How to Fix the Connection Is Not Secure Error

May 7, 2020


We’ve all been there. You open up a link and you see an ominous “connection is not secure” message in front of the web page’s URL in the browser address bar. Uh oh. Seeing this may take you through a whole series of emotions. Frustration. Concern. Annoyance. You are probably asking yourself:

  • Is it safe to browse this site?
  • Is it safe to buy something from this site?
  • Will I get hacked if I log into this site or submit information?
  • Does this company care if I get hacked?
  • Has this site been hacked or could it be hacked?

Then, right in the middle of the screen, there’s the unmistakable full-page warning, which likely prompts you to click away and never return.

If you manage a site showing the “connection not secure” warning, it’s quite possible that you may utter some spicy language, especially if you have installed an SSL certificate, but the site is showing as insecure anyway.


First, make sure it’s not a date or configuration issue. If your site is showing “not secure,” click the “not secure” link in the browser bar and check the following things first:

  • Make sure your SSL certificate is valid for the current date
  • Make sure your SSL certificate is configured correctly using an SSL checker

If you have an SSL certificate and you’re seeing an error, you’ll need to either get a new certificate, or fix the configuration of the certificate you currently have.

Additionally, make sure your date and time are accurate on your server. Every SSL certificate is only valid over a range of dates, and sometimes incorrect clock settings, especially on a server, can cause an issue.
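The date and clock checks above can be scripted. This is an added example, not code from the original article: `classify_validity`, `check_site` and `SAMPLE_CERT` are names made up here, and the sample certificate dates are constructed. It shows how the same certificate reads as valid or "not yet valid" depending only on what the clock says.

```python
import socket
import ssl
from datetime import datetime, timedelta, timezone

def _parse(cert_time):
    # getpeercert() dates look like "May  1 00:00:00 2020 GMT".
    return datetime.fromtimestamp(ssl.cert_time_to_seconds(cert_time), timezone.utc)

def classify_validity(cert, now=None, warn_days=14):
    """Classify a getpeercert()-style dict against the clock `now` (UTC)."""
    now = now or datetime.now(timezone.utc)
    not_before, not_after = _parse(cert["notBefore"]), _parse(cert["notAfter"])
    if now < not_before:
        # Typical of a clock set in the past, or a certificate issued moments ago.
        return "not-yet-valid"
    if now > not_after:
        return "expired"
    if not_after - now < timedelta(days=warn_days):
        return "expiring-soon"
    return "valid"

def check_site(host, port=443, timeout=5):
    """Connect with the same kind of verification a browser does and report the result."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return classify_validity(tls.getpeercert())
    except ssl.SSLCertVerificationError as exc:
        # For example "certificate has expired" or a hostname mismatch.
        return "verify-failed: " + exc.verify_message

# Constructed sample in the shape ssl.SSLSocket.getpeercert() returns.
SAMPLE_CERT = {"notBefore": "May  1 00:00:00 2020 GMT",
               "notAfter": "Jul 30 00:00:00 2020 GMT"}

if __name__ == "__main__":
    clocks = [("correct clock", datetime(2020, 5, 7, tzinfo=timezone.utc)),
              ("clock reset to 2019", datetime(2019, 1, 1, tzinfo=timezone.utc))]
    for label, clock in clocks:
        print(label, "->", classify_validity(SAMPLE_CERT, clock))
```

Call `check_site` with your own domain to test a live site; it needs network access and uses the clock of the machine it runs on.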

What is HTTPS?

Before we go into fixing the problem, it’s important to understand what the “connection is not secure” warning means and why it’s there.

HTTPS stands for Hypertext Transfer Protocol Secure. It carries HTTP over an encrypted connection, which protects the privacy of traffic between the visitor and the website. If HTTPS isn’t present or isn’t set up properly, modern browsers like Chrome and Firefox indicate the site is “not secure” to let visitors know that they may incur some risk in using the site. Google has marked sites that don’t support HTTPS connections with a “connection is not secure” warning since 2018.

Do I really need HTTPS?

Yes! It’s especially important if you engage in eCommerce or if you collect user information on your site. Without HTTPS, the connection to your site isn’t encrypted. This means that a hacker could access your users’ information while it’s in transit.

Even for non-eCommerce websites, data submitted via online forms also should be transmitted securely. HTTPS ensures that.

HTTPS Improves Credibility with Site Visitors

HTTPS is also about trust. Showing you have a secure connection is important for your relationship with your visitors. It indicates to them that the information they see on your site has been loaded and controlled by you only, not by malicious activity.

Visitors may also feel hesitant to do business with you or refer you if they see “connection is not secure” and conclude that you don’t take security or privacy seriously.

HTTPS Improves Credibility with Potential and Existing Online Customers

Security is top-of-mind for many people. It’s common knowledge that personal information can be intercepted on its way to or from an insecure site. Most people won’t want to take that risk.

Here’s another reason to ensure HTTPS is in place across your website: in 2014, Google started exploring whether it should factor HTTPS into a site’s ranking in search results. Fast forward to today: Google now uses HTTPS as a ranking factor in determining its search results.

Does that mean Google will favor your website if it is secure? Not necessarily. Yes, it’s technically possible that you can still rank high in the SERP if your website is insecure. Some other elements of your SEO status may override the HTTPS ranking impact. That said, it’s probably less likely than if it is secure. Not having HTTPS can certainly penalize you in search results, and sites that don’t support HTTPS may rank lower in Google search.

In other words, HTTPS is not a sole factor in your ranking, but it could be a tiebreaker. For example, if your site and another site meet the same criteria for achieving a certain ranking and the difference is that your site is secure and the other one is not, Google may favor yours.

How to Enable HTTPS on Duda

If you host your site on Duda, you can skip the work that most WordPress or cPanel installs require to enable HTTPS.

Duda automatically creates an SSL certificate for a site the first time we see traffic to it. Then, the certificate is provisioned and installed, usually within two hours. To learn more, see how to get SSL on Duda.

Conversely, if for any reason you want to disable HTTPS for a Duda website, you can do that as well. 


Note: All Duda sites also include malware protection, regular scanning for vulnerabilities, and other built-in security measures.

How to Enable HTTPS on other environments

While there are many ways to set up SSL and force HTTPS to your site on most non-Duda content management systems, it almost always involves several steps, external vendor registrations, sign-ins, activations, manual integration with your hosting and probably troubleshooting. Ugh. That said, here are some pointers.

How to Force HTTPS with WordPress

Different systems have different ways to address this issue. With WordPress, first, you have to get an SSL certificate for your WordPress installation. (Note: Some WordPress hosting providers charge hundreds of dollars per year for an SSL certificate.)

Here are the steps that are typically involved:

  • Request and, if necessary, pay for the SSL certificate from the certificate authority
  • After requesting the certificate, you’ll need to validate your request, either through modifying the code on your WordPress domain or through another means that shows that you are a legitimate requestor of the certificate (here’s an example of the process; it’s not trivial)
  • Once you have been verified, the certificate needs to be installed, which can be a path fraught with peril

Once the certificate is installed, then you may want to ensure that HTTPS is forced across the entire WordPress site. In WordPress, you can force HTTPS with a plugin that will ensure that every page in the future follows HTTPS. To do this part of the process, you’ll need to explore the following steps.

  • Go to your plugin section in the WordPress dashboard and search for a plugin that will force SSL or force HTTPS
  • Install the plugin
  • Activate the plugin
  • Configure the plugin and, if needed, adjust its settings
  • Test the plugin and make sure it's working correctly

Additionally, if you’re getting an SSL certificate from a certificate authority associated with a host, you’ll likely need to renew the certificate every one to two years, and get to go through this same process each time.

Reminder: In contrast to WordPress, modern systems like Duda take care of HTTPS automatically.

How to Force HTTPS on cPanel


You can also force HTTPS in your cPanel via your host if you’re using WordPress, Drupal, Joomla, or another CMS. Here’s how:

  • Open your cPanel, log in, and visit the "Domains" section
  • Toggle the "Force HTTPS" button beside the domain you want to force

My SSL is set up correctly, but I still don’t have the padlock

If even just some of your pages, subdomains or content elements aren’t protected with HTTPS, portions of a site will still show “not secure” and won’t have the padlock. As if you didn’t have enough to deal with, right?

First, double check that all subdomains and pages on your site do have SSL installed.

Next, check for individual insecure elements that the pages themselves are linking to. Many times, externally-linked images, libraries, or stylesheets may be the culprit.

You can generally identify these insecure elements pretty easily with an SSL checker. For these elements, ensure that any links to those elements are using HTTPS, and not HTTP.
