Website Not Secure: How to Fix the SSL Certificate Error

Steven | TrustYourWebsite · 6 April 2026 · Last updated: May 2026

When a browser displays "Not Secure" in the address bar or shows a certificate warning, it means one of two things: your website is running on plain HTTP instead of HTTPS, or the HTTPS certificate has a problem.

This is both a security issue and a GDPR issue. Under Article 32, the GDPR requires appropriate technical security measures for websites that process personal data, and HTTPS is the baseline. Run our free HTTPS and security-header check on your site if you want to see exactly which problem applies before reading further.

What "Not Secure" Actually Means

Scenario 1: No HTTPS at all

Your website uses http://yourdomain.com instead of https://yourdomain.com. All data transmitted between your visitors' browsers and your server, including login credentials, contact form submissions and session cookies, travels in plain text. Anyone on the same network (public WiFi, internet service provider, corporate network) can read this data.

Chrome (since 2018) marks all HTTP sites as "Not Secure." Firefox shows a warning icon. Mobile browsers show similar warnings.

Scenario 2: Expired certificate

Your site uses HTTPS, but the TLS certificate has expired. Browsers refuse to connect by default and show a full-page warning ("Your connection is not private" in Chrome). Most visitors will leave immediately.

Scenario 3: Certificate name mismatch

The certificate is issued for www.yourdomain.com but your site also runs at yourdomain.com (or vice versa), and the certificate does not cover both. Browsers treat this as a separate security failure.

Scenario 4: Mixed content

Your site runs HTTPS, but some resources (images, scripts, stylesheets) are still loaded over HTTP. Browsers block or warn about these "mixed content" resources. The result: parts of your page may not load, or browsers show a degraded security indicator.

Understanding TLS/SSL Certificates

A TLS certificate (commonly still called an SSL certificate, though SSL is outdated) does two things:

  1. Encrypts the connection between visitor and server, so data cannot be read in transit
  2. Authenticates the server, so visitors can verify they are actually connecting to your server, not an impostor

Certificates are issued by Certificate Authorities (CAs). The most common for websites:

  • Let's Encrypt: free, automated, 90-day certificates (auto-renewed)
  • ZeroSSL: free alternative to Let's Encrypt
  • DigiCert, Sectigo, GlobalSign: paid certificates with longer validity and support

For most websites, a free Let's Encrypt certificate is fully sufficient. Paid certificates provide no security benefit for standard websites. The difference is mainly support and validation level (OV/EV certificates show company name in some browsers).

How to Fix Each Scenario

Fix 1: Enabling HTTPS from scratch

Step 1: Check your hosting provider's documentation

Most modern hosting providers offer one-click HTTPS activation via Let's Encrypt:

  • TransIP: Control panel → SSL → Enable Let's Encrypt
  • Antagonist: Hosting panel → SSL certificates → Let's Encrypt
  • SiteGround: Site Tools → Security → SSL Manager → Let's Encrypt
  • Cloudflare: Enable SSL/TLS in Cloudflare dashboard (if DNS is on Cloudflare)
  • WP Engine, Kinsta, Flywheel: HTTPS is on by default

Step 2: Enable HTTPS redirect

After enabling HTTPS, ensure all HTTP traffic redirects to HTTPS. In most control panels this is a checkbox ("Force HTTPS" or "HTTP to HTTPS redirect"). Manually, add to .htaccess (Apache):

RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

Step 3: Fix your WordPress site URL

If you run WordPress, update the URLs in Settings → General:

  • WordPress Address (URL): https://yourdomain.com
  • Site Address (URL): https://yourdomain.com

Step 4: Update internal links and resource URLs

Change hardcoded http:// links in your content and theme to https:// or relative //. The Better Search Replace plugin can help replace URLs in the database.

Fix 2: Renewing an expired certificate

If you use Let's Encrypt, certificates auto-renew every 60-80 days (out of the 90-day validity). If auto-renewal failed:

Using Certbot (command line):

sudo certbot renew --force-renewal

Via hosting control panel: Most panels have a "Renew" button next to the certificate. Click it.

Via Cloudflare: Cloudflare-managed certificates are automatically renewed, no action needed.

Set up monitoring so you receive an alert before certificates expire. Services like UptimeRobot (free tier) monitor certificate expiry and send email alerts 30 days before expiration.

Fix 3: Certificate name mismatch

Request a certificate that covers all variants of your domain:

  • yourdomain.com (the apex/root domain)
  • www.yourdomain.com (the www subdomain)

Let's Encrypt supports Subject Alternative Names (SANs): one certificate can cover multiple domains and subdomains at no extra cost.

If you run multiple subdomains (blog.yourdomain.com, shop.yourdomain.com), use a wildcard certificate: *.yourdomain.com. Let's Encrypt supports wildcards via the DNS challenge method.
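To check a certificate for the expiry scenario of Fix 2 and the name-mismatch scenario of Fix 3 without a browser, here is an added example (not code from the article). It takes a certificate in the dictionary shape Python's ssl.SSLSocket.getpeercert() returns; the certificate, hostnames and audit date are constructed, and the wildcard matching shows why *.yourdomain.com does not cover the apex domain.

```python
import ssl
import time

# Constructed sample in the shape ssl.SSLSocket.getpeercert() returns after a
# verified connection: it covers www and one level of subdomain, but not the apex.
SAMPLE_CERT = {
    "subjectAltName": (("DNS", "www.yourdomain.com"), ("DNS", "*.yourdomain.com")),
    "notAfter": "Jun 30 12:00:00 2026 GMT",
}
# Fixed reference clock (1 May 2026 UTC) so the demo is reproducible.
AUDIT_TIME = ssl.cert_time_to_seconds("May  1 00:00:00 2026 GMT")

def dns_names(cert):
    """DNS names the certificate is valid for. Only SAN entries count; browsers ignore the CN."""
    return [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]

def name_matches(pattern, hostname):
    """Match as browsers do: a wildcard stands for exactly one label, so *.yourdomain.com
    covers blog.yourdomain.com but neither yourdomain.com nor a.b.yourdomain.com."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == hostname
    suffix = pattern[1:]                       # ".yourdomain.com"
    if not hostname.endswith(suffix):
        return False
    left = hostname[:-len(suffix)]             # what the '*' would have to stand for
    return left != "" and "." not in left

def covers_hostname(cert, hostname):
    return any(name_matches(name, hostname) for name in dns_names(cert))

def days_until_expiry(cert, now=None):
    expires = ssl.cert_time_to_seconds(cert["notAfter"])
    return (expires - (time.time() if now is None else now)) / 86400

def diagnose(cert, hostname, now=None, warn_days=30):
    """Return the article's scenarios that apply: expired, expiring soon, name mismatch."""
    problems = []
    days = days_until_expiry(cert, now)
    if days < 0:
        problems.append("expired certificate")
    elif days < warn_days:
        problems.append(f"certificate expires in {int(days)} days")
    if not covers_hostname(cert, hostname):
        problems.append(f"name mismatch: {hostname} not covered by {dns_names(cert)}")
    return problems

if __name__ == "__main__":
    for host in ("yourdomain.com", "www.yourdomain.com", "blog.yourdomain.com"):
        print(host, diagnose(SAMPLE_CERT, host, AUDIT_TIME) or ["OK"])
```

The 30-day warning threshold matches the alert window mentioned under Fix 2, so the same function can back a cron-driven expiry monitor.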

Fix 4: Mixed content

Find all HTTP resources on your HTTPS page:

Using Chrome developer tools:

  1. Open your site in Chrome
  2. F12 → Console tab
  3. Look for "Mixed Content" warnings; they list the specific resource URLs

Using tools:

Fixes:

  • Change src="http://example.com/image.jpg" to src="https://example.com/image.jpg" (or src="//example.com/image.jpg" for protocol-relative)
  • For external resources you do not control: check if HTTPS is available at the same URL
  • For resources that only offer HTTP (old embeds, legacy widgets): replace them
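An added example (not from the article) that scans page HTML for resources that would be fetched over HTTP, producing the same list the Chrome console shows, using Python's built-in HTML parser. The page URL https://yourdomain.com/ and the sample markup are constructed; the scan distinguishes active content (scripts, stylesheets, frames), which browsers block, from passive content (images, media).

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Constructed sample page (not from the article), served from https://yourdomain.com/.
SAMPLE_HTML = """<html><head>
<link rel="stylesheet" href="http://cdn.example.com/style.css">
<script src="//cdn.example.com/app.js"></script>
</head><body>
<img src="http://yourdomain.com/logo.png">
<img src="/images/hero.jpg">
<a href="http://partner.example.com/">partner</a>
<iframe src="http://legacy-widget.example.com/embed"></iframe>
</body></html>"""

# Attributes that make the browser fetch a subresource; an <a href> is a navigation, not mixed content.
SUBRESOURCE_ATTRS = {
    "script": ("src",), "iframe": ("src",), "object": ("data",), "embed": ("src",),
    "img": ("src", "srcset"), "source": ("src", "srcset"), "audio": ("src",), "video": ("src", "poster"),
}
# Browsers block active content outright; passive content is upgraded or shown with a warning.
ACTIVE_TAGS = {"script", "iframe", "object", "embed", "link"}

class MixedContentFinder(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url, self.findings = page_url, []   # findings: (tag, attribute, absolute URL, kind)

    def handle_starttag(self, tag, attrs):
        attrs = {name: value for name, value in attrs if value is not None}
        candidates = list(SUBRESOURCE_ATTRS.get(tag, ()))
        if tag == "link" and "stylesheet" in attrs.get("rel", "").lower().split():
            candidates.append("href")
        for attr in (a for a in candidates if a in attrs):
            # srcset holds "url 1x, url 2x"; every other attribute is a single reference.
            raw = attrs[attr].split(",") if attr == "srcset" else [attrs[attr]]
            for ref in (r.split()[0] for r in raw if r.strip()):
                # Relative and protocol-relative (//host/...) references inherit https from the page.
                url = urljoin(self.page_url, ref)
                if urlsplit(url).scheme == "http":
                    kind = "active" if tag in ACTIVE_TAGS else "passive"
                    self.findings.append((tag, attr, url, kind))

def find_mixed_content(html, page_url):
    finder = MixedContentFinder(page_url)
    finder.feed(html)
    return finder.findings

if __name__ == "__main__":
    for tag, attr, url, kind in find_mixed_content(SAMPLE_HTML, "https://yourdomain.com/"):
        print(f"{kind:7} <{tag} {attr}> {url}")
```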

HSTS: Locking in HTTPS

After HTTPS is working correctly, add an HTTP Strict Transport Security (HSTS) header to tell browsers to always use HTTPS for your domain, even if a user types http://:

Strict-Transport-Security: max-age=31536000; includeSubDomains

Start with a short max-age (e.g., 300 seconds) to test, then increase to 31536000 (one year) once you are confident.

Warning: Once HSTS is set with a long max-age, your site must always serve valid HTTPS. If your certificate expires and you cannot renew it, visitors cannot access your site until the HSTS expiry time passes.
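An added example (not from the article) that verifies the two pieces of server configuration covered above, the HTTP-to-HTTPS redirect from Fix 1 and the HSTS header, against captured responses. The responses and the URL are constructed, and header names are assumed to appear in their canonical capitalisation.

```python
from urllib.parse import urlsplit

# Constructed responses (not from the article) for the same path fetched over http://
# and https://, reduced to status code plus the headers that matter here.
HTTP_RESPONSE = {"status": 301, "headers": {"Location": "https://yourdomain.com/contact"}}
HTTPS_RESPONSE = {"status": 200, "headers": {"Strict-Transport-Security": "max-age=300; includeSubDomains"}}
ONE_YEAR = 31536000

def parse_hsts(value):
    """Parse a Strict-Transport-Security value into {directive: value}; max-age becomes an int."""
    directives = {}
    for part in value.split(";"):
        name, _, val = part.strip().partition("=")
        if name:
            directives[name.lower()] = val.strip().strip('"') or None
    if "max-age" in directives:
        directives["max-age"] = int(directives["max-age"] or 0)
    return directives

def check_redirect(url, response):
    """Fix 1, step 2: the http:// URL must redirect permanently to the same host and path on https://."""
    src = urlsplit(url)
    location = response["headers"].get("Location", "")
    dst = urlsplit(location)
    if response["status"] not in (301, 308):         # 301 as in the .htaccess rule; 308 is also permanent
        return f"expected a permanent redirect, got {response['status']}"
    if dst.scheme != "https" or dst.netloc != src.netloc or dst.path != src.path:
        return f"redirect goes to {location!r}, expected https://{src.netloc}{src.path}"
    return None

def check_hsts(response, min_age=ONE_YEAR):
    """HSTS: header present, max-age at its final value, subdomains included."""
    raw = response["headers"].get("Strict-Transport-Security")
    if raw is None:
        return "no Strict-Transport-Security header"
    hsts = parse_hsts(raw)
    age = hsts.get("max-age", 0)
    if age < min_age:
        return f"max-age {age} is below {min_age}: still in the test phase"
    if "includesubdomains" not in hsts:
        return "includeSubDomains directive missing"
    return None

if __name__ == "__main__":
    print("redirect:", check_redirect("http://yourdomain.com/contact", HTTP_RESPONSE) or "OK")
    print("hsts:    ", check_hsts(HTTPS_RESPONSE) or "OK")
```

The path comparison in check_redirect is what the %{REQUEST_URI} part of the .htaccess rule is for: a redirect that lands every deep link on the homepage passes a naive "is it HTTPS" check but breaks bookmarks and search results.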

GDPR Implications of HTTP

If your website accepts contact form submissions, newsletter signups or login credentials over HTTP (without HTTPS), the personal data in those submissions is transmitted in the clear. This is a direct Article 32 GDPR violation: you are failing to apply appropriate technical security measures. The Autoriteit Persoonsgegevens (AP) lists encryption-in-transit as a baseline technical measure in its richtsnoeren beveiliging persoonsgegevens for Dutch controllers, alongside hashing of passwords and patching of known vulnerabilities.

The AP has not issued fines specifically for HTTP-only websites as of 2026, but:

  • A data breach involving unencrypted form submissions would be treated as aggravated by the lack of HTTPS
  • A website auditor or security researcher reporting your HTTP form to the AP would likely trigger an investigation
  • HTTPS is now considered an absolute baseline; the AP's guidance on technical measures cites encryption as a required measure

Summary

Issue                  Fix
No HTTPS at all        Enable Let's Encrypt via hosting control panel
Expired certificate    Renew via control panel or certbot renew
Name mismatch          Issue a certificate covering all domain variants
Mixed content          Update resource URLs to HTTPS
No HSTS                Add Strict-Transport-Security header

Check your website's HTTPS status at SSL Labs for a detailed certificate analysis. Or scan your website for a complete compliance overview including HTTPS, security headers and cookie issues.


This article is technical analysis, not legal advice. Consult a lawyer for advice specific to your situation.
