WordPress Fix Guide

WordPress Site Not Secure After Installing SSL Fix – WebFixHQ

Expert fix — from $59
Response in 2 min
No fix, no charge

Is Your WordPress Site Not Secure After Installing SSL? Find Your Symptom.

You've installed an SSL certificate, but your WordPress site still displays a "Not Secure" warning, or the padlock icon is missing. This is a critical issue that drives visitors away and hurts your search rankings. We've seen and fixed every variant of this problem hundreds of times. Identify what you're seeing:

Browser shows "Not Secure" but the certificate appears valid.

This is almost always a WordPress Mixed Content Error After SSL Migration. Your site is loading some resources (images, scripts, CSS) over http:// instead of https://.

Browser shows "Your connection is not private" or NET::ERR_CERT_COMMON_NAME_INVALID.

This indicates a fundamental problem with your SSL certificate itself: it's expired, issued for the wrong domain, or improperly installed on the server.

Site redirects to http:// or gets stuck in a redirect loop.

Your WordPress configuration or server rules (like .htaccess) are forcing http://, or there's a conflict between multiple redirect rules.

ERR_SSL_PROTOCOL_ERROR or browser cannot connect securely.

This points to a server-side SSL configuration issue, where the web server (Apache/Nginx) isn't correctly handling the SSL handshake, or the certificate chain is broken.

The padlock is missing only on specific pages, like the login page.

Often a specific mixed content issue or a hardcoded http:// URL within a plugin, theme, or wp-config.php affecting only certain sections like the WordPress SSL error on login page.

Understanding The Root Causes When WordPress HTTPS Not Working Properly

When your WordPress site is still http:// instead of https:// despite having an SSL certificate, it's rarely a single, simple issue. Here are the core technical reasons we commonly find:

CAUSE 01

Mixed Content Loading

Your site's primary URL is https://, but some assets (images, CSS, JavaScript, fonts, iframes) are still being requested over http://. Browsers block or flag these insecure requests, leading to the "Not Secure" warning and a missing padlock. This is the most common reason for a WordPress Mixed Content Error After SSL Migration and why your wordpress padlock not showing after ssl.

Most common

CAUSE 02

Incorrect WordPress Address Settings

The WordPress Address (URL) or Site Address (URL) in your wp_options table (or General Settings in the admin area) are still set to http://. WordPress will then generate all internal links and asset URLs using http://, causing your site to force http instead of https, even if the server is configured for SSL.

CAUSE 03

Server-Level Redirect Conflicts or Missing Rules

Your .htaccess file (for Apache) or Nginx configuration might contain outdated http:// redirects, or lack the necessary rules to force all traffic to https://. This can result in a wordpress http to https redirect not working, or even an infinite redirect loop.

CAUSE 04

Invalid or Misconfigured SSL Certificate

The SSL certificate itself might be expired (wordpress ssl expired site down), issued for a different domain (wordpress ssl showing wrong domain certificate), or not correctly chained on the server. This leads to severe browser warnings like "your connection is not private error" or NET::ERR_CERT_COMMON_NAME_INVALID, indicating a wordpress ssl certificate error visitors seeing warning.

CAUSE 05

Hardcoded HTTP URLs in Theme/Plugin Code or wp-config.php

Some themes, plugins, or custom code might directly reference assets or URLs using http://, bypassing WordPress's URL settings. Similarly, wp-config.php might have WP_HOME or WP_SITEURL constants defined with http://, or FORCE_SSL_ADMIN is missing or misconfigured, causing a wordpress ssl error on login page.

Immediate Fix Steps for WordPress Site Not Secure After Installing SSL

Follow these steps in order to diagnose and resolve the "Not Secure" warning. Remember to back up your site before making any database or file changes.

1

Verify SSL Certificate Installation & Validity

WHERE to look: Use an online SSL checker tool (e.g., SSL Labs SSL Server Test) or inspect the certificate directly in your browser (click the "Not Secure" warning, then "Certificate").

WHAT to look for: Ensure the certificate is issued for your exact domain (including www if applicable), is not expired, and the full chain is correctly installed. Look for warnings like "Certificate Name Mismatch" or "Chain Issues". If you see ERR_SSL_PROTOCOL_ERROR, this is often the first place to check.

WHAT it means: If the certificate is invalid or misconfigured, no amount of WordPress-side fixing will help. This is a server-level issue that needs to be resolved with your hosting provider or by re-issuing/re-installing the certificate.

✓ 5-10 minutes. Critical first step.

2

Update WordPress Address in Database & wp-config.php

WHERE to look: First, check WordPress Admin > Settings > General. Ensure both "WordPress Address (URL)" and "Site Address (URL)" are set to https://yourdomain.com. If you can't access the admin or changes revert, look in your database (via phpMyAdmin or similar) in the wp_options table for siteurl and home. Also, check your wp-config.php file.

WHAT to look for: Any instance of http:// in these settings. In wp-config.php, look for lines like define('WP_HOME', 'http://yourdomain.com'); or define('WP_SITEURL', 'http://yourdomain.com');. Ensure define('FORCE_SSL_ADMIN', true); is also present and active.

WHAT it means: WordPress relies on these settings to generate URLs. If they're http://, your site will continue to serve content insecurely, causing wordpress ssl installed but site still http. Update them to https://. If defined in wp-config.php, they override database values.

// In wp-config.php, add or update these lines:
define('WP_HOME', 'https://yourdomain.com');
define('WP_SITEURL', 'https://yourdomain.com');
define('FORCE_SSL_ADMIN', true);

✓ 10-15 minutes. Always back up wp-config.php and your database first.

3

Implement .htaccess Redirect for HTTPS

WHERE to look: Connect via FTP/SFTP or your hosting file manager and open the .htaccess file in your WordPress root directory.

WHAT to look for: Existing redirect rules that might conflict or are missing. You need a rule that forces all http:// traffic to https://. Place this rule before the standard WordPress rewrite rules (# BEGIN WordPress).

WHAT it means: This ensures all incoming requests are immediately redirected to the secure version, preventing wordpress http to https redirect not working. If you're seeing wordpress forcing http instead of https, this file is a prime suspect.

# BEGIN Force HTTPS
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
</IfModule>
# END Force HTTPS

# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>
# END WordPress

✓ 5 minutes. Clear browser cache after updating. Incorrect rules can break your site; see WordPress Broken After Editing .htaccess for recovery.

4

Scan and Fix Mixed Content Issues

WHERE to look: Open your site in Chrome or Firefox, right-click, and select "Inspect" (or "Inspect Element"). Go to the "Console" tab. Look for warnings or errors indicating resources loaded over http://. These often say "Mixed Content: The page at 'https://...' was loaded over HTTPS, but requested an insecure resource 'http://...'."

WHAT to look for: Specific URLs (images, scripts, CSS files) that are still using http://. This is the classic symptom of a wordpress insecure content warning on chrome and why your wordpress padlock not showing after ssl.

WHAT it means: Even one insecure asset can break the padlock. You need to update these URLs in your database, theme files, or through a plugin. For a deep dive, refer to our dedicated guide: WordPress Mixed Content Error After SSL Migration.

✓ 15-30 minutes. Can be time-consuming depending on the number of insecure assets.

5

Perform a Database Search and Replace

WHERE to look: This is a database operation. Use a plugin like Better Search Replace, or WP-CLI if you have SSH access.

WHAT to look for: Instances of http://yourdomain.com that need to be replaced with https://yourdomain.com. It's crucial to replace the full domain, not just http:// with https://, to avoid issues with other domains.

WHAT it means: Many plugins and themes store absolute URLs in the database. A search and replace ensures all these references are updated, preventing persistent mixed content or redirect issues. This is often the final step to fully resolve wordpress https not working properly.

# Example using WP-CLI (replace with your actual domain)
wp search-replace 'http://yourdomain.com' 'https://yourdomain.com' --skip-columns=guid --dry-run

# Remove --dry-run after verifying the changes
wp search-replace 'http://yourdomain.com' 'https://yourdomain.com' --skip-columns=guid

✓ 10-20 minutes. ABSOLUTELY BACK UP YOUR DATABASE FIRST.

Our Process: How We Fix Your "Not Secure" WordPress Site

When you're losing customers because your WordPress site is not secure after installing SSL, you need more than generic advice. Our engineers follow a precise, battle-tested methodology to get your padlock back and ensure your site is fully secure:

  • Initial SSL Health Check: We begin with a comprehensive scan using tools like SSL Labs to verify your certificate's validity, chain integrity, and server configuration. This immediately flags issues like a wordpress ssl expired site down or a wordpress ssl showing wrong domain certificate.
  • Server Configuration Audit: We inspect your web server's (Apache/Nginx) configuration files, including .htaccess, to identify conflicting redirect rules or missing HTTPS enforcement. This addresses issues where wordpress http to https redirect not working or wordpress forcing http instead of https.
  • WordPress Core Settings & Database Review: We manually verify your WordPress Address and Site Address in wp_options and wp-config.php. Then, we perform a targeted database search for hardcoded http:// URLs that are causing mixed content.
  • Deep Mixed Content Scan: Beyond browser console checks, we use specialized tools and manual inspection to find every single insecure asset (images, scripts, CSS, fonts, iframes) across your theme, plugins, and content. This is crucial for resolving a WordPress Mixed Content Error After SSL Migration.
  • Plugin & Theme Conflict Analysis: Sometimes, a specific plugin or theme can hardcode URLs or interfere with SSL redirects. We systematically check for such conflicts, similar to how we approach issues like WordPress Broken After Plugin Installation.
  • Browser Cache & CDN Flush: After implementing fixes, we ensure all server, WordPress, CDN (if applicable), and browser caches are thoroughly flushed to guarantee you're seeing the live, secure version of your site.
  • Post-Fix Verification: We don't just fix it; we verify it. We re-test your site across multiple browsers and devices, ensuring the padlock is present on all pages and no wordpress insecure content warning on chrome persists.

Stop Losing Business – Get Your Padlock Back NOW

Our senior WordPress engineers will diagnose and fix your "Not Secure" SSL issue, ensuring your site is fully encrypted and trusted.

Fix My WordPress SSL Issue →

FAQ

Common questions

Why is my WordPress site still showing 'Not Secure' after I installed an SSL certificate?
The most common reason is a mixed content error, where your site loads some resources (like images or scripts) over insecure HTTP connections. Other causes include incorrect WordPress URL settings, conflicting server redirects in .htaccess, or an improperly installed/configured SSL certificate itself.
How quickly can WebFixHQ resolve my WordPress 'Not Secure' SSL issue?
We understand the urgency. For most standard 'Not Secure' issues, our engineers can diagnose and implement a fix within 1-3 hours of gaining access to your site. Complex cases involving server-side reconfigurations might take slightly longer, but we prioritize rapid resolution.
Can I fix the 'Not Secure' warning on my WordPress site myself?
Yes, if you have technical expertise with WordPress, server configurations, and database management. Our guide provides detailed steps. However, incorrect changes to .htaccess or the database can break your site, potentially leading to issues like a WordPress crashed after PHP update or a WordPress broken after editing functions.php. If you're unsure, professional help is safer.
What is the typical cost for WebFixHQ to fix a WordPress 'Not Secure' SSL problem?
Our pricing for emergency WordPress bug fixes, including 'Not Secure' SSL issues, is transparent and fixed. You pay a one-time fee for a complete resolution, with no hidden charges. This covers diagnosis, fixing the root cause, and post-fix verification.
My site shows 'Your connection is not private' or 'ERR_SSL_PROTOCOL_ERROR' – is this a WordPress issue or server issue?
These specific errors (your connection is not private error, ERR_SSL_PROTOCOL_ERROR, NET::ERR_CERT_COMMON_NAME_INVALID) almost always point to a server-level SSL certificate problem, not a WordPress configuration issue. This means the certificate might be expired, incorrectly installed, or not matching your domain, requiring attention from your hosting provider or a server-savvy engineer.