
How to handle a website marked by Google as “Not Secure”

Author: Don jiang

When your website is suddenly marked by Google with a “Not Secure” red flag, and visitors see warning popups on login and payment pages, over 63% of users will close the page directly—this means traffic loss and a crash in brand trust!

This article provides actionable fix solutions that can be implemented without professional development skills. Get your site back to a “Secure” state within 2 hours!


Why Your Website Gets Marked as “Not Secure”

Since 2018, Google has mandated that all pages with user input (such as login, payment, forms) must deploy SSL certificates, or they will be directly marked as insecure.

What’s even trickier is that even if you’ve already installed an SSL certificate, certificate expiration (e.g., free certificates not renewed after 3 months), domain mismatch (main site uses www domain but certificate is bound to non-www version), or even pages with mixed HTTP links for images or scripts (such as calling external ad code) will cause HTTPS to fail.

HTTP Protocol Equals “Birthday Suit” Data Transmission

An online store of a certain offline chain once had user registration information hijacked by hackers because HTTPS wasn’t enabled. The technical team found during review that attackers captured over 200 plaintext passwords in just 5 minutes using Wireshark tools over public WiFi.

Core Issues:

  • Under HTTP protocol, all data (passwords, payment information) is transmitted in plaintext
  • The probability of unencrypted page tampering is 3.6 times that of HTTPS (Source: 2024 Sucuri Security Report)
  • Google has reduced search ranking weight for HTTP pages by 15%-20% (SEMrush experimental data)

The “Fatal Details” of SSL Certificates

During a major e-commerce promotion in 2023, a clothing website had its SSL certificate expire, causing the payment page to be forcibly blocked by the browser, resulting in a direct loss of 370,000 yuan in orders.

  1. Certificate expiration: Free certificates (such as Let’s Encrypt) need renewal every 90 days, expiring directly if overdue
  2. Domain mismatch: Certificate bound to domain.com, but users accessing www.domain.com will still trigger warnings
  3. Missing intermediate certificate: Android devices are especially sensitive, which can cause “incomplete certificate chain” errors

Industry Status: Among websites that have deployed HTTPS, 43% still have certificate configuration errors (SSL Labs 2024 data)
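The three certificate failure modes above (expiry, domain mismatch, missing intermediate) all surface as a verification error when a client connects. The script below is an added example, not code from the original article: it performs the same verification a browser does using only the Python standard library, reports how many days remain before expiry, and translates the OpenSSL error text into one of the causes listed above. The hostnames passed on the command line and the 14-day warning threshold are assumptions.

```python
"""Diagnose a site's TLS certificate: expiry, domain mismatch, incomplete chain."""
import socket
import ssl
from datetime import datetime, timezone

# Fragments of OpenSSL's verification error text, mapped to the failure mode
# they indicate. Matching is case- and hyphen-insensitive because the wording
# changed between OpenSSL versions ("self signed" vs "self-signed").
FAILURE_MODES = {
    "certificate has expired": "expired certificate: renew it",
    "hostname mismatch": "domain mismatch: certificate was not issued for this name",
    "unable to get local issuer certificate": "incomplete chain: intermediate certificate missing on the server",
    "self signed certificate": "self-signed or untrusted issuer",
}


def classify_tls_error(message):
    """Translate an SSLCertVerificationError message into the likely cause."""
    normalised = message.lower().replace("-", " ")
    for needle, cause in FAILURE_MODES.items():
        if needle in normalised:
            return cause
    return "other verification failure: " + message


def _to_utc(value):
    """Accept a getpeercert() time string ('Mar 15 12:00:00 2025 GMT') or epoch seconds."""
    if isinstance(value, str):
        value = ssl.cert_time_to_seconds(value)
    return datetime.fromtimestamp(value, tz=timezone.utc)


def days_until_expiry(not_after, now=None):
    """Days left before the certificate's notAfter date; negative means already expired."""
    expires = _to_utc(not_after)
    current = _to_utc(now) if now is not None else datetime.now(timezone.utc)
    return (expires - current).days


def check_certificate(hostname, port=443, warn_days=14):
    """Perform browser-equivalent verification and summarise the result."""
    ctx = ssl.create_default_context()  # system CA store, hostname check enabled
    try:
        with socket.create_connection((hostname, port), timeout=10) as sock:
            with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
                cert = tls.getpeercert()
    except ssl.SSLCertVerificationError as e:
        return {"host": hostname, "ok": False, "cause": classify_tls_error(str(e))}
    except (OSError, ssl.SSLError) as e:
        return {"host": hostname, "ok": False, "cause": "connection failed: %s" % e}
    days = days_until_expiry(cert["notAfter"])
    # Both example.com and www.example.com should appear here, or one of them warns
    names = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    return {
        "host": hostname,
        "ok": True,
        "days_left": days,
        "renew_soon": days <= warn_days,  # Let's Encrypt certificates last only 90 days
        "names": names,
    }


if __name__ == "__main__":
    import sys
    for host in sys.argv[1:] or ["www.example.com"]:  # assumed hostname
        print(check_certificate(host))
```

Run it against both the www and non-www names of the site: a certificate that verifies for one but reports a domain mismatch for the other is exactly the second failure mode above.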

Mixed Content: “One Rotten Apple Spoils the Whole Barrel”

A WordPress site owner reported: “I clearly installed an SSL certificate, but the backend still shows insecure!” The final discovery was HTTP-linked images built into the theme polluting the entire page.

Common Scenarios:

  • Image external links in old articles (e.g., http://image.com/1.jpg)
  • Third-party plugins calling non-HTTPS interfaces (such as customer service popups, ad code)
  • HTTP links hardcoded in the database

Self-Check Tools:

  • In Chrome, press F12 → Console panel to view specific error files
  • Use SSL Checker to scan certificate completeness

Hidden Mine: Regional Network Hijacking

Some regional ISPs hijack HTTP traffic, forcibly inserting ads or redirecting links. For example, users of a certain Yunnan enterprise’s official website reported “gambling ads automatically popping up on the page,” which was actually caused by local ISP hijacking.

This issue triggers the browser’s security mechanism, causing users to mistakenly think it’s the website’s behavior, with complaint rates soaring by 280% (Source: Website Admin Home case library).

Quickly Apply for Free SSL Certificates (3 Channels)

“Setting up SSL means tinkering with the server? Too expensive?” — This is the misconception that causes 90% of small-to-medium site owners to give up fixing the “Not Secure” warning.

In fact, over 430 million websites worldwide have already used free SSL solutions (BuiltWith data), including Amazon, WordPress, and other major platforms’ sub-businesses.

The security of free certificates is completely identical to paid versions; only the verification method differs.

1. One-Click Installation from Hosting Control Panel (Best for Beginners)

Applicable Scenarios: Virtual hosting/cloud server users (such as Alibaba Cloud, Tencent Cloud, SiteGround)

Operation Steps:

  1. Log into the hosting provider’s backend and find the “SSL/TLS” or “Security” module
  2. Select “Free Certificate,” check the domains to encrypt (supports batch operations)
  3. Click “Deploy” and wait 3-5 minutes for automatic activation

Success Rate: 98% (domestic mainstream hosting providers have pre-installed compatible environments)

Advantages: Zero technical threshold, automatic renewal, nearly 0% failure rate

Pitfalls to Avoid:

  • Some hosting providers limit the number of free certificates (e.g., West.cn only gives 1)
  • Ensure domain DNS is already pointed to the current host IP

2. Let’s Encrypt + Certbot (Recommended for Developers)

Applicable Scenarios: Self-managed servers (such as Nginx/Apache), requiring multi-domain management

Real-World Case: A blog site with 100,000+ daily active users completed encryption for 100 subdomains in 3 minutes via command line

Operation Process:

bash
# Install Certbot (Ubuntu+Nginx example)
sudo apt-get update
sudo apt-get install certbot python3-certbot-nginx

# Apply for and auto-configure certificate (replace yourdomain.com)
sudo certbot --nginx -d yourdomain.com -d www.yourdomain.com

# Auto-renewal: the package installs a systemd timer/cron job for you;
# this dry run confirms renewal will succeed before the 90-day validity ends
sudo certbot renew --dry-run

Success Rate: 92% (depends on server environment configuration)

Common Error Solutions:

  • Failed to connect to host for DVSNI challenge → Check if firewall has ports 80/443 open
  • The server experienced an internal error → Domain DNS not propagated, wait for DNS refresh

3. CDN Service Provider Includes HTTPS (Traffic Acceleration + Encryption 2-in-1)

Applicable Platforms: Cloudflare, Baidu Cloud Acceleration, Tencent Cloud CDN

Operation Diagram (Cloudflare as example):

  1. Register an account, add your website domain
  2. On the “SSL/TLS” settings page, select “Flexible” mode (force full-site HTTPS). Note that Flexible encrypts only the visitor-to-Cloudflare leg; Cloudflare still fetches from your origin over plain HTTP, so once the origin has its own certificate, switch to “Full (strict)” to encrypt that leg as well
  3. Enable “Always Use HTTPS” and “Automatic HTTPS Rewrites”

Activation Time: Instant (global nodes already covered)

Core Advantages:

  • No need to install certificates on origin server, CDN edge nodes auto-encrypt
  • Compatible with old HTTP origin sites, perfectly solves mixed content issues
  • Free version supports wildcard certificates (*.domain.com)

Limitations of Free Certificates and Their Solutions

Constraint                          Impact Scope                                    Solution
Short validity period               Let’s Encrypt certificates last only 90 days    Configure auto-renewal (crontab scheduled task)
Domain ownership verification only  Company name not shown in address bar           Corporate websites can upgrade to OV certificates (starting at ¥300/year)
Single domain limitation            Some hosting providers limit binding quantity   Use wildcard certificates (*.domain.com)

Must-Check “Mixed Content” Issues

“I clearly installed an SSL certificate, why does it still show insecure?” — This is the biggest confusion for 78% of site owners after fixing HTTPS (Source: SSL Labs).

The root cause is “Mixed Content” contamination, like a drop of ink in a glass of clean water—the entire page’s encryption status gets compromised.

1. The Fatal Impact of Mixed Content

  • User trust collapse: Even if the website itself is secure, browsers will still display yellow triangle warnings (upgraded to red after Chrome 94)
  • Function failure: Some browsers will block HTTP resources (e.g., images fail to load, JS script errors)
  • SEO penalty: Google explicitly classifies mixed content pages as “partially secure”, with search rankings dropping by approximately 11%-15% (Ahrefs experimental data)

2. Locate the Root Problem in 3 Minutes

Method 1: Chrome Developer Tools

  1. Open the website, press F12 to enter developer tools
  2. Switch to the Console panel and view red error entries
  3. Click the link in the error message to directly jump to the Sources panel to locate the problem code

Method 2: Third-Party Scanning Tools

  • Why No Padlock: Enter URL, generate pollution resource list in 5 seconds
  • Jitbit SSL Check: Deep scan for CSS/JS embedded links

Method 3: Database Global Search

For WordPress/Shopify and other website builders, check historical content in the database:

sql
-- Find HTTP links (replace your_db_prefix with actual table prefix)
SELECT * FROM your_db_prefix_posts 
WHERE post_content LIKE '%http://%' AND post_status='publish';  

3. High-Frequency Pollution Sources and Fix Solutions

Problem Type          Percentage  Typical Scenario                                        Permanent Fix
Image external links  52%         Article images uploaded before 2018                     Download images → upload to your site’s CDN
Third-party code      23%         Customer service popups, ad network scripts             Contact vendor for the HTTPS version of the code
Themes/Plugins        17%         Font libraries in old themes, AJAX requests             Update plugins or manually replace http:// with //
Database hardcoded    8%          Manually inserted video links on product detail pages   Batch replace SQL data (plugins are safer)

4. Permanent Mixed Content Defense Strategy

  • Protocol-relative links: Change http://example.com/image.jpg to //example.com/image.jpg
  • Content Security Policy (CSP): Add to the Nginx/Apache configuration (Nginx form shown); the browser then upgrades any remaining http:// sub-resource requests to https:// itself:

nginx
add_header Content-Security-Policy "upgrade-insecure-requests";
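The Console panel and the online scanners above find mixed content one page at a time. As an added example (not code from the original article), the scanner below does the same check offline on saved HTML: it lists every http:// sub-resource with its tag and attribute, then applies the fix from section 4 by rewriting flagged URLs to https:// or to protocol-relative //... links. The sample page and its URLs are constructed, and only the Python standard library is used.

```python
"""Scan an HTML page for mixed content and rewrite the offending URLs."""
import re
from html.parser import HTMLParser

# Attributes that make the browser fetch a sub-resource. An http:// value in
# any of these on an https:// page is mixed content. <a href> is navigation,
# not a sub-resource, so it is deliberately not listed. <link href> is flagged
# whatever its rel (stylesheet, icon and preload all fetch); a canonical link
# would be a harmless false positive.
RESOURCE_ATTRS = {
    "img": ("src", "srcset"),
    "script": ("src",),
    "link": ("href",),
    "iframe": ("src",),
    "audio": ("src",),
    "video": ("src", "poster"),
    "source": ("src", "srcset"),
    "object": ("data",),
}
# Stops at whitespace, quotes, commas (srcset lists) and ")" (CSS url()).
HTTP_URL = re.compile(r"""http://[^\s'",)]+""", re.IGNORECASE)


class MixedContentScanner(HTMLParser):
    """Collect every http:// sub-resource as (line, tag, attribute, url)."""

    def __init__(self):
        super().__init__()
        self.findings = []
        self._in_style = False

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        line = self.getpos()[0]
        for attr in RESOURCE_ATTRS.get(tag, ()):
            for url in HTTP_URL.findall(attrs.get(attr) or ""):
                self.findings.append((line, tag, attr, url))
        # url(http://...) inside an inline style attribute
        for url in HTTP_URL.findall(attrs.get("style") or ""):
            self.findings.append((line, tag, "style", url))
        self._in_style = tag == "style"

    def handle_endtag(self, tag):
        if tag == "style":
            self._in_style = False

    def handle_data(self, data):
        # CSS inside <style> blocks: background images, @font-face sources, @import
        if self._in_style:
            line = self.getpos()[0]
            for url in HTTP_URL.findall(data):
                self.findings.append((line, "style", "css", url))


def find_mixed_content(html):
    scanner = MixedContentScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings


def fix_mixed_content(html, scheme="https"):
    """Rewrite every flagged URL: scheme="https" gives https://..., scheme=""
    gives protocol-relative //... links. A flagged URL is replaced everywhere
    it occurs in the page."""
    prefix = (scheme + ":" if scheme else "") + "//"
    for _, _, _, url in find_mixed_content(html):
        html = html.replace(url, prefix + url[len("http://"):])
    return html


# Constructed sample page mixing secure and insecure resources
SAMPLE_PAGE = """<!doctype html>
<html><head>
<link rel="stylesheet" href="http://cdn.example.net/theme.css">
<style>body { background: url(http://cdn.example.net/bg.png); }</style>
</head><body>
<img src="http://image.com/1.jpg" alt="image from a 2017 article">
<script src="https://static.example.net/app.js"></script>
<script src="http://ads.example.org/ad.js"></script>
<a href="http://partner.example.org/">Partner site</a>
<div style="background-image:url('http://cdn.example.net/hero.jpg')"></div>
</body></html>
"""

if __name__ == "__main__":
    for line, tag, attr, url in find_mixed_content(SAMPLE_PAGE):
        print("line %d: <%s %s> loads %s" % (line, tag, attr, url))
    print(fix_mixed_content(SAMPLE_PAGE, scheme=""))
```

Rewriting to https:// only helps if the third-party host actually serves the resource over HTTPS, which is why the table above says to contact the vendor for third-party code; for your own images the safer permanent fix remains re-hosting them on your site.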

Force Full-Site Redirect to HTTPS (Code Examples)

“Why did I install a certificate, but users can still access the HTTP version?” — This is the most fatal vulnerability after mixed content fixes.

A mother-and-baby e-commerce site once failed to configure forced redirects, causing 40% of mobile users to still access HTTP pages via old links, triggering Google’s duplicate crawling and search rankings plummeting by 30%.

The core logic of forced redirects is: intercept all HTTP requests and use 301 status code for permanent redirect to HTTPS.

1. Universal Code Templates (Compatible with Apache/Nginx/IIS)

Apache Server (.htaccess file)

apache
RewriteEngine On
# Non-www hosts (HTTP or HTTPS) go straight to https://www. in a single hop,
# so the two rules never chain one redirect onto another
RewriteCond %{HTTP_HOST} !^www\. [NC]
RewriteRule ^(.*)$ https://www.%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
# Remaining HTTP requests (already www) → HTTPS
RewriteCond %{HTTPS} !=on
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

Applicable Scenarios: Virtual hosting, WordPress, Joomla, and other PHP sites
Pitfall Guide:

  • Ensure the server has the mod_rewrite module enabled
  • File needs to be uploaded to website root directory
  • If redirect fails, check for multiple .htaccess file conflicts

Nginx Server (nginx.conf configuration block)

nginx
server {
    listen 80;
    server_name example.com www.example.com;
    # Block HTTP sensitive operations. This must come before "return":
    # rewrite-phase directives run in order and "return" ends processing.
    # 444 closes the connection without sending a response.
    if ($request_method !~ ^(GET|HEAD|POST)$ ) {
        return 444;
    }
    # 301 full-site redirect; $host keeps whichever name the visitor used
    # ($server_name would always be the first name, example.com)
    return 301 https://$host$request_uri;
}

Debugging Tips:

  • After modifications, run nginx -t to test configuration syntax
  • Reload config: nginx -s reload
  • Block non-essential HTTP methods to prevent data leakage

Windows IIS Server (web.config rules)

xml
<configuration>  
  <system.webServer>  
    <rewrite>  
      <rules>  
        <rule name="Force HTTPS" stopProcessing="true">  
          <match url="(.*)" />  
          <conditions>  
            <add input="{HTTPS}" pattern="^OFF$" />  
          </conditions>  
          <action type="Redirect" url="https://{HTTP_HOST}/{R:1}" redirectType="Permanent" />  
        </rule>  
      </rules>  
    </rewrite>  
  </system.webServer>  
</configuration>  

Common Errors:

  • IIS hasn’t installed “URL Rewrite” module → Official download link
  • Chinese path encoding errors → Add encode="false" in the rule

2. CMS System-Specific Solutions

WordPress Users

  1. Log into backend → Settings → General
  2. Change WordPress Address and Site Address from http:// to https://
  3. Install the plugin Really Simple SSL → One-click fix for mixed content in database

Shopify/Laravel and Other Frameworks
Force HTTPS in the environment variable file (.env):

bash
APP_URL=https://www.example.com  
FORCE_SSL=true  
SESSION_SECURE_COOKIE=true  

3. Special Mobile Handling (AMP/WeChat Browser)

  • AMP page redirect: Add <meta http-equiv="refresh" content="0; url=https://new-link"> in AMP HTML
  • WeChat caching issues: Add random parameters to URLs, such as ?v=2024, to force refresh HTTPS version

4. Self-Test if Redirect is Working

Browser Testing:

  • Visit http://example.com → Address bar should automatically change to https://
  • Check if the padlock icon after redirect is green

Command Line Verification:

bash
curl -I http://example.com  
# Correct response should include:  
# HTTP/1.1 301 Moved Permanently  
# Location: https://example.com  

Online Tool Detection:

  1. Redirect Checker
  2. Varvy SSL Test

Error Warnings:

Wrong configuration → Infinite redirect loop (ERR_TOO_MANY_REDIRECTS)

Common causes:

  1. CDN also has HTTPS redirect enabled (conflicts with server rules)
  2. Load balancer not correctly passing protocol headers

Solution: add to the Nginx configuration:

nginx
proxy_set_header X-Forwarded-Proto $scheme;

SEO-Friendly Redirect Principles:

  • Use 301 redirects (permanent redirect) across the entire site—100% link equity preserved
  • Avoid chained redirects (e.g., http:// → http://www → https), maximum 1 redirect allowed
  • Submit HTTPS version sitemap in Google Search Console
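The curl command above shows one hop; what Google and browsers actually experience is the whole chain. The checker below is an added example, not code from the original article: it follows redirects one hop at a time without letting the HTTP library auto-follow, then grades the chain against the principles just listed (exactly one 301, ending on https://, no loop such as the X-Forwarded-Proto case above). The fetch function is injectable so the checker can be exercised offline against the constructed response tables; the default fetch_head using urllib is how you would point it at a real site.

```python
"""Walk an HTTP → HTTPS redirect chain hop by hop and grade it."""
import urllib.request
from urllib.error import HTTPError
from urllib.parse import urljoin, urlsplit


class NoRedirect(urllib.request.HTTPRedirectHandler):
    """Stop urllib from following redirects so every hop is visible to us."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def fetch_head(url, timeout=10):
    """Return (status, Location header) for one request, never following it."""
    opener = urllib.request.build_opener(NoRedirect)
    req = urllib.request.Request(url, method="HEAD")
    try:
        with opener.open(req, timeout=timeout) as resp:
            return resp.status, resp.headers.get("Location")
    except HTTPError as e:  # urllib raises for 3xx once redirects are disabled
        return e.code, e.headers.get("Location")


def check_redirect(start_url, fetch=fetch_head, max_hops=10):
    """Follow the chain from start_url and report what a browser or crawler sees."""
    hops = []                 # (url, status, location) for every request made
    seen = {start_url}
    url = start_url
    while True:
        status, location = fetch(url)
        hops.append((url, status, location))
        if status not in (301, 302, 307, 308) or not location:
            break
        next_url = urljoin(url, location)
        if next_url in seen or len(hops) >= max_hops:
            return {"start": start_url, "final": None, "hops": hops, "ok": False,
                    "problems": ["redirect loop (browsers show ERR_TOO_MANY_REDIRECTS)"]}
        seen.add(next_url)
        url = next_url

    redirects = hops[:-1]
    final_url = hops[-1][0]
    problems = []
    if urlsplit(final_url).scheme != "https":
        problems.append("final URL is still http://")
    if len(redirects) > 1:
        problems.append("%d chained redirects; collapse them into one hop" % len(redirects))
    if any(status != 301 for _, status, _ in redirects):
        problems.append("non-301 redirect in chain; use 301 so link equity is preserved")
    return {"start": start_url, "final": final_url, "hops": hops,
            "ok": not problems, "problems": problems}


# Constructed response tables for offline demonstration: url -> (status, Location)
GOOD_SITE = {
    "http://example.com/": (301, "https://www.example.com/"),
    "https://www.example.com/": (200, None),
}
CHAINED_SITE = {  # http -> https -> https://www, the chain the principles warn about
    "http://example.com/": (301, "https://example.com/"),
    "https://example.com/": (301, "https://www.example.com/"),
    "https://www.example.com/": (200, None),
}
LOOPING_SITE = {  # origin behind a CDN that never sees X-Forwarded-Proto
    "http://example.com/": (301, "https://example.com/"),
    "https://example.com/": (301, "http://example.com/"),
}


def fake_fetch(site):
    """Build a fetch function that answers from a constructed response table."""
    return lambda url: site[url]


if __name__ == "__main__":
    import sys
    if sys.argv[1:]:
        for url in sys.argv[1:]:
            print(check_redirect(url))
    else:
        for name, site in (("good", GOOD_SITE), ("chained", CHAINED_SITE), ("looping", LOOPING_SITE)):
            print(name, check_redirect("http://example.com/", fetch=fake_fetch(site)))
```

Test both the www and non-www entry points, and an old deep link rather than only the home page: the Apache rules above are written so each of those reaches its final https://www. URL in one hop, and this checker confirms that on the live site.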

Since 2018, Google has progressively included HTTPS as a search ranking factor. Unencrypted websites’ traffic averages a 12%-15% annual loss, and this loss rate continues to accelerate as user security awareness improves.
