Have you been wondering why your website is not secure? Are you losing sales and leads as a result of an unsecured site? In this article, I will help you understand site security and provide guidance towards fixing this problem.
Having a fully secured website is critical to your business reputation. GlobalSign conducted a study that found up to 84% of users would abandon a purchase on an unsecured connection.
So, your browser is reporting that your website is not secure, or someone has notified you of this problem, and now you need to find out why and, more importantly, how you can quickly fix it.
An unsecured site results in a major hit to your website’s conversion rate. You simply cannot let this problem persist when fixing it is often very simple and inexpensive.
I will go over common reasons your site might be unsecured even with an SSL certificate installed. And I will show you how to quickly find and fix these issues.
If your site does not have an SSL certificate installed on the server, then none of the information below will apply to you yet: you simply need to head to your web hosting provider and purchase an SSL certificate. You can ask your host to install it or get an expert to do it.
If the site is still not secured after installing a cert, bookmark this page, and come back to get the details on why and how to fix it easily.
Common reasons your website is not secure
Is the SSL certificate valid?
Your SSL certificate may not be valid. This can happen when a certificate expires, is revoked, or is not issued by a trusted institution. It may also be installed incorrectly.
Does the site load from HTTPS?
A site secured with an SSL certificate should load from HTTPS rather than HTTP. This means data will be transported over a secure layer between the server and the user’s device. HTTP, by contrast, is a normal unsecured connection.
Are your images and videos linked securely?
Just using HTTPS is not enough to secure everything on a website. Objects such as images incur additional calls to the server. While the main site’s HTML might be transferred securely, these additional calls require the URL structure to also start with HTTPS.
If your site is coded correctly, and only uses local resources (meaning resources on its own server), then this should not be a problem. And you will not have to worry about a per-object linking issue.
Are other critical resources linked securely?
Just like images, other resources such as scripts and stylesheets also need to use HTTPS at the start of their URLs to make them secure.
Does the site load external 3rd party resources securely?
You might get frustrated with this part. Besides images and other objects that your site must load, it is most likely pulling files from other servers, such as Google Analytics, jQuery, and many others.
Each of these must be set up to load from HTTPS, which calls those resources securely over an encrypted connection.
These are the most common reasons browsers report a site as not secure. But how do you find and isolate these issues – where do you look to uncover all these security problems?
How to find specific reasons your website is not secure
How to check if your site loads from a secure URL
Check the address bar when viewing your website. Click into the address bar to reveal the full URL or copy it to a text pad. Look at the first 5 letters – does it say HTTPS?
If it does not, then your site is not secure. I will show you how to fix this issue shortly.
How to inspect a website’s SSL certificate
Next, you need to verify the SSL certificate of your website is valid. To do this you will have to look at the address bar again. To the left of the URL is a lock, a broken lock, or a crossed-out lock.
In short, if the lock is broken or crossed out, then the SSL certificate is not valid or not installed at all.
Click on the lock. This will provide additional details and controls. Although a little cryptic, you can use this information to see an expiration date, issuing organization, and other useful information.
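The same inspection can be scripted. The following is an added example, not part of the original article: it connects the way a browser would, reports the validation failure if there is one, and otherwise returns the issuing organization and the days left before expiry. The function names and the sample certificate are constructed for illustration.

```python
import socket
import ssl
import time


def days_until_expiry(cert, now=None):
    """Whole days until the certificate's notAfter date (negative = expired).

    `cert` is the dict returned by SSLSocket.getpeercert().
    """
    now = time.time() if now is None else now
    return int((ssl.cert_time_to_seconds(cert["notAfter"]) - now) // 86400)


def inspect_site(host, port=443, timeout=5):
    """Connect like a browser and report why validation fails, if it does."""
    context = ssl.create_default_context()  # checks trust chain, dates, hostname
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with context.wrap_socket(sock, server_hostname=host) as tls:
                cert = tls.getpeercert()
    except ssl.SSLCertVerificationError as err:
        return {"valid": False, "reason": err.verify_message}
    except OSError as err:  # no TLS on the port, DNS failure, timeout...
        return {"valid": False, "reason": str(err)}
    issuer = dict(pair[0] for pair in cert["issuer"])
    return {
        "valid": True,
        "issuer": issuer.get("organizationName"),
        "expires": cert["notAfter"],
        "days_left": days_until_expiry(cert),
    }


# Constructed certificate dict in getpeercert() format, for an offline demo.
SAMPLE_CERT = {
    "issuer": ((("organizationName", "Example CA"),),),
    "notAfter": "Jan 31 00:00:00 2030 GMT",
}

if __name__ == "__main__":
    today = ssl.cert_time_to_seconds("Jan 10 00:00:00 2030 GMT")
    print(days_until_expiry(SAMPLE_CERT, now=today))
    # print(inspect_site("example.com"))  # live check; needs network access
```

Python's default context does not check revocation, so a revoked certificate can still pass this check.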
How to find unsecured resources on your website
The fastest way to find unsecured resources on your site is to view the site information. On a PC you can do this by pressing Ctrl + I, or by clicking Tools then Page Info from the browser menu.
Then navigate to the Media tab. There you will find a list of resources (images, scripts, stylesheets) that the page loads. You can quickly tell whether each object is secure based on whether its URL uses HTTP or HTTPS.
These methods are the easiest ways to uncover the specific reasons your site is not reported as secure. There are other tools you can also use, like Google’s Lighthouse, that can automatically scan your site and provide a report about security issues on the site.
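For a page with many resources, the same check can be run over the HTML source. The following is an added example, not part of the original article: it lists every image, script, stylesheet or other fetched resource whose URL starts with http://, while ignoring ordinary links and relative URLs. The sample page and its example.com / example.net hosts are constructed.

```python
from html.parser import HTMLParser

# Attributes that make the browser fetch a subresource (not plain <a> links).
FETCH_ATTRS = ("src", "poster", "data")
# <link> only fetches for these rel values; rel="canonical" etc. is metadata.
FETCH_RELS = {"stylesheet", "icon", "preload", "modulepreload"}


class InsecureResourceFinder(HTMLParser):
    """Collects (line, tag, attribute, url) for resources loaded over http://."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        candidates = [(name, attrs.get(name)) for name in FETCH_ATTRS]
        if tag == "link":
            rels = set((attrs.get("rel") or "").lower().split())
            if rels & FETCH_RELS:
                candidates.append(("href", attrs.get("href")))
        line = self.getpos()[0]
        for name, url in candidates:
            # Relative and protocol-relative (//host/...) URLs inherit the
            # page's scheme, so only an explicit http:// is a problem.
            if url and url.strip().lower().startswith("http://"):
                self.findings.append((line, tag, name, url.strip()))


def find_insecure_resources(html):
    finder = InsecureResourceFinder()
    finder.feed(html)
    finder.close()
    return finder.findings


# Constructed sample page (hypothetical example.com / example.net hosts).
SAMPLE_PAGE = """<html><head>
<link rel="stylesheet" href="http://example.com/theme.css">
<script src="https://cdn.example.net/analytics.js"></script>
<script src="http://cdn.example.net/jquery.min.js"></script>
</head><body>
<a href="http://example.com/about">About</a>
<img src="/img/logo.png">
<img src="http://example.com/img/banner.jpg">
<img src="//cdn.example.net/pic.png">
</body></html>"""

if __name__ == "__main__":
    for line, tag, attr, url in find_insecure_resources(SAMPLE_PAGE):
        print(f"line {line}: <{tag} {attr}> {url}")
```

It only sees URLs written in the HTML itself; resources added by scripts or referenced inside stylesheets still need the browser's Page Info view or a Lighthouse scan.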
How to fix SSL security issues on your site quickly and cheaply
Fixing SSL issues on your site is not as hard or expensive as you might expect. In many cases, you can easily handle these issues yourself, but in other cases, you will need to get an expert’s help. Either way, it should not take too much time or cost too much to resolve these problems.
How to get your site to load from HTTPS
If you are using WordPress you can easily change how your site loads with regard to HTTP vs HTTPS.
In the WordPress admin, from the left menu, click Settings->General. There you will see two URLs, one is for the WP installation package, and the other is for the frontend loading of the site. Both need to have HTTPS. You can easily make these changes.
After changing it you may be logged out. At this point, you can easily check the URL in the address bar to see if HTTPS has been activated for the domain.
If you are using another platform or software package for your site, you will have to find similar controls for the site’s URL structure. You might have to contact tech support to get them to do it if you cannot.
If none of these options exist for your specific case, you can update the URL using the .htaccess file. This file sits in the root of your website and can easily be edited.
You can find more information on how to update the .htaccess file here. If this is still not something you can do, I would suggest getting an expert to help you with this part.
How to fix unsecured images on your site
At this point, you should have an SSL certificate installed, and your site should be properly configured to use it. But now how do we fix these broken images?
If your site runs on any CMS, like WordPress, Shopify, Joomla, or similar, you can go to each content page within that system and change the URL for any images where it is not configured correctly.
You can use the raw HTML view of a page’s content to quickly find image links and update them from HTTP to HTTPS.
If this option is not available, you may need to click on each image to edit it. Clicking an image usually shows a popup where you can update the image URL, or swap the image out. You can choose the same image as before, and resetting it in this way often corrects the URL problem.
If none of these works or is available to you, you can ask a developer to handle it for you. It should take less than 5 minutes for a developer to update all the images on a page.
With this approach, you might be able to update all the problematic images on your site. However, not all images are within the body content of pages. There are often images in the header for things like a logo and other graphics. This is often the case with the footer as well.
In cases where there are unsecured images outside of the normal body copy, you can try to edit them yourself using the template editing tools provided by your CMS. Otherwise, this is usually a job for a developer.
How to fix other unsecured resources on your website
Again using the template editor provided by your CMS, you may have access to some of these URLs and can easily update them in the same way you did images.
The problem is often these resource links are not directly accessible from the template editor. They may be buried in plugins, addons, or modules. You can try to edit these, but again this is very technical and I would suggest using a developer to take care of these for you.
Generally, when using a developer for these updates, you can expect it to take a few hours at most and cost just under $300 based on your website’s size.
Almost all 3rd party resource links can be updated to use HTTPS, but in the rare case you cannot, I would suggest using an alternative solution or building the same solution in-house.
Fixing SSL issues on your site is not hard or expensive. It often takes just a few hours at most and costs just a few hundred dollars at most.
The owner or editor of a site can easily fix all of these issues using page editing features if provided by the CMS or system that runs the site. In the case where editing tools are not provided or do not apply to certain parts of the site, a developer can come in and update these quickly.
When all is said and done, your site should now be fully secured. The Page Info report should show no URLs using HTTP, with all of them using HTTPS.