Why Does a Website Still Show Not Secure?

When a website still shows Not Secure in the browser, it usually means the page is being loaded in a way that the browser does not fully trust. In most cases, the site has an SSL certificate installed, but something on the page, in the redirect setup, or in the hosting control panel is preventing the browser from showing the secure padlock.

This can happen even on a correctly hosted website. The most common reasons are mixed content, a missing redirect from HTTP to HTTPS, an expired or misconfigured certificate, or pages loading resources from insecure URLs. In a managed hosting environment or control panel such as Plesk, these issues are usually straightforward to check and fix.

Why a browser shows Not Secure

Browsers display a Not Secure warning when they cannot confirm that the connection to the page is protected by HTTPS. That does not always mean the certificate is completely missing. It can also mean that the browser detected one of the following:

  • The page was opened over HTTP instead of HTTPS.
  • The SSL certificate is invalid, expired, or not trusted.
  • The website loads images, scripts, stylesheets, or fonts over HTTP.
  • The server is redirecting incorrectly or not forcing HTTPS.
  • The certificate does not match the domain name being visited.
  • The site uses outdated security settings or a broken TLS configuration.

For visitors, the result is the same: the browser does not show a fully secure connection. For website owners, this can reduce trust, harm conversions, and affect SEO performance because HTTPS is a known ranking and usability factor.

Most common causes of the Not Secure warning

1. The page is still opening on HTTP

If a user types http:// or clicks an old link, the browser may load the unsecured version of the page first. Even if the site has an SSL certificate, the browser will show Not Secure until the request is redirected to HTTPS.

This is one of the most common issues on hosting platforms after a certificate is installed. The certificate exists, but the site is not yet configured to redirect all traffic to the secure version.

2. Mixed content is still present

Mixed content happens when the main page loads over HTTPS but some assets still load over HTTP. Typical examples include:

  • Images
  • JavaScript files
  • CSS files
  • Web fonts
  • Embedded videos or widgets
  • Links inside theme files or page builders

Even one insecure resource can make the page appear unsafe or break the padlock icon. Modern browsers may block some of these resources automatically, which can also affect page layout or site functionality.

3. The SSL certificate is expired or not active

Certificates have a validity period. If a certificate expires, the browser no longer trusts the connection. This is often seen when renewal did not complete correctly or the certificate was not reinstalled after changes in the hosting panel.

In managed hosting, auto-renewal usually reduces this risk, but it can still happen if DNS validation fails, the domain changes, or the certificate chain is not deployed properly.

4. The certificate does not match the hostname

If the certificate was issued for www.example.com but the user visits example.com, or the reverse, the browser may not trust the connection unless both names are covered. The same issue can appear with subdomains, staging sites, or alternative hostnames.

Make sure the certificate covers the exact version of the domain you want to use, including www if needed.
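
The expiry and hostname checks from causes 3 and 4 can be reproduced outside the browser. The following is an added example, not code from the hosting platform: `name_matches`, `diagnose`, the `warn_days` threshold and the sample certificate are assumptions made for illustration, and the certificate dict is constructed in the shape Python's `ssl.SSLSocket.getpeercert()` returns.

```python
import ssl
import time

# Constructed sample in the dict shape ssl.SSLSocket.getpeercert() returns.
SAMPLE_CERT = {
    "subjectAltName": (("DNS", "www.example.com"), ("DNS", "*.shop.example.com")),
    "notBefore": "Jan  1 00:00:00 2025 GMT",
    "notAfter": "Apr  1 00:00:00 2025 GMT",
}

def name_matches(pattern, host):
    """Compare one certificate DNS name with the visited hostname."""
    want = pattern.lower().rstrip(".").split(".")
    got = host.lower().rstrip(".").split(".")
    if len(want) != len(got):
        return False  # example.com and www.example.com are different names
    if want[0] == "*":
        # A wildcard stands for exactly one left-most label.
        return len(want) > 2 and want[1:] == got[1:]
    return want == got

def diagnose(cert, host, now=None, warn_days=14):
    """Return a list of problems; warn_days is an assumed alert threshold."""
    now = time.time() if now is None else now
    problems = []
    names = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not any(name_matches(name, host) for name in names):
        problems.append("%s is not covered by: %s" % (host, ", ".join(names)))
    starts = ssl.cert_time_to_seconds(cert["notBefore"])
    ends = ssl.cert_time_to_seconds(cert["notAfter"])
    if now < starts:
        problems.append("certificate is not valid yet")
    elif now >= ends:
        problems.append("expired %d days ago" % ((now - ends) // 86400))
    elif ends - now < warn_days * 86400:
        problems.append("expires in %d days" % ((ends - now) // 86400))
    return problems
```

`getpeercert()` only returns this dict after the handshake has verified the certificate, so against a live host connect with a name the certificate covers and pass the other variant (for example the bare domain) as `host`.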

5. The redirect rules are incomplete or conflicting

A website can have multiple redirect sources: the web server, the application, the CMS, and sometimes the control panel. If one layer redirects to HTTPS and another sends users back to HTTP, the browser can behave unpredictably.

Common examples include:

  • Apache rewrite rules in .htaccess
  • Plesk redirect settings
  • WordPress or other CMS URL settings
  • CDN or reverse proxy rules

It is best to use one clear redirect method and avoid conflicting rules.

6. The site uses an old TLS or security configuration

If the hosting server supports outdated protocols or weak cipher settings, browsers may mark the connection as unsafe. This is less common on modern managed hosting, but it can still occur on older setups or custom server configurations.

Modern HTTPS should use current TLS versions and a valid certificate chain.

How to check what is causing the warning

Check the exact URL in the browser

Start by looking at the address bar. Confirm whether the page is loading on http:// or https://. If the browser is still using HTTP, the problem is likely a missing redirect or an old bookmark/link.

If the page already uses HTTPS but still shows a warning, the issue is probably mixed content, certificate mismatch, or a certificate problem.

Inspect the browser security message

Click the browser warning or padlock icon to see details. Browsers often indicate whether the problem is:

  • Not secure connection
  • Certificate not trusted
  • Certificate expired
  • Mixed content loaded

This gives a useful clue before you check the hosting settings.

Use your hosting control panel

In a control panel such as Plesk, check the following:

  • Whether the SSL certificate is installed for the correct domain
  • Whether the certificate is active
  • Whether the domain has a forced HTTPS redirect enabled
  • Whether the preferred domain version is set correctly

If your hosting platform provides SSL tools, they may also show certificate expiry status and installation details.

Look for mixed content in the page source

If the page loads over HTTPS but the warning remains, inspect the website source code or use browser developer tools to find resources still using http://. Pay close attention to:

  • Theme files
  • Custom code snippets
  • Image URLs in content
  • Third-party scripts
  • Hardcoded internal links

Many mixed content issues come from old absolute links stored in the database or inserted manually into pages.
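
For pages with many templates, the same search can be scripted. The following is an added example, not part of the original article: `scan`, `MixedContentScanner` and the sample page are assumptions made for illustration. It separates sub-resources the browser fetches over HTTP (true mixed content) from plain HTTP links, which do not affect the padlock but still need updating.

```python
import re
from html.parser import HTMLParser

# Tag -> attribute that makes the browser fetch a sub-resource.
FETCHED = {"img": "src", "script": "src", "iframe": "src", "source": "src",
           "video": "src", "audio": "src", "embed": "src", "object": "data"}
FETCHING_RELS = {"stylesheet", "icon", "preload", "manifest"}
CSS_URL = re.compile(r"url\(\s*['\"]?(http://[^'\")\s]+)", re.I)

# Constructed sample page, not taken from a real site.
SAMPLE_PAGE = """
<link rel="stylesheet" href="http://example.com/theme.css">
<link rel="canonical" href="http://example.com/">
<style>body { background: url(http://example.com/bg.png) }</style>
<img src="https://example.com/logo.png">
<script src="HTTP://cdn.example.net/widget.js"></script>
<a href="http://example.com/contact">Contact</a>
"""

def insecure(url):
    return (url or "").strip().lower().startswith("http://")

class MixedContentScanner(HTMLParser):
    """Collect (kind, where, url) for each http:// reference in a page."""
    def __init__(self):
        super().__init__()
        self.findings, self.in_style = [], False

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        self.in_style = tag == "style"
        if tag in FETCHED and insecure(attrs.get(FETCHED[tag])):
            self.findings.append(("resource", tag, attrs[FETCHED[tag]]))
        elif tag in ("link", "a") and insecure(attrs.get("href")):
            rels = set((attrs.get("rel") or "").lower().split())
            # <a> and rel=canonical are not fetched, so they are only HTTP links.
            kind = "resource" if tag == "link" and rels & FETCHING_RELS else "link"
            self.findings.append((kind, tag, attrs["href"]))

    def handle_endtag(self, tag):
        self.in_style = self.in_style and tag != "style"

    def handle_data(self, data):
        if self.in_style:  # CSS url(http://...) inside a <style> block
            self.findings += [("resource", "style", u) for u in CSS_URL.findall(data)]

def scan(html):
    scanner = MixedContentScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings
```

Run `scan()` over the rendered HTML rather than the template files, so that URLs generated from database content are included.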

How to fix Not Secure on a website

1. Install or renew the SSL certificate

First confirm that the certificate is valid and installed on the correct domain. If it has expired, renew it and verify that the new certificate chain is deployed fully.

In managed hosting, the certificate may be renewed automatically, but you should still check the status in the control panel if the browser warning persists.

2. Force all traffic to HTTPS

Set up a permanent redirect from HTTP to HTTPS so that every visitor lands on the secure version of the site.

Depending on your hosting setup, you can do this in one of several places:

  • In the control panel, if HTTPS redirection is available
  • In the web server configuration
  • In .htaccess on Apache-based hosting
  • In the CMS settings, if your platform supports canonical site URLs

Use one clear redirect path and make sure it does not create loops.
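
To confirm that the redirect path is clean, follow it one hop at a time instead of letting a browser hide the intermediate steps. The following is an added example, not part of the original article: `trace_redirects`, `fetch_hop` and the `CONFLICTING` table are assumptions made for illustration. The table is a constructed set of responses that models the conflict described under cause 5, where one layer upgrades to HTTPS and another sends visitors back to HTTP.

```python
import http.client
from urllib.parse import urljoin, urlsplit

# Constructed responses: the panel upgrades to HTTPS, a CMS rule downgrades.
CONFLICTING = {
    "http://example.com/": (302, "https://example.com/"),
    "https://example.com/": (301, "https://www.example.com/"),
    "https://www.example.com/": (301, "http://www.example.com/"),
    "http://www.example.com/": (301, "https://www.example.com/"),
}

def fetch_hop(url):
    """Send one HEAD request and return (status, Location) without following."""
    parts = urlsplit(url)
    secure = parts.scheme == "https"
    conn_cls = http.client.HTTPSConnection if secure else http.client.HTTPConnection
    conn = conn_cls(parts.netloc, timeout=10)
    try:
        conn.request("HEAD", parts.path or "/")
        resp = conn.getresponse()
        return resp.status, resp.getheader("Location")
    finally:
        conn.close()

def trace_redirects(url, fetch=fetch_hop, max_hops=10):
    """Follow redirects by hand and return (hops, problems)."""
    hops, problems, seen = [], [], set()
    while len(hops) < max_hops:
        if url in seen:
            problems.append("redirect loop at " + url)
            break
        seen.add(url)
        status, location = fetch(url)
        hops.append((status, url))
        if status not in (301, 302, 303, 307, 308) or not location:
            break
        target = urljoin(url, location)
        upgrade = url.startswith("http://") and target.startswith("https://")
        if url.startswith("https://") and target.startswith("http://"):
            problems.append("downgrade: %s -> %s" % (url, target))
        elif upgrade and status not in (301, 308):
            problems.append("HTTPS redirect is temporary (%d) at %s" % (status, url))
        url = target
    else:
        problems.append("gave up after %d hops" % max_hops)
    if not url.startswith("https://"):
        problems.append("final URL is not HTTPS: " + url)
    return hops, problems
```

Calling `trace_redirects("http://example.com/")` with the default `fetch_hop` checks a live site; passing `fetch=lambda u: CONFLICTING[u]` replays the constructed conflict offline.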

3. Replace all HTTP links with HTTPS

Update all internal links, image URLs, and asset references so they use secure URLs. This includes links inside:

  • Pages and posts
  • Header and footer templates
  • Menus
  • Widgets
  • Database content

If your site was migrated from an older platform, some content may still reference the old HTTP address. A search and replace operation may be required.

4. Fix mixed content

After switching to HTTPS, test the site carefully for insecure resources. If the browser console shows mixed content warnings, update each source to HTTPS or host the file locally over secure URLs.

Common fixes include:

  • Changing image paths from http:// to https://
  • Updating script and stylesheet references
  • Replacing insecure third-party embeds
  • Regenerating cached content from the CMS or page builder

If a third-party service does not support HTTPS, it should be replaced where possible. Insecure external content can undermine the security status of the entire page.

5. Check the preferred domain version

Choose one canonical version of the site and use it consistently. For example, decide whether the site should use:

  • https://example.com
  • https://www.example.com

Then redirect the other version to it. This helps avoid duplicate URLs, certificate mismatch issues, and inconsistent browser behavior.

6. Reinstall the certificate if needed

If the certificate was added incorrectly, reinstall it from the control panel. Make sure the full certificate chain is present, including any intermediate certificates provided by the certificate authority.

On hosting platforms with automated SSL tools, it is often worth removing the old certificate entry and reissuing it cleanly, especially after domain changes or DNS updates.

7. Clear cache after changes

Browser cache, CMS cache, and server cache can keep old HTTP references visible even after you have fixed them. Clear:

  • Browser cache
  • Website cache plugin or application cache
  • Reverse proxy cache if used
  • CDN cache, if applicable

Then reload the site in a private window to confirm the warning is gone.

How this looks in Plesk and managed hosting environments

In Plesk or similar hosting control panels, the most relevant checks are usually:

  • SSL/TLS certificate status for the domain
  • Whether the correct certificate is assigned to the site
  • HTTPS redirection settings
  • Domain aliases and subdomains
  • Web server configuration for Apache or Nginx

If the site is running on Apache, redirects may be handled through .htaccess. If Nginx is in front of Apache, HTTPS redirect behavior may need to be configured at the proxy level or through the hosting panel settings. In managed hosting, some of this is automated, but the application settings still need to match the server configuration.

For CMS-based sites, check the site URL settings inside the application itself. If the CMS still believes the site URL begins with HTTP, it may generate insecure links even when the certificate is installed correctly.

SEO and user trust impact

A website that shows Not Secure can lose user confidence quickly. Visitors may hesitate to submit forms, complete checkout, or log in. Search engines also expect secure delivery as part of modern website standards.

HTTPS supports:

  • Better user trust
  • Safer login and checkout pages
  • Reduced risk of content interception
  • Cleaner browser behavior
  • Improved compatibility with modern browser features

Even if the site is not collecting sensitive information, HTTPS should still be enabled site-wide. It is now a baseline requirement for professional hosting and website security.

Practical troubleshooting checklist

  • Confirm the site opens on https://, not http://.
  • Verify that the SSL certificate is active and not expired.
  • Check that the certificate matches the correct domain name.
  • Enable a permanent HTTP to HTTPS redirect.
  • Search for mixed content in the page source and browser console.
  • Update all internal links, assets, and CMS URLs to HTTPS.
  • Check the preferred version of the domain, with or without www.
  • Clear all caches after making changes.
  • Review control panel settings in Plesk or your hosting dashboard.

When to contact hosting support

Contact support if the certificate is installed but the warning remains and you cannot identify the cause. It is especially useful to ask for help when:

  • The certificate shows as installed but is not being served by the website
  • HTTPS redirects are not working from the hosting side
  • You use a proxy, CDN, or load balancer
  • The site has multiple subdomains or aliases
  • You need help identifying server-level mixed content or TLS issues

Providing a screenshot of the browser warning, the affected URL, and the certificate details can help support diagnose the issue faster.

FAQ

Why does my site still show Not Secure after installing SSL?

Most often, the page is still loading over HTTP, or the HTTPS page contains mixed content. It can also be caused by an expired certificate, a domain mismatch, or a missing redirect.

Is Not Secure always caused by a missing certificate?

No. A site can have a valid certificate and still show a warning if some resources load insecurely or if the redirect setup is incomplete.

How do I know if the problem is mixed content?

If the main page loads over HTTPS but the browser warning remains, open the developer tools or check the security details. Mixed content warnings usually identify the insecure file or resource.

Do I need HTTPS on every page?

Yes. The safest and most consistent setup is to use HTTPS site-wide, including all pages, assets, forms, and redirects.

Can a cached page still show Not Secure after I fixed SSL?

Yes. Browser cache, website cache, and CDN cache can keep old HTTP references visible. Clear caches and retest in a private browsing window.

Should I use www or non-www with HTTPS?

Either is fine, but you should choose one version and redirect the other to it consistently. The certificate must cover the version you use.

Does Not Secure affect SEO?

It can. HTTPS is a standard expectation for modern websites, and insecure pages can reduce trust and harm user engagement, which may indirectly affect SEO performance.

Conclusion

If a website still shows Not Secure, the root cause is usually not the certificate alone. The issue often lies in redirects, mixed content, domain mismatch, or cached insecure URLs. In a hosting environment with a control panel such as Plesk, the fix usually involves checking the certificate assignment, enforcing HTTPS, and making sure every resource loads securely.

Once the site serves only HTTPS, uses the correct certificate, and no longer loads insecure resources, browsers should display the secure connection normally. For the best result, review the full site after any certificate installation or migration, not just the homepage.
