
How to Fix “Your connection to this site is not secure” in Chrome

The “Not Secure” warning in Google Chrome can scare away visitors and kill conversions. This error almost always points to an issue with your website’s SSL certificate or HTTPS configuration. In this guide, we’ll show you exactly how to diagnose and fix it, fast.

What is the meaning of “Your connection to this site is not secure”?

The “not secure” message in Chrome can appear for any website, whether it’s built on WordPress or any other platform. It indicates that the website isn’t using HTTPS or doesn’t have an active SSL certificate.

Webpage with security options view in web browser showing that the connection is NOT secure.

For website visitors: What to do when you see a “not secure” message

If you run into a “not secure” message in Chrome, you may want to avoid visiting that website until the owner fixes it. It typically points to a problem with the site’s SSL certificate or HTTPS configuration.

In some cases, this can be a simple oversight. If the website owner forgets to renew their SSL certificate, it can lead to a case where the site is secure, but Chrome still warns users until the problem is fixed.

As an end user, you have some ways of trying to determine if a “not secure” error is a mistake. In Chrome, you can check the site’s SSL certificate and see if its details match the site and if it’s expired:

Webpage located at Jetpack.com with security options view and SSL Certificate details expanded.

You can use your judgment to determine whether to visit sites marked as “not secure”. Even so, if you visit a website that’s not secure, avoid entering sensitive information like passwords until the error is fixed.

For website owners: How to fix the “not secure” website message in Chrome

If your website is displaying a “not secure” error, you need to fix it immediately. Most visitors will avoid your site and might end up on a competitor’s site instead.

As we mentioned earlier, “not secure” messages in Chrome appear due to problems with the site’s SSL certificate (like not having one) or its HTTPS configuration. Let’s start by talking about certificates.

Purchase and install an SSL certificate (or get a free one)

Using an SSL certificate for your website should be non-negotiable. If you’re concerned with costs, you can set up free SSL certificates from authorities like Let’s Encrypt.

These entry-level certificates, known as Domain Validated (DV) certificates, are ideal for personal and small business websites.

Let's Encrypt webpage hero with navigation and title - "A nonprofit Certificate Authority providing TLS certificates to 450 million websites."

If you’re running a website for a large business, an ecommerce store with sizable traffic, or an enterprise project, you’ll want to opt for a more robust type, like an Organization Validated (OV) or Extended Validation (EV) SSL certificate.

There will be a cost associated with these and the application can require some level of verification and security testing, but it’s often necessary from a compliance standpoint.

If you’re looking for a web host that will install an SSL certificate for you and manage renewals, take a look at our hosting partners.

Update your website to serve only HTTPS URLs

Once you set up an SSL certificate for your site, you’ll also need to configure it to load over HTTPS. Otherwise, you’ll run into error messages when trying to access the website, regardless of what browser you’re using.

There are several ways to configure your website to only serve content using HTTPS. If your site uses an Apache server, you can modify its .htaccess file to redirect all HTTP content over HTTPS.

If you want to use this approach, it’s important to create a backup of your site first, since you’ll need to edit some of its code. In WordPress, you can do this using Jetpack VaultPress Backup, which will also create real-time backups for your site any time you make changes to it.

Then, connect to the site via file transfer protocol (FTP). Navigate to the site’s root directory and look for the .htaccess file inside. 

Open that file using a text editor. It should look something like the screenshot below, perhaps with some custom configurations depending on your site’s setup:

Screenshot of an .htaccess file with WordPress rules in place.

Now, copy the following code snippet and add it before the # END WordPress line, making sure not to touch any of the other code:

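# Turn on Apache's rewrite engine
RewriteEngine On
# Match only requests that arrived over plain HTTP
RewriteCond %{HTTPS} off
# Permanently (301) redirect to the same host and path over HTTPS
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]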

That code implements 301 or permanent redirects to route all HTTP traffic through HTTPS. We use a 301 redirect because this should be a permanent change and, this way, you’re passing your link equity to the HTTPS URLs.

If you have a WordPress website, you could also use a plugin to serve only HTTPS traffic. For example, Really Simple SSL enables you to install a free SSL certificate from the dashboard, as well as add 301 redirects to your site without needing to tinker with files manually.

Really Simple SSL plugin webpage hero with title and an array of icon and features.

Check for mixed content

In certain cases, problems with your site’s configuration can cause it to load some content over HTTPS, but not all of it. This results in a mixed content error, which can appear in the shape of a “not secure” website message in Chrome.

To check for a mixed content error, you can access the site using Chrome and open the browser’s developer tools by inspecting one of its pages. 

Move to the Security tab and check what it says under Resources in the Security overview.

Screenshot of Chrome Developer tools - Security tab showing valid SSL Certificate and secure connection info.

Ideally, you’ll see an “all served securely” message. A mixed content warning means you’ll need to revisit how your site uses HTTPS. It might also be an issue with third-party resources your site uses that are loaded over HTTP.

You can use the developer tools’ console to see what assets are loading for your website. The console will highlight mixed content resources so you can easily identify them.

The code we shared earlier for how to route HTTP traffic over HTTPS for Apache servers should work for all content. If you used that code, double-check that it was added properly to the site’s .htaccess file.

For WordPress users, there are additional reasons you might run into a mixed content warning. Sometimes, old media files will stubbornly cling to using HTTP instead. You might need to re-upload these files or use a plugin like Really Simple SSL to force all content to load over HTTPS.
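The same check can be run against a page's HTML outside the browser. The script below is an added example, not part of the original article or of any Jetpack tool: it lists the subresources an HTTPS page would request over plain HTTP, and the sample markup, URLs, and function names are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Tag/attribute pairs that make the browser fetch a subresource.
# "Active" content can change the page itself; "passive" content is media.
ACTIVE = {("script", "src"), ("iframe", "src"), ("object", "data"), ("embed", "src")}
PASSIVE = {("img", "src"), ("audio", "src"), ("video", "src"), ("source", "src")}

# Constructed sample page, assumed to be served from https://example.com/.
SAMPLE_HTML = """
<html><head>
<link rel="stylesheet" href="/wp-content/themes/demo/style.css">
<script src="http://cdn.example.net/slider.js"></script>
</head><body>
<img src="http://example.com/wp-content/uploads/2019/05/old-photo.jpg">
<img src="//static.example.com/logo.png">
<a href="http://example.org/">plain links are navigation, not mixed content</a>
</body></html>
"""


class MixedContentScanner(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []  # (kind, tag, absolute_url)

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        rel = (attrs.get("rel") or "").lower()
        for name, value in attrs.items():
            if not value:
                continue
            if (tag, name) in ACTIVE:
                kind = "active"
            elif (tag, name) in PASSIVE:
                kind = "passive"
            elif tag == "link" and name == "href" and "stylesheet" in rel:
                kind = "active"
            else:
                continue
            # Resolve relative and protocol-relative URLs against the page URL,
            # as the browser does, before looking at the scheme.
            url = urljoin(self.page_url, value.strip())
            if urlsplit(url).scheme == "http":
                self.findings.append((kind, tag, url))


def find_mixed_content(page_url, html):
    """Return (kind, tag, url) for every subresource requested over HTTP."""
    scanner = MixedContentScanner(page_url)
    scanner.feed(html)
    return scanner.findings


if __name__ == "__main__":
    for kind, tag, url in find_mixed_content("https://example.com/", SAMPLE_HTML):
        print(f"{kind:8} <{tag}> {url}")
```

The scanner only looks at element attributes; URLs inside CSS files, srcset attributes, or requests made by scripts at runtime still need the browser console check described above.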

Verify that your site is recognized by Chrome as secure

After implementing any of the above fixes, you’ll want to check to see if the error persists in Chrome. If you still see the “not secure” website message, it means the fix you implemented didn’t work.

Since “not secure” messages are tied to SSL certificates or HTTPS issues, you’ll want to ensure that both are working on your site. If you have a valid certificate set up and all content is properly configured to load over HTTPS, the error message should go away entirely.
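The certificate half of this verification (has it expired, and do its names match the site) can also be scripted. The following is an added example, not part of the original article; it works on the dictionary format returned by Python's ssl.SSLSocket.getpeercert(), and the sample certificate, problem codes, and function names are constructed for illustration.

```python
import socket
import ssl
from datetime import datetime, timezone

# Constructed sample in the dict format returned by ssl.SSLSocket.getpeercert().
SAMPLE_CERT = {
    "notBefore": "Jan  1 00:00:00 2024 GMT",
    "notAfter": "Mar 31 23:59:59 2024 GMT",
    "subjectAltName": (("DNS", "example.com"), ("DNS", "*.example.com")),
}


def _name_matches(pattern, hostname):
    """Exact match, or a '*.' wildcard covering exactly one leftmost label."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if pattern.startswith("*."):
        _, _, parent = hostname.partition(".")
        return parent == pattern[2:]
    return pattern == hostname


def _cert_time(value):
    """Convert a certificate timestamp string to an aware UTC datetime."""
    return datetime.fromtimestamp(ssl.cert_time_to_seconds(value), timezone.utc)


def assess_cert(cert, hostname, now=None, warn_days=14):
    """Return a list of problem codes; an empty list means none were found."""
    now = now or datetime.now(timezone.utc)
    not_before = _cert_time(cert["notBefore"])
    not_after = _cert_time(cert["notAfter"])
    problems = []
    if now < not_before:
        problems.append("not_yet_valid")
    if now > not_after:
        problems.append("expired")
    elif (not_after - now).days < warn_days:
        problems.append("expires_soon")  # renew before visitors see a warning
    names = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not any(_name_matches(name, hostname) for name in names):
        problems.append("hostname_mismatch")
    return problems


def fetch_cert(hostname, port=443, timeout=5):
    """Fetch a live certificate. The default context verifies it, so an expired
    or mismatched certificate raises ssl.SSLCertVerificationError here."""
    context = ssl.create_default_context()
    with socket.create_connection((hostname, port), timeout=timeout) as sock:
        with context.wrap_socket(sock, server_hostname=hostname) as tls:
            return tls.getpeercert()


if __name__ == "__main__":
    when = datetime(2024, 3, 25, tzinfo=timezone.utc)
    print(assess_cert(SAMPLE_CERT, "www.example.com", now=when))
```

Run on a schedule with fetch_cert() feeding assess_cert(), the "expires_soon" code gives advance notice of a lapsed renewal before Chrome starts showing the warning.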

Additional important security measures for website owners

Using an SSL certificate and HTTPS are great security measures. But there’s a lot more you can do to keep your site safe and protect visitors from malicious actors.

Let’s look at some effective ways to further protect your website.

1. Install a security plugin to provide 24/7 protection

This advice is for WordPress websites. Even if you don’t use WordPress, there are a lot of amazing security tools and services you can leverage to protect your site — it’s just a matter of finding the right options.

If you’re not sure where to start, look for tools that include some of the features we’ll discuss in this section. As a WordPress user, your best bet is to find security solutions that protect your website on multiple fronts.

Jetpack Security is a suite of WordPress tools designed to protect your website against attackers and restore your content in case something goes wrong. It includes a real-time backup solution, real-time malware scanning and fixes, and spam protection, along with downtime monitoring, an activity log, and protection against brute force attacks.

Jetpack Security plugin webpage with title, paragraph, and shield icon.

You can also choose individual products in the bundle if you have specific security concerns. For instance, VaultPress Backup is offered as a dedicated plugin. On its own or as part of Jetpack Security, it provides real-time backups — so every change you make, comment you receive, or order you take is always safe. 

Meanwhile, Jetpack Scan leverages the largest database of WordPress vulnerabilities (which gets regular updates) to check if your website is vulnerable in any way. You can also use the plugin to fix the majority of known issues with only a few clicks.

The Jetpack suite also includes Akismet Anti-Spam. This plugin uses machine learning to review text submissions on your site (comments, forms, even user registrations) and automatically blocks spam with 99.99% accuracy and no annoying CAPTCHA.

Akismet Anti-Spam blocks around seven and a half million spam submissions per hour across the network of sites that use it. It also continuously learns to detect new forms of spam, thanks to all that data.

2. Keep software, themes, and plugins updated

If you’re using WordPress, you’ll want to make sure that all of its components are always up-to-date — the core software, as well as the plugins and themes that you install and activate.

You can quickly check for available updates by accessing the dashboard and navigating to the Updates tab. This will give you an overview of all the elements on your site that require updates.

WordPress Dashboard updates page showing available updates for Jetpack Boost and WooCommerce plugins.

Software updates are essential because they often include security fixes. Developers might find vulnerabilities they weren’t aware of at first, or they might close security loopholes found by attackers.

The longer a plugin or a theme goes without an update, the more likely it is to be vulnerable. The same goes with WordPress. If you’re still using WordPress 5.0, for example, you’re open to a long list of known vulnerabilities.

Of course, before you update anything, you’ll want to take a backup so you can restore in case the update causes an error. If you have Jetpack VaultPress Backup, the work is already done for you.

In any case, you’ll want to be sure to update WordPress frequently. Ideally, you should check for updates every time you log into the dashboard. 

3. Use two-factor authentication (2FA) for administrative access

Everyone with administrative access to your website should have to use 2FA. This adds another security factor beyond passwords and makes it harder for attackers to gain access to the site, even if they get their hands on user credentials.

You probably already use 2FA on some of the websites you visit. Implementations can vary, as some sites will ask you to use an authentication app, while others send verification codes via email or SMS.

While 2FA can make things a bit harder for some users, it’s essential for anyone with access to the site’s back end. These are the user accounts with more administrative privileges. If attackers gain access to them, they can do a lot of damage to your website.

If you use WordPress, you can leverage the Jetpack plugin to require that admins sign in with a WordPress.com account. You can then enable a requirement for two-step authentication.

WordPress.com login options in the Jetpack plugin with all options toggled on.

This feature is available with the free Jetpack plugin, so anyone can use it. It’s a quick and simple way to create a more secure WordPress login process. 

4. Install a web application firewall (WAF)

A web application firewall is software that monitors and blocks connections to your site based on a set of rules. The best WAF products and plugins manage to block a lot of malicious traffic, typically because they have massive databases of known attackers.

Depending on the WAF, it might also be able to identify attack patterns or suspicious user activity. Overall, using the right WAF can drastically increase website security.

If you’re using WordPress, the Jetpack plugin includes a WAF you can turn on to help protect your website. It’s an option you can toggle on directly from the plugin’s settings.

Jetpack plugin settings with Jetpack's Web Application Firewall enabled (and "Share basic data with Jetpack" option selected)

Using the Jetpack firewall enables you to leverage a massive database of known attackers. To enable automatic rules, you’ll need a Jetpack Scan or a Jetpack Security license.

Security

We guard your site. You run your business.

Jetpack Security provides easy‑to‑use, comprehensive WordPress site security, including real‑time backups, a web application firewall, malware scanning, and spam protection.

Secure your site

5. Regularly back up your website

Having recent backups of your site is one of the best ways to circumvent security issues and vulnerabilities. If attackers manage to gain access, you can often fix the problem by restoring a recent backup and implementing additional security measures from that point forward.

The biggest issue with backups is that you’ll often lose data when restoring your site to an earlier state. This is particularly true if the last backup you made was weeks ago.

Jetpack VaultPress Backup offers real-time backups for WordPress websites. This means that every time you make a change to the site, the plugin saves it.

Jetpack VaultPress Backup webpage with title, paragraph, and image/icon tile element to the right.

VaultPress Backup eliminates the problem of not having access to recent backups. It also stores backups off site, so if something happens to your server, your site copies are still safe. 

Jetpack Security for WordPress sites

Jetpack Security offers a full suite of products that can help you protect your WordPress site. These include Jetpack Scan, VaultPress Backup, Akismet Anti-Spam, and more.

You can use Jetpack Scan to run automatic malware and vulnerability scans on your website and quickly fix the majority of issues in a matter of clicks. The plugin leverages the largest known database of WordPress security vulnerabilities to keep your site safe.

Jetpack Scan webpage with title, paragraph, and image/icon tile element to the right.

Jetpack Scan also gives you access to automatic rules for the plugin’s web application firewall. These rules help protect your site against attackers thanks to Jetpack’s growing database of known malicious actors.

With VaultPress Backup, you get to rest easy knowing that anytime you make changes to your site, the plugin will keep it safe. This real-time backup technology makes it so you never lose important data if you need to restore your website to a previous state.

With Jetpack Security, you also have downtime monitoring and an activity log that enables you to check everything that’s happening on your website and identify what actions (and who took them) may have caused an issue. Every time someone logs into your site, updates a page, changes a configuration, or adds code to a core file, it will all be there in the activity log.

Jetpack Security is the ideal, comprehensive security solution for WordPress with over 27 million installs and counting.

Frequently asked questions

If you still have any questions left about how to fix the “not secure” website message in Chrome and how to protect your site in general, this section will answer them.

What is HTTPS, and how does it differ from HTTP?

HTTPS is the secure version of HTTP. Data you send or receive over HTTPS is encrypted to prevent tampering. A website that uses HTTPS also has a valid SSL certificate.

How does an SSL certificate protect information on a website?

An SSL certificate is a digital certificate that proves a website is authentic. It can protect information on a website by enabling you to use HTTPS. Secure HTTPS connections are less vulnerable to cyberattacks.

How do I purchase an SSL certificate for my website?

Depending on your site and its scope, you might need to pay for an SSL certificate. But a lot of sites can use a free one. Some certificate authorities like Let’s Encrypt offer free certificates that you can easily set up on your website.

Can I use a free SSL certificate and is it secure?

You can use a free SSL certificate for most sites, though it’s not recommended for projects with higher security needs, like large ecommerce stores. For most sites, a free SSL certificate will satisfy all of your requirements.

Can SSL certificates expire? If so, can I automate their renewal?

SSL certificates do expire. They need to be renewed periodically as a matter of security, so the site owner can verify they still operate the website. Even so, you can automate the renewal process for most certificates. If you use a web host that offers a free certificate, they’re likely to renew it for you as well.

What should I do if my website shows a “mixed content” warning?

If your site shows a mixed content warning, check that all its components are loading over HTTPS. You might need to implement a redirect to force requests to go through HTTPS or identify the content that’s causing the error and replace it.

What other best practices should I follow to secure my website?

Aside from using an SSL certificate and HTTPS, it’s always best to make regular backups of your site. You should also set up a WAF to block malicious traffic, use spam prevention tools, enable 2FA, and keep your website’s components updated.

What types of tools are recommended for enhancing website security?

When looking for security solutions for your site, consider options that offer real-time backups, malware and vulnerability scanners, activity logs, 2FA, and a WAF. Jetpack Security includes all of those features and more.

Jetpack Security: The fast & easy way to secure your WordPress website

The “not secure” website message in Chrome is one of multiple SSL errors you might encounter. SSL certificates and HTTPS are essential security measures for modern websites, but they’re not the only things that can protect your site.

Once you’ve set up an SSL certificate and enabled HTTPS, you’ll want to move on to other security measures. With Jetpack Security, you can implement multiple security improvements with a single suite of tools. This includes real-time backups and malware scanning, downtime monitoring, brute force attack protection, activity logs, and much more.

If you want to keep your WordPress site safe, give the Jetpack Security suite a try. You can also choose to access select features through individual plugins, including Jetpack VaultPress Backup, Jetpack Protect, and Akismet Anti-Spam. Boost your site’s security today!


Jen Swisher

Jen is a Customer Experience Specialist for Jetpack. She has been working with WordPress and Jetpack for over a decade. Before starting at Automattic, Jen helped small businesses, local non-profits, and Fortune 50 companies create engaging web experiences for their customers. She is passionate about teaching others how to create on the web without fear.
