How to Fix the Connection Is Not Secure Error

Ashley Ashbee • May 07, 2020


We’ve all been there. You open up a link and you see an ominous “connection is not secure” message in front of the web page’s URL in the browser address bar. Uh oh. Seeing this may take you through a whole series of emotions. Frustration. Concern. Annoyance. You are probably asking yourself:

  • Is it safe to browse this site?
  • Is it safe to buy something from this site?
  • Will I get hacked if I log into this site or submit information?
  • Does this company care if I get hacked?
  • Has this site been hacked or could it be hacked?

Then, right in the middle of the screen, there’s the unmistakable full-page warning, which likely prompts you to click away and never return.

If you manage a site showing the “connection not secure” warning, it’s quite possible that you may utter some spicy language, especially if you have installed an SSL certificate, but the site is showing as insecure anyway.


First, make sure it’s not a date or configuration issue. If your site is showing “not secure,” click the “not secure” link in the browser bar and check the following things first:

  • Make sure your SSL certificate is valid for the current date
  • Make sure your SSL certificate is configured correctly using an SSL checker

If you have an SSL certificate and you’re seeing an error, you’ll need to either get a new certificate, or fix the configuration of the certificate you currently have.

Additionally, make sure your date and time are accurate on your server. Every SSL certificate is only valid over a range of dates, and sometimes incorrect clock settings, especially on a server, can cause an issue.
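The date check above can be scripted. The following is an added example, not code from Duda or any SSL checker: it classifies a certificate's validity window against a clock reading, so you can see whether the certificate or the clock is at fault. The function names, the 30-day warning threshold and the sample certificate are assumptions made for illustration.

```python
import socket
import ssl
from datetime import datetime, timezone


def _parse(cert_time):
    # getpeercert() dates look like "May  1 00:00:00 2020 GMT"
    return datetime.fromtimestamp(ssl.cert_time_to_seconds(cert_time), timezone.utc)


def validity_status(cert, now=None, warn_days=30):
    """Classify a getpeercert()-style dict against a clock reading.

    Returns (status, whole days until notAfter)."""
    now = now or datetime.now(timezone.utc)
    not_before, not_after = _parse(cert["notBefore"]), _parse(cert["notAfter"])
    days_left = (not_after - now).days
    if now < not_before:
        # Usually a clock running behind, or a certificate installed early.
        return "not-yet-valid", days_left
    if now > not_after:
        return "expired", days_left
    return ("expiring-soon" if days_left < warn_days else "valid"), days_left


def fetch_cert(host, port=443, timeout=5):
    """Return the certificate a live server presents.

    The default context verifies the chain, host name and dates, so a bad
    certificate raises ssl.SSLCertVerificationError naming the reason."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


# Constructed sample, not a real certificate: a 90-day validity window.
SAMPLE_CERT = {"notBefore": "May  1 00:00:00 2020 GMT",
               "notAfter": "Jul 30 00:00:00 2020 GMT"}
```

Passing a suspect machine's clock reading as `now` shows whether that clock alone would put an otherwise good certificate outside its window.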

What is HTTPS?

Before we go into fixing the problem, it’s important to understand what the “connection is not secure” warning means and why it’s there.

HTTPS stands for Hypertext Transfer Protocol Secure. It is ordinary HTTP carried over a connection encrypted with TLS (the successor to SSL), which protects the privacy of the connection to a website. If HTTPS isn’t present or isn’t set up properly, modern browsers like Chrome and Firefox indicate the site is “not secure” to let visitors know that they may incur some risk in using the site. Google has marked sites that don’t support HTTPS connections with a “connection is not secure” warning since 2018.

Do I really need HTTPS?

Yes! It’s especially important if you engage in eCommerce or if you collect user information on your site. Without HTTPS, the connection to your site isn’t encrypted. This means that a hacker could access your users’ information while it’s in transit.

Even for non-eCommerce websites, data submitted via online forms also should be transmitted securely. HTTPS ensures that.

HTTPS Improves Credibility with Site Visitors

HTTPS is also about trust. Showing you have a secure connection is important for your relationship with your visitors. It indicates to them that the information they see on your site has been loaded and controlled by you only, not by malicious activity.

Visitors may also feel hesitant to do business with you or refer you if they see “connection is not secure” and conclude that you don’t take security or privacy seriously.

HTTPS Improves Credibility with Potential and Existing Online Customers

Security is top-of-mind for many people. It’s common knowledge that personal information can be intercepted on its way to or from an insecure site. Most people won’t want to take that risk.

Here’s another reason to ensure HTTPS is in place across your website: in 2014, Google started exploring whether they should factor HTTPS into a site’s ranking in search results. Flash forward to today: Google now uses HTTPS as a ranking factor in determining its search results.

Does that mean Google will favor your website if it is secure? Not necessarily. Yes, it’s technically possible that you can still rank high in the SERP if your website is insecure. Some other elements of your SEO status may override HTTPS ranking impact. That said, it’s probably less likely than if it is secure. Not having HTTPS can certainly penalize you in search results, and sites that don’t support HTTPS may rank lower in Google search.

In other words, HTTPS is not a sole factor in your ranking, but it could be a tiebreaker. For example, if your site and another site meet the same criteria for achieving a certain ranking and the difference is that your site is secure and the other one is not, Google may favor yours.

How to Enable HTTPS on Duda

If you host your site on Duda, you can skip the work that most WordPress or cPanel installs require to enable HTTPS.

Duda automatically creates an SSL certificate for a site the first time we see traffic to it. Then, the certificate is provisioned and installed, usually within two hours. To learn more, see how to get SSL on Duda.

Conversely, if for any reason you want to disable HTTPS for a Duda website, you can do that as well. 


Note: All Duda sites also include malware protection, regular scanning for vulnerabilities, and other built-in security measures.

How to Enable HTTPS on other environments

While there are many ways to set up SSL and force HTTPS to your site on most non-Duda content management systems, it almost always involves several steps, external vendor registrations, sign-ins, activations, manual integration with your hosting and probably troubleshooting. Ugh. That said, here are some pointers.

How to Force HTTPS with WordPress

Different systems have different ways to address this issue. With WordPress, first, you have to get an SSL certificate for your WordPress installation. (Note: Some WordPress hosting providers charge hundreds of dollars per year for an SSL certificate.)

Here are the steps that are typically involved:

  • Request and, if necessary, pay for the SSL certificate from the certificate authority
  • After requesting the certificate, you’ll need to validate your request, either through modifying the code on your WordPress domain or through another means that shows that you are a legitimate requestor of the certificate (here’s an example of the process; it’s not trivial)
  • Once you have been verified, the certificate needs to be installed, which can be a path fraught with peril

Once the certificate is installed, then you may want to ensure that HTTPS is forced across the entire WordPress site. In WordPress, you can force HTTPS with a plugin that will ensure that every page in the future follows HTTPS. To do this part of the process, you’ll need to explore the following steps.

  • Go to your plugin section in the WordPress dashboard and search for a plugin that will force SSL or force HTTPS
  • Install the plugin
  • Activate the plugin
  • Configure the plugin and, if needed, adjust its settings
  • Test the plugin and make sure it's working correctly

Additionally, if you’re getting an SSL certificate from a certificate authority associated with a host, you’ll likely need to renew the certificate every one to two years, and get to go through this same process each time.

Reminder: In contrast to WordPress, modern systems like Duda take care of HTTPS automatically.

How to Force HTTPS on cPanel


You can also force HTTPS in your cPanel via your host if you’re using WordPress, Drupal, Joomla, or another CMS. Here’s how:

  • Open your cPanel, log in, and visit the "Domains" section
  • Toggle the "Force HTTPS" button beside the domain you want to force

My SSL is set up correctly, but I still don’t have the padlock

If even just some of your pages, subdomains or content elements aren’t protected with HTTPS, portions of a site will still show “not secure” and won’t have the padlock. As if you didn’t have enough to deal with, right?

First, double check that all subdomains and pages on your site do have SSL installed.

Next, check for individual insecure elements that the pages themselves are linking to. Many times, externally-linked images, libraries, or stylesheets may be the culprit.

You can generally identify these insecure elements pretty easily with an SSL checker. For these elements, ensure that any links to those elements are using HTTPS, and not HTTP.
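The check for insecure elements can also be done by hand. This added example (not Duda's code or any particular SSL checker's) parses a page's HTML and lists every subresource an HTTPS page would fetch over plain HTTP, resolving relative and protocol-relative URLs first. The `example.test` hosts, the sample markup and the function names are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Tags whose attribute makes the browser fetch page content. Browsers block
# "active" mixed content outright and upgrade or flag "passive" content;
# an http:// form target sends the submitted data unencrypted.
FETCHING = {
    "script": ("src", "active"), "iframe": ("src", "active"),
    "object": ("data", "active"), "link": ("href", "active"),
    "img": ("src", "passive"), "audio": ("src", "passive"),
    "video": ("src", "passive"), "source": ("src", "passive"),
    "form": ("action", "form"),
}


class MixedContentFinder(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []  # (line, tag, kind, absolute URL)

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag not in FETCHING:
            return  # e.g. <a href>: navigation, not a subresource
        rels = (attrs.get("rel") or "").lower().split()
        if tag == "link" and "stylesheet" not in rels:
            return  # canonical/alternate links are not fetched as content
        attr, kind = FETCHING[tag]
        # Resolve "/path" and "//host/path" against the page's own scheme.
        url = urljoin(self.page_url, (attrs.get(attr) or "").strip())
        if urlparse(url).scheme == "http":
            self.findings.append((self.getpos()[0], tag, kind, url))


def find_mixed_content(page_url, html):
    finder = MixedContentFinder(page_url)
    finder.feed(html)
    return finder.findings


# Constructed sample markup for the demonstration.
SAMPLE = """<link rel="stylesheet" href="http://cdn.example.test/site.css">
<link rel="canonical" href="http://www.example.test/">
<script src="//cdn.example.test/lib.js"></script>
<img src="http://img.example.test/logo.png"><img src="/local.png">
<a href="http://other.example.test/">ordinary link</a>
<form action="http://www.example.test/subscribe"></form>"""
```

Calling `find_mixed_content("https://www.example.test/", SAMPLE)` reports the stylesheet, the logo image and the form target, and skips the canonical link, the protocol-relative script, the local image and the ordinary hyperlink.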

Related: Want to see how else you can save time on your workflow? Schedule an appointment to speak with a Duda success manager.
