Even when an SSL certificate is installed on a domain, a WordPress site can still show as "not secure". This guide outlines the steps to follow to ensure a website shows as secured (green padlock in the address bar) when an SSL certificate is installed on the website's domain name.
Confirming the Error
- Log in to the cPanel account for the website experiencing this error
- Take a backup of the database before any changes are made to the site
- Confirm the current status for an SSL certificate on the account
- Locate the Security section and click the SSL/TLS Status icon
- Locate the appropriate domain/website
- If the domain is covered and secured by an SSL it will show a Green Lock
- If the domain is not covered by an SSL it will show a Red Lock
- To see more information about the domain's certificate, look to the right of the domain name; it will tell whether the domain is covered by a self-signed certificate, covered by AutoSSL, or something else
- Click on View Certificate to see the type of SSL
NOTE: Typically, self-signed certificates will not work on a domain and will show as insecure in a browser. AutoSSL is free and will auto-renew within cPanel automatically. To install AutoSSL, the domain must be pointing to the server via the A record and no current certificate should be installed. If a certificate is installed that is self-signed or expired, start by removing the certificate and then Enable/Run AutoSSL.
- If the domain is covered by a valid SSL and the site is still showing insecure, use whynopadlock.com to determine the cause for the issue
- This site will give information on the SSL as well as if the site is forcing the use of https:// or if there is mixed content on the site
TIP: Mixed content occurs when the site calls a URL (typically an image URL) that is stored in the database with http:// rather than https://. This will cause the entire site to display as not secure.
EXAMPLE:
- Reviewing the example above and the errors displayed, the following issues would need to be resolved to ensure the SSL was appearing as expected for this site:
TIP: Refresh the page on whynopadlock.com as you are resolving the displayed issues to ensure they're taking effect and no new issues appear.
- Force HTTPS
- Invalid Intermediate
NOTE: An invalid intermediate error typically means the certificate is self-signed, as self-signed certificates lack an intermediate certificate. This can be resolved by installing a certificate on the site that isn't self-signed, using any of the options below.
- Use AutoSSL to install a free certificate
- Purchase a dedicated SSL certificate
- Purchase a third-party SSL certificate
- Expiration Date
- Mixed Content
- Once any needed issues are resolved, the website should show as secured with a green padlock in the address bar
TIP: Purge the browser cache, or use an incognito/private window in the browser to view the site after changes are made.