7 Ways to Fix Security Issues on WordPress Websites [SSL, HTTPS]

Security forms a vital part of the trust that visitors place on a website. This is even more relevant when dealing with confidential information, such as health records or payment method data. Those who have a WordPress site that is not secure will benefit a lot from reading this article.

The more measures website owners can take to keep their websites secure, the better. While there are ways to bypass security-related warnings faced when visiting a website, the annoyance spoils the user experience. Fortunately, there are many steps that one can take to make amends, free of charge.

Search engines, too, have begun to emphasize secure websites more while deciding the latter’s ranks. Security issues often create a feeling of panic among website owners. However, keep reading to find out how to fix such issues on a WordPress website.

Why is my WordPress site not secure?

Being a flexible and feature-filled CMS makes WordPress a lucrative target for hackers because there are many vulnerabilities and endpoints.

Visitors may see a warning about a WordPress site not being secure for various reasons. One of them is a missing SSL certificate. Sometimes, a misconfigured or expired certificate, also results in warnings issued by the browser.

Not all such certificates renew automatically. So, if one forgets to renew them manually, they will expire and will lead to warning.

How do I make my WordPress site secure?

A WordPress website often involves third-party code used in the form of themes, language packs, and plugins. These are in addition to the core files of the CMS. Website owners need to keep all of these up-to-date. Newer versions of plugins and themes often include patches that fix security loopholes.

Read more about this topic

• Event ID TPM-WMI 1796: What is This Error & How to Fix it
• 3 Ways to Fix The Power Button Lockout on Your Monitor
• Microsoft announces WordPress on App Service free hosting plan is generally available

There are also many tools available that can scan the website for security-related issues and suggest remedial measures.

Why is my WordPress site HTTP, not HTTPS?

It is not sufficient just to have an SSL certificate installed. One needs to force HTTP traffic to use HTTPS instead. The steps to do so will vary depending on the underlying software.

However, there are also plugins available that can help to set up the necessary redirection quickly. Using plain HTTP will make the website traffic more prone to eavesdropping by hackers.

How do I fix the WordPress site not secure?

1. Install an SSL certificate

If the website hasn’t installed an SSL certificate, one can obtain it by applying for fresh registration. Many domain name providers and web hosting agencies supply digital certificates as well.

Free SSL certificates are also available from sources such as Let’s Encrypt, GoGetSSL, ZeroSSL, Sectigo, etc. Hosting providers usually have better support for paid certificates.

2. Renew the installed SSL certificate

Free SSL certificates usually expire after 90 days, and paid ones after about a year, depending on the validity chosen while purchasing. Not all hosting providers support the automatic renewal of the certificates.

3. Force all traffic via HTTPS

If the browser is expected to use HTTPS automatically but instead uses plain HTTP only, the browser will consider the WordPress site not secure.

In this case, it is very likely that the traffic is not being forced through HTTPS, leaving visitors free to use plain HTTP if they wish to. This can be corrected by redirecting all HTTP traffic through HTTPS.

4. Make sure that the certificate is installed for the correct address

If there is a mismatch between the address mentioned in the certificate and the website where it is installed, the browser will take that as a warning.

Multi-domain and wildcard certificates can be used to cover more than one address in one go.

5. Get a certificate from a trusted provider

If the website had a Symantec digital certificate, Chrome will not trust it anymore. Consider getting an SSL certificate from another vendor.

Even Mozilla Firefox won’t consider such certificates as trustworthy, including Symantec’s other brands like Thawte, GeoTrust, and RapidSSL.

6. Adjust the clock of the system

If the system clock is not accurate, the browser will likely consider a valid SSL certificate invalid. Set the correct date and time in the system clock to correct this.

This will apply even to portable devices. If the clock in the phone/tablet is not set accurately, the browser in the OS too, might fail to recognize a valid SSL certificate.

7. Update the operating system and/or browser

Newer versions of operating systems and browsers contain code that can recognize trustworthy SSL certificates more reliably.

Even if visitors use a browser that has a slow update cycle, such as Firefox ESR, it is better to make sure that it is the latest version available.

Is the WordPress site not secure even with SSL?

Even if SSL is active on the website, visitors may still get a Not secure warning in the browser. One of the leading causes for this is content on the page that the server fetches from external sources. If that data is fetched without encryption, the browser will consider it insecure.

Visitors tend to get annoyed when they see an error on the website. Security-related errors may even create a feeling of panic.

When choosing to go for an SSL certificate, it helps to check what verification level it involves. Some certificates check who owns the domain, whereas others will require documents about the business.

If you are sure that the website has a valid and properly configured SSL certificate but are still facing issues, check out this article on how to secure your certificate when Chrome says it’s not valid.

Another annoying WordPress issue is cURL error 28. To learn the probable causes and solutions to fix it; read this guide.

Let us know which solution worked for you in the comments area below.