baked into every search result. HTTPS is also a prerequisite for the modern performance signals that matter most: Core Web Vitals, including the INP threshold of under 200 milliseconds for a "good" rating. If you're competing for a query against sites that loaded faster, encrypted properly, and shipped on HTTPS years ago, you start the race behind. Our deeper write-up on website maintenance and ongoing performance optimization walks through how SSL fits into the wider performance picture.
Conversion drop. Visitors notice the warning even when they can't articulate it. A "Not Secure" label in the URL bar before someone has scrolled creates a hesitation that's hard to recover from on a product page or a lead form. The padlock isn't decorative; it's the visual signal modern users use to decide whether to type anything in.
Security exposure. Without TLS, any data your site collects is readable in transit. That's bad for any site that captures personal information and worse for any site moving toward compliance with privacy regulations. It's also the leading-edge weakness that gets exploited in credential-stuffing and session-hijacking attacks.
If you're already auditing how the site lands with potential buyers, our piece on what makes a website marketable covers the trust signals (HTTPS being the first of them) that visitors weigh before engaging.
How browsers display the warning in 2026
Chrome, Edge, Safari, and Firefox all display some form of warning when a page loads over HTTP. Chrome, the dominant browser by a wide margin, leads with the most prominent label: a "Not Secure" pill in the address bar, sometimes paired with a full interstitial when a visitor tries to submit a form on an unencrypted page.

Browser teams have been steadily tightening these warnings since 2018, and the trajectory is one-way: more visible, more aggressive, more likely to interrupt the user before they fill in a field. Assume the warning is only going to get louder.
How to fix a not secure website: the SSL certificate setup steps
Most modern hosts ship one-click SSL via Let's Encrypt, a free, automated certificate authority backed by the Internet Security Research Group. If your host doesn't support it natively, a paid certificate from your provider still works; it just costs more and asks more of you at renewal. The process below covers the common path.
- Log in to your hosting control panel. Look for an "SSL/TLS" or "Security" section. cPanel, Plesk, WP Engine, Kinsta, SiteGround, and most other managed hosts surface it within two clicks of the dashboard.
- Enable the free Let's Encrypt certificate if available. Most hosts offer this as a checkbox or one-click install. The certificate provisions in minutes and renews automatically every 90 days.
- Confirm the certificate covers the right domains. A standard certificate covers a single domain plus its www subdomain. If you run multiple subdomains (shop., blog., app.), pick a wildcard certificate or provision per subdomain.
- Force HTTPS site-wide. Add a 301 redirect from every HTTP URL to its HTTPS equivalent. On WordPress, the "Really Simple SSL" plugin or a few lines in .htaccess handle it. On other CMSs, your host's documentation has the specific snippet.
- Update internal links and asset URLs so nothing still references http://. This includes image paths in posts, embedded scripts, third-party widgets, and any hard-coded links in your theme. Tools like Better Search Replace (WordPress) or a database find-and-replace make this a five-minute job rather than a weekend's work.
- Test for mixed-content errors. Open your site in Chrome, hit F12, and check the Console. Any resource still loading over HTTP will throw a warning here. Fix each one until the console is clean.
- Resubmit your sitemap in Google Search Console. Add the HTTPS property if you haven't already, set it as the canonical, and submit your sitemap.xml. Google will start crawling the encrypted version, and your rankings should consolidate within a few weeks.
That's the full sequence. For most sites we audit, the entire migration runs in well under a day. The exceptions are large sites with thousands of hard-coded image URLs or sites running on legacy stacks that don't support modern TLS. Both are fixable, but worth scoping properly before you start.
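For the "confirm the certificate covers the right domains" step, this added example (not from the original article) reads the certificate a host serves and reports which of your hostnames it does not cover, plus the days left before expiry. The hostnames and certificate name lists are constructed samples; note that a wildcard entry stands for exactly one leftmost label, so it covers neither the bare domain nor deeper subdomains.

```python
import socket
import ssl
import time

def fetch_cert(host, port=443, timeout=5):
    """Return (DNS names in the certificate, days until it expires) for host."""
    ctx = ssl.create_default_context()  # validates the chain and the hostname
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            cert = tls.getpeercert()
    sans = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    days_left = (ssl.cert_time_to_seconds(cert["notAfter"]) - time.time()) / 86400
    return sans, days_left

def san_matches(pattern, hostname):
    """Compare one certificate name with one hostname, label by label."""
    p = pattern.lower().rstrip(".").split(".")
    h = hostname.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False           # "*" never spans more than one label
    if p[0] == "*":
        return p[1:] == h[1:]  # wildcard is honoured only as the leftmost label
    return p == h

def uncovered(hostnames, sans):
    """Hostnames that no name in the certificate matches."""
    return [h for h in hostnames if not any(san_matches(s, h) for s in sans)]

# Constructed sample data (assumption: a site with a shop and a nested CDN host).
SITE_HOSTS = ["example.com", "www.example.com", "shop.example.com", "cdn.shop.example.com"]
STANDARD_CERT = ["example.com", "www.example.com"]
WILDCARD_CERT = ["*.example.com"]

if __name__ == "__main__":
    print("standard:", uncovered(SITE_HOSTS, STANDARD_CERT))
    print("wildcard:", uncovered(SITE_HOSTS, WILDCARD_CERT))
    # Live check (needs network): sans, days_left = fetch_cert("example.com")
```

Run it after every certificate change or host move, and alert when days_left from fetch_cert drops below your renewal window.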
Mixed-content errors: the most common stumbling block
You install the certificate, force HTTPS, and the padlock still doesn't appear. The cause is almost always mixed content: the page itself loads over HTTPS, but one or more assets (an image, a script, an embedded font) still load over HTTP. Browsers treat that as a partial-trust state and drop the padlock.
To diagnose, open the page in Chrome, press F12, and click the Console tab. Every HTTP resource will be flagged. From there you have three options: update the URL to HTTPS, host the asset yourself, or remove it if the source isn't available over HTTPS. For sites with hundreds of legacy posts, a database find-and-replace from "http://yourdomain" to "https://yourdomain" usually clears the bulk of them in one pass.
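The Console check works one page at a time. As an added example (not from the original article), this scanner lists the http:// subresources in a page's HTML and labels them with the browser distinction between blockable content (scripts, stylesheets, iframes) and upgradeable content (images, audio, video), which goes slightly beyond what the article covers. The sample markup is constructed; ordinary links and rel="canonical" tags are not subresource loads, so they are skipped.

```python
from html.parser import HTMLParser

# Tag -> attribute whose URL the browser fetches while rendering the page.
BLOCKABLE = {"script": "src", "iframe": "src", "link": "href"}
UPGRADEABLE = {"img": "src", "audio": "src", "video": "src", "source": "src"}

class MixedContentFinder(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []  # (line, category, tag, url)

    def handle_starttag(self, tag, attrs):
        a = {name: (value or "") for name, value in attrs}
        # Only stylesheet links are scanned; canonical and similar rels are not fetched.
        if tag == "link" and "stylesheet" not in a.get("rel", "").lower().split():
            return
        for category, table in (("blockable", BLOCKABLE), ("upgradeable", UPGRADEABLE)):
            attr = table.get(tag)
            url = a.get(attr, "").strip() if attr else ""
            if url.lower().startswith("http://"):
                self.findings.append((self.getpos()[0], category, tag, url))

def find_mixed_content(html):
    """Return every plain-HTTP subresource reference found in the markup."""
    finder = MixedContentFinder()
    finder.feed(html)
    finder.close()
    return finder.findings

# Constructed sample page, one tag per line.
SAMPLE = """<link rel="canonical" href="http://example.com/post">
<link rel="stylesheet" href="http://example.com/theme.css">
<script src="https://example.com/app.js"></script>
<script src="http://widgets.example.net/embed.js"></script>
<img src="http://example.com/uploads/hero.jpg" />
<a href="http://example.org/">outbound link</a>
<img src="//cdn.example.com/logo.png">
"""

if __name__ == "__main__":
    for line, category, tag, url in find_mixed_content(SAMPLE):
        print(f"line {line}: {category} <{tag}> {url}")
```

Fix the blockable findings first: browsers refuse to load those over HTTP on an HTTPS page, so they break functionality as well as the padlock.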
Where SSL fits into ongoing website maintenance
At Major Tom, SSL audits are part of our standard web maintenance checklist alongside Core Web Vitals monitoring, plugin and theme updates, and security scans. We find clients see the biggest gains when SSL is treated as a permanent state to maintain rather than a one-time install. Certificates expire, hosts change, redirects break when someone updates a permalink. A site that was secure last year can quietly slip if no one is watching.
For agencies and in-house teams setting the bar higher, our piece on what makes an industry-leading website covers the security, performance, and accessibility baselines that separate competent sites from the ones that compound advantage year over year.

What to do if your host doesn't support Let's Encrypt
A small but shrinking number of hosts still don't offer free SSL. In that case, you have two options: buy a paid certificate from your host or a provider like DigiCert or Sectigo, or switch hosts. We'd usually suggest the second. If your host hasn't built free SSL into the dashboard by 2026, there are likely other corners they've cut as well: backup frequency, PHP version, server response time. SSL is the canary.
If you're not sure whether your current host is the bottleneck, run your site through PageSpeed Insights. A Time to First Byte over a second is usually a hosting problem; a slow LCP often is too. Both are signals that the cost of staying is higher than the cost of moving.
Find clarity in the chaos
A "Not Secure" warning is one of those rare web problems where the fix is cheap, fast, and almost always worth doing today rather than next quarter. If you'd rather hand it off, or you've started the migration and hit mixed-content errors that won't resolve, our web design and development team handles SSL audits and HTTPS migrations as part of every engagement. For the SEO side of the equation, our SEO, AEO and GEO services cover the search-side cleanup that should follow any HTTPS migration. We've shipped enough of these to know where the snags hide. Find clarity in the chaos, and get the padlock back.
FAQs
What does "Not Secure" mean on a website?
It means your site is loading over HTTP instead of HTTPS, so the connection between the visitor's browser and your server isn't encrypted. Anything typed into the page travels in plain text and can be intercepted by anyone on the same network. Browsers display the "Not Secure" label by default whenever a site lacks a valid SSL/TLS certificate, and they escalate the warning when a visitor tries to submit a form on an unencrypted page.
How do I get an SSL certificate for my website?
Most modern hosts offer free SSL certificates via Let's Encrypt directly inside the control panel. Look for an "SSL/TLS" or "Security" section, enable the certificate, and confirm it covers your domain plus the www subdomain. If your host doesn't support Let's Encrypt, you can buy a certificate from a commercial certificate authority like DigiCert or Sectigo, or switch to a host that includes free SSL (most do in 2026).
Is HTTPS a Google ranking factor?
Yes. Google has confirmed HTTPS as a ranking signal since 2014, and it's been a baseline expectation rather than a tiebreaker for years now. In 2026, the bigger ranking question sits one layer above HTTPS: Core Web Vitals, including the Interaction to Next Paint (INP) metric that replaced First Input Delay in March 2024. You won't rank without HTTPS, but having it doesn't lift you alone. Performance and content quality do the rest.
What is the difference between HTTP and HTTPS?
HTTP is the original web protocol, where requests and responses travel between browser and server in plain text. HTTPS adds a TLS encryption layer that scrambles that traffic so only the intended server can read it. Visually, HTTP sites get a "Not Secure" label in the browser; HTTPS sites get a padlock. Functionally, HTTPS protects data in transit, supports modern browser features, and is required by Google for ranking and by most modern APIs to even connect.
How long does it take to fix a not secure website?
For most sites, the SSL install and HTTPS migration runs in under a day once you have access to the hosting control panel. The certificate itself provisions in minutes. The remaining time goes into forcing HTTPS site-wide, updating internal links, and clearing mixed-content errors. Larger sites with thousands of legacy posts may need a database find-and-replace, but that's still measured in hours rather than weeks.
What is a mixed content error and how do I fix it?
A mixed-content error happens when a page loads over HTTPS but one or more assets on the page (images, scripts, embedded fonts) still load over HTTP. Browsers treat that as a partial-trust state and drop the padlock. To fix it, open the page in Chrome, press F12, click the Console tab, and update every flagged HTTP URL to its HTTPS equivalent. A database find-and-replace usually clears the bulk of legacy URLs in a single pass.
Will switching to HTTPS hurt my SEO?
Not if the migration is done properly. The risk comes from skipping the 301 redirects from HTTP to HTTPS, forgetting to update your sitemap, or leaving mixed-content errors unresolved. Done correctly, an HTTPS migration consolidates ranking signals on the secure version and typically shows recovery within a few weeks. Resubmit your sitemap in Google Search Console after the migration and monitor for crawl errors over the following month.