Why Does My Website Say "Not Secure"? (And How to Fix It)

Short answer

Your website shows "Not Secure" because the browser couldn't verify a valid HTTPS connection. In almost every case it's one of a few things: there's no SSL certificate, the certificate has expired, the certificate doesn't match your domain, or the page loads some content over insecure http:// ("mixed content"). All of them are fixable, usually for free, in under an hour.

If Chrome, Safari, or Edge shows "Not Secure" in the address bar next to your website, it's not a virus and your site probably isn't hacked. It's a trust warning — the browser is telling visitors it couldn't confirm the connection to your site is encrypted. Since 2018, Google Chrome has flagged every page that isn't served over HTTPS this way, so a huge number of small-business sites trip the warning without their owners ever touching anything.

What "Not Secure" actually means

When you visit a website, your browser and the site's server have to agree to encrypt the connection so no one in between can read what's sent. That encryption is set up with TLS, and it depends on the site's SSL/TLS certificate, which lets the browser confirm the server really belongs to your domain (it's the thing that turns http:// into https:// and shows a padlock). "Not Secure" simply means that handshake didn't happen, or didn't happen completely.

~1 in 3: Across the local small-business websites we scan, a large share still fail this basic HTTPS check. It is the single most common issue we find, and the easiest to fix.

The 4 reasons it happens

1. No SSL certificate at all. The site was set up over plain http:// and a certificate was never installed. Common on older sites and cheap hosting.

2. The certificate expired. Certificates have an expiry date (often 90 days for free ones) and are supposed to auto-renew. When auto-renewal silently fails, the site flips to "Not Secure" overnight.

3. The certificate doesn't match your domain. The site has a certificate, but it was issued for a different address — a classic case is a cert that covers www.yoursite.com but not the bare yoursite.com, or a leftover certificate from your hosting company. A browser won’t trust a certificate that doesn’t match the address in the bar, so it warns every visitor.

4. Mixed content. The most confusing one: you do have a valid certificate, but the page still loads an image, script, or font over insecure http://. The browser flags the whole page until every resource loads securely. This is why a site can say "Not Secure" right after you "installed SSL."

How to check which one it is

You don't need to guess. Paste your address into our free scanner — it tells you in plain English whether your certificate is missing, expired, or valid (so you know if it's a mixed-content problem instead), with no signup.

How to fix it

  1. Confirm what's wrong. Run the scan above so you know whether it's a missing cert, an expired cert, or mixed content. The fix differs for each.
  2. Install or renew the SSL certificate. Most hosts offer a free Let's Encrypt certificate; turn it on in your hosting panel, or ask your host to enable it. You should never pay just to be secure.
  3. Force HTTPS. Redirect all http:// traffic to https:// so visitors always land on the encrypted version of every page.
  4. Fix mixed content. Update any images, scripts, or links still pointing at http:// to https://. On WordPress a search-and-replace handles most of it.
  5. Re-check. Open your site in a fresh tab. The padlock should be closed and the "Not Secure" label gone.
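
The Python script below is an added example, not the scanner this page refers to or any code from its authors. It separates the certificate causes (expired, wrong domain, no HTTPS) from mixed content; the function names and the sample HTML are constructed for illustration, and the mixed-content check only reads HTML attributes, not URLs referenced inside CSS or JavaScript.

```python
import socket
import ssl
from html.parser import HTMLParser

# OpenSSL verify codes: 10 = certificate has expired, 62 = hostname mismatch.
CERT_REASONS = {10: "certificate expired", 62: "certificate does not match domain"}

def explain_cert_error(code, message=""):
    return CERT_REASONS.get(code, "certificate not trusted: " + message)

def diagnose_certificate(host, port=443, timeout=5.0):
    """Try a verified TLS handshake with host (needs network access)."""
    ctx = ssl.create_default_context()  # checks chain, expiry and hostname
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host):
                return "certificate valid"
    except ssl.SSLCertVerificationError as err:
        return explain_cert_error(err.verify_code, err.verify_message)
    except OSError as err:  # refused, timed out, or not speaking TLS
        return f"no working HTTPS on port {port}: {err}"

class _SubresourceParser(HTMLParser):
    """Collects fetched URLs (src, srcset, stylesheet href), not <a> links."""
    def __init__(self):
        super().__init__()
        self.urls = []
    def handle_starttag(self, tag, attrs):
        a = {k: v for k, v in attrs if v}
        found = [a.get("src")]
        if tag == "link" and "stylesheet" in a.get("rel", "").lower():
            found.append(a.get("href"))
        found += [p.split()[0] for p in a.get("srcset", "").split(",") if p.strip()]
        self.urls += [(tag, u.strip()) for u in found if u]

def find_mixed_content(html):
    """Return (tag, url) pairs for resources loaded over plain http://."""
    parser = _SubresourceParser()
    parser.feed(html)
    return [(t, u) for t, u in parser.urls if u.lower().startswith("http://")]

# Constructed sample page (yoursite.com is the article's placeholder domain).
SAMPLE_HTML = """<html><head>
<link rel="stylesheet" href="http://yoursite.com/style.css">
<script src="https://yoursite.com/app.js"></script></head><body>
<img src="HTTP://yoursite.com/logo.png"> <a href="http://example.com/">partner</a>
</body></html>"""

if __name__ == "__main__":
    print(find_mixed_content(SAMPLE_HTML))
```

Call `diagnose_certificate` with your own domain first; if it reports a valid certificate and the warning persists, pass the page's HTML to `find_mixed_content`.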

If your host won't enable a free certificate, or the mixed-content hunt turns into a rabbit hole, that's exactly the kind of thing we fix — the first fix is free.

Sources

  • Google Chrome — marking HTTP sites as "Not Secure" (Chrome Security Blog)
  • Let's Encrypt — free, automated SSL/TLS certificates (letsencrypt.org)
  • Google web.dev — fixing mixed content (web.dev)
