Why Does My WordPress Site Say Not Secure?

Are you puzzled by the “Not Secure” warning on your WordPress site? This common issue often boils down to problems related to Secure Sockets Layer (SSL) certificates. SSL certificates are essential for encrypting data transmitted to and from your site, thus converting your website from the standard HTTP to the more secure HTTPS protocol. Let’s explore the common reasons for this warning and how to address them.

Common Causes and Solutions for “Not Secure” Warning

SSL Certificate Issues

  • The Problem: The most frequent cause of a “Not Secure” warning is the lack of an SSL certificate or having an expired or improperly configured one.
  • The Solution: Ensure you have a valid SSL certificate installed. Free SSL certificates are available through most web hosting providers, or you can purchase one from trusted providers like Symantec, GlobalSign, or Comodo.

WordPRess dashboard showing a plugin

Mixed Content Issues

  • The Problem: Your site might be loading both HTTP and HTTPS content, known as mixed content. This occurs even if your site has an SSL certificate, but some elements (like images or scripts) are still loaded over HTTP.
  • The Solution: Identify and resolve these mixed content issues. This can be done manually or by using a plugin.

Enforcing HTTPS

  • The Problem: Even after installing an SSL certificate, your site might not automatically redirect to HTTPS.
  • The Solution: Enforce HTTPS by editing the wp-config.php and .htaccess files or using plugins like Really Simple SSL to automate this process.

Updating WordPress and Plugins

  • The Problem: Outdated WordPress software and plugins can lead to security vulnerabilities.
  • The Solution: Regularly update your WordPress version and all plugins to minimize security risks.

Security Plugin Installation

  • The Solution: Enhance your site’s security by installing plugins like Wordfence, Sucuri, or iThemes Security.

Changing Login Page URL and Using Captchas

  • The Solution: To prevent brute-force attacks, change your WordPress login page URL and install a captcha on your login page.

From my personal experience, I’ve found that the plugin WP Captcha stands out as the best solution for this purpose.

WP Captcha, which I discovered at getwpcaptcha.com, offers a comprehensive and user-friendly approach to securing WordPress sites. What I particularly appreciate about this plugin is its diverse range of Captcha types. It includes options like Google reCaptcha v2 and v3, hCaptcha, Cloudflare Turnstile, and a simpler built-in Captcha. This flexibility allows you to tailor the security level to your site’s specific needs. Additionally, these Captchas are GDPR compatible, which is a significant advantage for sites with European users.

Another aspect of WP Captcha that I found impressive during my use was its advanced firewall. This feature operates at the server level, providing an additional layer of protection against various threats like malicious requests and bad bots. This is particularly beneficial for sites handling sensitive data and those looking to migrate from HTTP to HTTPS, as it helps maintain the integrity of SSL certificates. However, I did notice a slight drawback – WP Captcha can slightly slow down your site, but this is also not a problem if you know how to optimize your site. I would still recommend it over all other plugins that I’ve tried.

WP Captcha

Two-Factor Authentication

  • The Solution: Implement two-factor authentication for an additional security layer on your WordPress site.

Regular Backups

  • The Solution: Conduct regular backups of your WordPress site to safeguard against data loss or security breaches.

Browser Cache

  • The Problem: Persistent “Not Secure” warnings even after making necessary changes.
  • The Solution: Clear your browser cache and advise your users to do the same.

Informing Google

  • The Solution: If you’ve switched from HTTP to HTTPS, update your site’s URL in Google Analytics and Google Search Console.


Addressing the “Not Secure” warning on your WordPress site involves a combination of ensuring proper SSL certification, managing mixed content, and implementing robust security measures. Regular updates, monitoring, and adherence to best security practices are vital to maintaining your site’s integrity. By tackling these issues, you can enhance your WordPress site’s security and reassure your visitors that their data is protected.

Leave a Comment