
How to Fix Not Secure WordPress Website (Step-by-Step for Beginners)


You’ve just opened your WordPress website, only to be greeted by a browser warning that says “Not Secure.” It’s a message no site owner wants to see, one that can turn away potential visitors, harm your search rankings, and shake your brand’s credibility.


This isn’t just a minor technical glitch. This message typically appears when your website does not use HTTPS, which encrypts traffic with SSL/TLS (Secure Sockets Layer and its successor, Transport Layer Security). It means your site is transmitting data over an unsecured connection, which attackers can intercept.

And, if your WordPress site displays “not secure,” it’s a sign that your connection lacks HTTPS protection, and sensitive data, such as passwords or credit card information, could be at risk.

In this guide, we’ll walk you through how to fix the “not secure warning” on WordPress, install SSL on WordPress, and ensure your site uses HTTPS correctly. If you’re a beginner looking for an easy way to fix the WordPress site not secure issue, or you need step-by-step help for a WordPress SSL fix, this guide has you covered.

How to Fix the ‘Not Secure’ Warning in WordPress (Step-by-Step)

If your WordPress site displays a ‘not secure’ warning, it’s a message you can’t afford to ignore. The good news is that this issue can be resolved, even without deep technical knowledge.

Let’s get started with securing your WordPress website with HTTPS.

Step 1: Verify the Status of Your SSL Certificate

The first step is to verify that your WordPress SSL certificate is installed and valid. A quick way to do this is by using the free tool at Qualys SSL Labs:

  • Wait for the test to complete. It will provide you with a grade and display details about your SSL certificate status.

If your SSL certificate is missing or expired, move on to Step 2. 

If it’s installed but you’re still seeing the ‘WordPress site not secure’ warning, proceed to Step 3.

Step 2: Install a New SSL Certificate (If Expired or Missing)

Note: Follow this step only if your SSL certificate is expired or missing!

To install SSL on WordPress, you typically do this through your web hosting provider:

  • Log in to your hosting dashboard (e.g., WP Engine, Bluehost, SiteGround).
  • Navigate to the SSL or Security settings of your WordPress site.
  • Choose to add a new SSL certificate.
  • Select a free SSL certificate (Let’s Encrypt) or a paid option for more features and support.

Once added, activation can take a few minutes to a few hours. Keep refreshing your site to confirm that HTTPS is working.

Step 3: Fix Your Certificate If It’s Valid

Note: If your SSL certificate is valid but the site still isn’t redirecting to HTTPS, you need to force it. 

Here are three ways to do that:

Option 1: Use a Plugin (Recommended)

  • Go to Plugins → Add Plugin in your WordPress dashboard.
  • Search for Really Simple SSL and install it.
  • Activate the plugin.
  • Go to Security and click “Activate SSL.”

This plugin automatically handles most HTTPS migrations, including forcing SSL across all pages. If needed, their Pro version addresses more complex issues.

Option 2: Use FTP to Edit Files

  • Use FileZilla or any FTP client and log in to your server.
  • Locate your root folder, typically public_html.
  • Find and edit the .htaccess file by adding:
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
</IfModule>
  • Next, find and edit wp-config.php and add:
define('FORCE_SSL_ADMIN', true);
  • Save the files, re-upload, and reload your website.

Check your site to confirm it’s now running over HTTPS.

Step 4: Redirect Your Site’s URLs from HTTP to HTTPS

Even after enabling SSL, your WordPress address settings might still use HTTP. 

Fix that by:

  • Go to Settings → General in your WordPress dashboard.
  • Look for the WordPress Address (URL) and Site Address (URL) fields.
  • If they start with http://, change both to https://.
  • Save changes and refresh your site.

Step 5: Replace HTTP Entries With HTTPS in Your Database

Sometimes, your content still references HTTP, leading to mixed content errors. 

Some WordPress hosts help you with these technical aspects of certificate installation, such as replacing HTTP entries in your database.

In case yours doesn’t, we recommend Better Search Replace, a free plugin you can install and activate via WordPress.

  • Head to Plugins > Add Plugin from your WordPress dashboard. 
  • Search for Better Search Replace in the plugin search box and install the plugin. 
  • Activate the plugin. 

Upon activation, 

  • Go to Tools → Better Search Replace.
  • In the Search For box, enter your http:// version.
  • In Replace With, enter the https:// version.
  • Select all tables.
  • First, run a dry run to preview changes.
  • Then run the actual replacement and hit Run Search/Replace.

This step helps you fix mixed content WordPress issues quickly and efficiently.
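Why this step calls for a serialization-aware tool rather than a plain text replace: WordPress stores many settings as PHP-serialized strings whose s:N prefix is a byte count, and changing http:// to https:// makes the value one byte longer than declared. The sketch below is an added Python example, not Better Search Replace's code; the option value and the example.com URLs are constructed for illustration.

```python
import re

# Header of a PHP serialized string token: s:<byte length>:"
_STR_HEADER = re.compile(rb's:(\d+):"')

def _walk(blob, edit):
    """Copy blob, passing each string token's value through edit() and
    rewriting its length prefix. Raises ValueError on a wrong prefix."""
    out, i = bytearray(), 0
    while i < len(blob):
        m = _STR_HEADER.match(blob, i)
        if not m:
            out += blob[i:i + 1]          # structural byte, copy unchanged
            i += 1
            continue
        start = m.end()
        end = start + int(m.group(1))     # lengths count bytes, not characters
        if blob[end:end + 2] != b'";':
            raise ValueError("length prefix mismatch at byte %d" % i)
        value = edit(blob[start:end])
        out += b's:%d:"%s";' % (len(value), value)
        i = end + 2
    return bytes(out)

def replace_in_serialized(blob, old, new):
    """Search/replace inside string values, keeping length prefixes correct."""
    return _walk(blob, lambda v: v.replace(old, new))

def lengths_consistent(blob):
    """True if every string token's declared length matches its content."""
    try:
        _walk(blob, lambda v: v)
        return True
    except ValueError:
        return False

# Constructed wp_options-style value (not taken from a real site).
SAMPLE = b'a:2:{s:4:"logo";s:27:"http://example.com/logo.png";s:5:"title";s:4:"Demo";}'
OLD, NEW = b"http://example.com", b"https://example.com"

if __name__ == "__main__":
    naive = SAMPLE.replace(OLD, NEW)      # what a plain text replace produces
    print("naive replace still valid:", lengths_consistent(naive))
    fixed = replace_in_serialized(SAMPLE, OLD, NEW)
    print("aware replace still valid:", lengths_consistent(fixed))
    print(fixed.decode())
```

A string value that itself holds nested serialized data is treated as opaque text here, so its inner prefixes are not rewritten.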

Step 6: Check for HTTP Errors and Mixed Content

Even after replacing URLs, some elements, such as images or scripts, may still load over HTTP.

To check for mixed content:

  • Enter your domain and complete the CAPTCHA.
  • Review results to identify insecure items.

If issues remain, install and activate the SSL Insecure Content Fixer plugin:

  • Head to Plugins > Add Plugin from your WordPress dashboard. 
  • Search for SSL Insecure Content Fixer in the plugin search box and install the plugin. 
  • Activate the plugin. 

Upon activation,

  • Go to Settings → SSL Insecure Content.
  • Choose “Simple” to start.
  • If problems persist, try higher fix levels, such as “Content”, “Widgets”, or “Capture All.”

Step 7: Update Google Analytics and Search Console

Finally, to preserve SEO and tracking:

  • Log in to Google Search Console
  • Add a new property with your https:// version.
  • Submit your updated sitemap.

In Google Analytics, change your website URL to the HTTPS version under Admin → Property Settings.

With these 7 actionable steps, you now have a secure WordPress website with HTTPS, resolving the not secure warning once and for all. 

How to Further Secure Your WordPress Website (Advanced Tips)

Once you’ve fixed the “Not Secure” warning and enabled HTTPS, your WordPress site is on the right track. But if you want to fully secure your website from hackers, bots, and future threats, there are a few additional steps you should take.

Below are some powerful techniques to harden your site’s security, even if you’re not a developer. Think of these as advanced but essential WordPress security best practices:

Install a WordPress Security Plugin

A good WordPress security plugin can monitor, scan, and block malicious activities in real-time. Two excellent options are Wordfence and Solid Security. Both plugins are beginner-friendly and offer free versions with premium upgrades.

Use a Web Application Firewall (WAF)

A Web Application Firewall (WAF) acts as a protective shield between your site and malicious traffic. It filters out hacking attempts before they even reach your server. You can use Wordfence’s built-in firewall or opt for cloud-based options like Sucuri or Cloudflare WAF.

Keep WordPress Core, Themes, and Plugins Updated

Many hackers exploit outdated WordPress installations. To prevent this:

  • Regularly update WordPress core, themes, and plugins.
  • Remove unused themes or plugins to minimize vulnerabilities.
  • Enable automatic updates when possible.

If you’re managing multiple websites, tools like ManageWP or MainWP can help automate updates across all of them.

Disable File Editing in wp-config.php

By default, WordPress allows admins to edit theme and plugin files from the dashboard, which can be dangerous if someone gains unauthorized access.

To disable this feature:

  • Access your site via FTP or File Manager in cPanel.
  • Open the wp-config.php file.
  • Add the following line:
define('DISALLOW_FILE_EDIT', true);

This simple tweak prevents hackers from injecting malicious code via the built-in editor.

Enforce Strong Passwords and Limit Login Attempts

Weak passwords are one of the easiest ways for attackers to gain access.

To protect your site:

  • Require strong passwords for all users.
  • Use a plugin like Limit Login Attempts Reloaded or Loginizer to lock out users after several failed login attempts.
  • Consider hiding the default login URL (/wp-login.php) with plugins like WPS Hide Login.

This makes brute force attacks much harder to pull off.

Enable Two-Factor Authentication (2FA)

Two-Factor Authentication adds an extra layer of login security.

With 2FA, users must enter a code from their phone or authentication app in addition to their password.

  • Use plugins like WP 2FA, Google Authenticator, or Wordfence Login Security.
  • You can enable this for all users or just for admins.

Even if your password is stolen, 2FA makes it nearly impossible for attackers to log in.

Set Up Regular Backups

In case something goes wrong, a recent backup is your best safety net.

We recommend UpdraftPlus or BlogVault for this. Always store backups offsite (like Dropbox, Google Drive, or Amazon S3) and test restore points periodically.

Use reCAPTCHA on Forms

Spambots love to target contact and login forms.

To reduce spam and improve security:

  • Add Google reCAPTCHA to your contact, comment, login, and registration forms.
  • Most form plugins, such as WPForms, Gravity Forms, or Contact Form 7, support reCAPTCHA integration.

Use v2 (checkbox) or v3 (invisible) depending on your preference and user experience goals.

Disable XML-RPC (If Not Needed)

XML-RPC allows apps to connect to your WordPress site remotely, but it’s also a common target for DDoS and brute force attacks.

Unless you use remote publishing tools or the WordPress mobile app, it’s best to disable it:

  • Add the following code to your .htaccess file:
<Files xmlrpc.php>
  Order Allow,Deny
  Deny from all
</Files>

Alternatively, use a plugin like Disable XML-RPC or block it through your firewall settings.

By following these advanced tips, you can significantly enhance your site’s security and minimize the risk of being hacked. 

Just as installing an SSL certificate and enabling HTTPS are essential for keeping your website safe in the long term, these WordPress security hardening techniques are also crucial.

Conclusion

Securing your WordPress website is a crucial step in protecting your online presence, user data, search engine rankings, and business reputation. 

Thankfully, fixing this issue isn’t as complicated as it seems. 

By installing an SSL certificate, updating your site settings, removing mixed content, and implementing advanced security best practices, you can ensure your site operates securely on HTTPS and remains protected in the long term.

Have questions or run into issues while fixing the WordPress connection not secure error? Leave a comment below, and we’ll do our best to help you out!

Frequently Asked Questions (FAQs)

How do I know if my WordPress site has an SSL certificate?

You can check using tools like Qualys SSL Labs. Just enter your domain and view the results. You should also see a padlock icon in your browser’s address bar if your certificate is active.

Can I get a free SSL certificate for my WordPress site?

Yes. Many hosting providers offer free SSL certificates through Let’s Encrypt. These are ideal for small to medium-sized websites, providing solid protection.

What’s the difference between free and paid SSL certificates?

Free SSLs offer basic encryption, while paid ones often include extended validation, higher warranty levels, faster support, and better authentication—useful for e-commerce or large business sites.

Why is my site still showing “Not Secure” even after installing SSL?

This usually happens due to mixed content issues—some resources (images, scripts, stylesheets) are still being loaded over HTTP. Use plugins like SSL Insecure Content Fixer to resolve them.

How does having HTTPS affect my SEO?

Google has confirmed that HTTPS is a ranking factor. Secure websites are favored in search results, and browsers like Chrome warn users away from non-HTTPS sites, so it directly impacts your visibility and traffic.

How often should I check my site’s security status?

Run security scans weekly and always after major updates. Utilize plugins like Wordfence or services like Sucuri to monitor threats, uptime, and integrity in real-time.

AL SUZAUD DOWLA
Al Suzaud Dowla turns complex ideas into plain English, helping folks fix their software and website related issues without summoning tech support—or their last shred of patience!
