How to Fix Not Secure Warning on Contractor Website

Overview

The “Not Secure” warning appears in the browser address bar when a page is loaded over HTTP instead of HTTPS, or when an HTTPS page loads resources (images, scripts, stylesheets) over HTTP — a condition called mixed content. For a contractor website, this warning signals to every potential customer that the site is unsafe before they read a single word. Most will leave immediately.

Types of Not Secure Warnings

1. Full HTTP (no SSL at all): The site URL begins with http:// and no SSL certificate is installed. The entire site is unencrypted.

2. Mixed content: The site loads over HTTPS but some resources (images, scripts, iframes) are referenced with http:// URLs in the HTML. The padlock icon shows a warning triangle instead of a clean lock.

3. Expired certificate: The SSL certificate has passed its validity date. Browsers display a full-screen error page.

4. Certificate issued for wrong domain: The certificate was issued for example.com but the site is accessed as www.example.com (or vice versa), causing a mismatch error.

Common Causes

  • SSL certificate never installed on the hosting account
  • SSL installed but HTTP-to-HTTPS redirect not configured
  • WordPress site URL settings still reference http:// after migrating to HTTPS
  • hardcoded http:// URLs in theme files, custom CSS, or the database
  • embedded third-party content (maps, videos, forms) loaded over HTTP
  • certificate expired or issued for the wrong domain variant

How It Is Diagnosed

  • check the browser address bar — “Not Secure” vs. warning padlock vs. clean padlock
  • open browser developer tools → Console tab — mixed content warnings list each insecure resource
  • use an SSL checker tool to verify certificate validity, expiry, and domain match
  • in WordPress, check Settings → General for http:// in the site URL fields
  • use a tool like WhyNoPadlock to scan all resources on a page for mixed content
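
The mixed-content check described above can also be run offline against a page's HTML. The script below is an added example (not from the original page or from any of the tools named): it lists every subresource still referenced with http://, while ignoring plain links and canonical tags, which do not cause the warning. The sample HTML, the maps.example and partner.example hosts, and all function names are constructed for the illustration.

```python
import re
from html.parser import HTMLParser

# Attributes that make the browser fetch a subresource, per tag.
FETCH_ATTRS = {
    "img": ("src", "srcset"), "script": ("src",), "iframe": ("src",),
    "source": ("src", "srcset"), "video": ("src", "poster"),
    "audio": ("src",), "embed": ("src",), "object": ("data",),
}
# <link> only fetches for these rel values; rel="canonical" is just metadata.
FETCHING_RELS = {"stylesheet", "icon", "preload"}
# http:// at the start of a value, or after a space/comma/quote/paren
# (srcset lists, CSS url(...)); not when embedded in a query string.
HTTP_URL = re.compile(r"(?:^|(?<=[\s,('\"]))http://[^\s,\"')]+", re.IGNORECASE)

class MixedContentScanner(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []  # (line number, tag, attribute, url)

    def handle_starttag(self, tag, attrs):
        attrs = {k: v or "" for k, v in attrs}
        names = list(FETCH_ATTRS.get(tag, ()))
        if tag == "link" and FETCHING_RELS & set(attrs.get("rel", "").lower().split()):
            names.append("href")
        names.append("style")  # inline CSS url(http://...) on any element
        for name in names:
            for url in HTTP_URL.findall(attrs.get(name, "")):
                self.findings.append((self.getpos()[0], tag, name, url))

def find_mixed_content(html):
    scanner = MixedContentScanner()
    scanner.feed(html)
    return scanner.findings

# Constructed sample page, as it would be served from https://yourdomain.com
SAMPLE = """<html><head>
<link rel="canonical" href="http://yourdomain.com/">
<link rel="stylesheet" href="http://yourdomain.com/wp-content/themes/x/style.css">
<script src="https://yourdomain.com/app.js"></script>
</head><body style="background: url('http://yourdomain.com/bg.jpg')">
<a href="http://partner.example/">Partner</a>
<img src="/logo.png" srcset="http://yourdomain.com/logo-2x.png 2x">
<iframe src="http://maps.example/embed?q=roofing"></iframe>
</body></html>"""

if __name__ == "__main__":
    for line, tag, attr, url in find_mixed_content(SAMPLE):
        print(f"line {line}: <{tag} {attr}> loads {url}")
```

Each finding names the tag and attribute to correct, which separates URLs stored in the database from those hardcoded in theme files or third-party embeds.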

Typical Fix

If no SSL is installed:

  1. Install a free Let’s Encrypt certificate via the hosting control panel
  2. Configure the server to redirect all HTTP traffic to HTTPS (via .htaccess or server config)
  3. Update WordPress site URL settings to https://

If mixed content is the issue:

  1. In WordPress, run a search-replace on the database: replace http://yourdomain.com with https://yourdomain.com using a plugin like Better Search Replace
  2. Update hardcoded URLs in theme files and custom CSS
  3. Replace any third-party embeds that use HTTP endpoints with HTTPS equivalents

If the certificate does not match the domain: reissue the certificate to cover both the root domain and the www subdomain (a SAN or wildcard certificate).

Technical Website Support

A Not Secure warning on a contractor website is a credibility problem that costs leads every day it remains unfixed. The cause is almost always a configuration issue — not a fundamental site problem — and can typically be resolved in under a day.