Skip to content
Tanner
Preserve
All guides
Security and trust

HTTPS: kill the "Not secure" warning in five steps

5 min readUpdated July 1, 2026
01

Check your site right now

Open Chrome and type your website address with http:// in front, like http://yourbusiness.com. If the address bar changes to https:// on its own, you're mostly done and just need to run the checks in steps 3 and 5. If it stays on http and shows a Not secure label next to your address, every customer who visits sees that same label sitting next to your business name.

This matters more than it looks. Chrome has flagged every plain http page as Not secure since 2018, and Google confirmed back in 2014 that https is a ranking signal. Worse, any contact form on an http page sends the customer's name and phone number across the internet unencrypted. The fix is an SSL certificate: a small file your web host installs that encrypts traffic between your site and the visitor's browser. It's free almost everywhere now, and the whole job fits in 30 minutes.

02

Step 1: turn on a certificate

Where you flip the switch depends on where your site lives. Find your setup in this list:

  • Wix: nothing to do. Every Wix site includes HTTPS automatically. If you still see Not secure on a Wix site, the problem is step 3 (mixed content), so skip ahead.
  • Squarespace: go to Settings > Developer tools > SSL and pick Secure (Preferred). Newer sites have this on by default, but a site built years ago may still be set to Insecure.
  • GoDaddy Websites + Marketing builder: included automatically, same as Wix.
  • WordPress or any site on shared hosting (Bluehost, SiteGround, HostGator, and most others): log in to your hosting dashboard, open cPanel, and go to Security > SSL/TLS Status. Select your domain and click Run AutoSSL. The host installs a free Let's Encrypt certificate, usually within a few minutes. Some hosts skip cPanel and put a one-click Free SSL or Let's Encrypt button right on the main dashboard instead.
  • Your host wants money for SSL: don't pay it. Some hosts still sell certificates for $70-$100 a year that do the same thing as a free one. Sign up for a free Cloudflare account at cloudflare.com, add your site, and follow its prompts to change your nameservers at your registrar. The free plan includes a certificate (Cloudflare calls it Universal SSL). The nameserver change can take up to a day to finish, so start this one first and come back.
Field note

SSL, TLS, and HTTPS get used interchangeably and that's fine. The certificate is the file, https is what your address bar shows once it's working.

03

Step 2: force everyone onto https

A certificate alone doesn't finish the job. Your site now exists at both http:// and https://, and old links, bookmarks, and business listings still point at the http version. You need a redirect that pushes every visitor to the secure address automatically.

  • WordPress: install the free Really Simple SSL plugin (Plugins > Add New, search 'Really Simple SSL'), activate it, and click the Activate SSL button it shows you. It sets up the redirect and updates your site address in one shot.
  • cPanel hosting without WordPress: open the Domains page in cPanel and flip the Force HTTPS Redirect toggle next to your domain.
  • Cloudflare: go to SSL/TLS > Edge Certificates and turn on Always Use HTTPS.
  • Wix, Squarespace, GoDaddy builder: the redirect happens automatically once SSL is on. Nothing to configure.
Field note

Test it: type http://yourbusiness.com into the address bar and hit enter. It should land on https:// without you doing anything. If it doesn't, the redirect isn't live yet.

04

Step 3: fix mixed content warnings

Mixed content means the page itself loads over https but something on it (an image, a font, an old script) still loads over plain http. The browser reacts by dropping the secure indicator or showing Not fully secure, which reads the same as broken to a customer.

If you're on WordPress, Really Simple SSL fixes most of this automatically. For everything else, go to whynopadlock.com, paste in your page address, and run the free check. It lists the exact files still loading over http. The usual culprit is an image that was pasted in with its full http:// address years ago, often the logo in the header or footer. Open that page in your site editor, delete the image, and re-insert it from your media library. Repeat the check until it comes back clean, then spot-check your home page, services page, and contact page the same way.

05

Step 4: update Google

Your redirect catches visitors, but tell Google directly so it treats the https version as the real one:

  • Google Search Console: if you verified your site as a URL prefix property, the https version counts as a separate property. Click Add property and verify https://yourbusiness.com the same way you did the first one. If you used a Domain property, it already covers both and you can skip this.
  • Google Business Profile: open your profile manager, go to Edit profile > Contact, and check that the Website field starts with https://. Update it if not.
  • Google Analytics: in Admin > Data streams, open your web stream and update the URL to https.
Field note

Your rankings won't take a hit from the switch. Google treats a proper redirect as the same site at a new address, and https itself counts in your favor. Positions can wobble for a short stretch while Google recrawls, then settle.

06

Step 5: confirm it sticks

Run your domain through the free test at ssllabs.com/ssltest. It takes a couple of minutes and grades your setup. An A is great, a B is fine for a local service site. An F or a T means something is wrong, and the report says what.

The one way this breaks later is expiration. Let's Encrypt certificates last 90 days and your host renews them automatically, but auto-renewal fails sometimes. When it does, visitors get a full-page 'Your connection is not private' error instead of your website, which is far worse than the old Not secure label. Put a repeating reminder on your calendar every couple of months: open your site in a private browser window and confirm the address bar shows https with no warnings. Thirty seconds, and you'll catch a dead certificate before a customer does.

Common questions

Questions that come up

Do I need to pay for an SSL certificate?

No. Let's Encrypt certificates are free and do the same encryption as paid ones. Browsers stopped displaying any visible difference for expensive certificates years ago, and Google doesn't rank paid certificates higher. If your host only offers paid SSL, that's a reason to use the free Cloudflare route, or a reason to change hosts at your next renewal.

I don't see a padlock in Chrome, even on big sites. Is something wrong?

No. Chrome retired the padlock icon in 2023 and replaced it with a small tune icon (two sliders). What matters now is what you don't see: no Not secure label and no privacy error page. If the address starts with https and there's no warning, you're set.

Will switching to https hurt my Google rankings?

The move helps you, since https has been a ranking signal since 2014. The redirect from step 2 passes along the value your old http pages earned. You might see positions move around briefly while Google recrawls the site, and that settles on its own.

My site suddenly shows 'Your connection is not private.' What happened?

Your certificate expired, almost every time because auto-renewal failed. On cPanel hosting, go to Security > SSL/TLS Status and click Run AutoSSL again, or contact your host's support chat and say your SSL certificate failed to renew. They deal with this daily and can usually fix it while you're on the chat.

Or skip the homework

Rather I just did this?

Fair. The audit shows where your site actually stands in about a minute, then you decide. No email required, no pressure, just the truth.