The “not secure” warning at the top of the website is very frustrating. Unfortunately, it is also frustrating for your visitors.
I mean, put yourself in your visitor’s shoes. If you just land on a website and are abruptly welcomed by this massive WordPress login not secure error, that will definitely scare you away.
Therefore, we are here to help you avoid scaring your visitors away with the “Website Not Secure” error. Simply put, in this article we will show how to fix WordPress login not secure or “Not Secure” issues. All of these “Not Secure” issues can be traced back to the Secure Sockets Layer or, as we all know it, the SSL certificate.
But before the fixes, let’s understand why you might be witnessing this WordPress login not secure error. Simply put, let’s answer the burning question: why is my site not secure?
Understanding the “Not Secure” Warning
In essence, as the name suggests, this error is returned when your website is simply “not secure.” Let’s dive deep into the technologies of the error and understand why your WordPress is not secure.
When you land on a website, it stores limited information about you that helps the website with personalization. For instance, an online clothing store can use this information to show you articles that you are more likely to like and purchase. This is stored in the form of cookies.
Without SSL, this information is sent back and forth between your browser and the website in plain text.
An SSL certificate helps protect the information by encrypting it, which makes it incomprehensible. That way, even if hackers succeed in spying on it, they cannot make sense of it, so the information stays protected.
Conversely, if you don’t have an SSL certificate, bad guys can easily gain access to this information. The sensitive information includes credit card information, form information, login credentials, and more.
Hence, you get this WordPress login not secure warning if your website does not use SSL. The only way to get rid of it is…to install an SSL.
Benefits of an SSL Certificate
We already discussed how SSL certificates prevent bad guys from eavesdropping on information. But the benefits of this amazing technology do not end here.
Apart from data encryption, SSL also offers the following benefits:
- Secured Certificate: SSL offers a certificate that flags your website as secure. Users love to interact and buy from secure websites that provide secure payment options. This is especially a massive plus point for online stores.
- SEO Boost: Search engines like Google love secured websites, and they give websites with SSL certificates a slight ranking boost.
- Compliance with Regulations: There are strict regulations about handling and storing customer data, especially for websites and stores that store sensitive customer information, such as credit card information. It is often necessary to comply with privacy regulations like GDPR, PCI DSS, and HIPAA.
- Protection Against Phishing: The padlock icon and the secured connection tag help visitors differentiate between a legitimate and a phishing site. Users can avoid entering sensitive information on websites that use HTTP and not HTTPS.
NOTE: Remember that having an SSL certificate doesn’t mean that the site is legitimate, so always check the website domain and URL carefully before entering any information.
How to Obtain an SSL Certificate [Free and Paid]
Now that you are convinced, here’s how to obtain an SSL certificate.
SSL certificates are usually free with most hosting plans.
All you have to do is go to your favorite hosting provider and purchase one of their plans. Alternatively, you can buy it from any SSL provider, such as Namecheap, CheapSSLShop, or SSLs.com. The price can vary, but usually, it’s around $3-$5 for a single domain SSL.
However, if you don’t like the idea of buying an SSL, the next section is for you.
How to Obtain an SSL Certificate For Free
You can use several services to obtain an SSL certificate for free. A few of them include:
- Let’s Encrypt
- ZeroSSL
- SSL for Free
- Cloudflare’s Free SSL
Here’s how you can use ZeroSSL to obtain and install your free SSL certificate.
ZeroSSL also has a paid plan starting from $10/month that automatically renews your SSL every 90 days. Otherwise, you will have to renew it manually.
Here’s the process:
- Account creation: You need to create a ZeroSSL account to manage your certificates.
- Request Certificate:
  - Generate a Certificate Signing Request (CSR) through ZeroSSL or manually.
  - ZeroSSL provides an online tool to generate the CSR and private key.
- Domain Validation: Verify your domain ownership via DNS verification.
- Install Certificate: Once the certificate is issued, manually install it on your server.
Now, you have obtained the SSL, but only obtaining it is not enough to get rid of the “WordPress login not secure” warning; you also have to install it on your WordPress.
Installing the SSL Certificate on Your WordPress
Obtaining the SSL is not enough to get rid of “not secure.” However, installing it should be. In this section, we will guide you through the steps of installing the SSL certificate on your WordPress.
Use Your Web Hosting to Install SSL on Your WordPress
You can use your hosting provider to install an SSL in six easy steps. Here’s how to get started:
- Step 1 — Access Your Hosting Control Panel: Log in to your hosting account and navigate to your hosting control panel (e.g., cPanel, Plesk, or a custom dashboard provided by your host).
- Step 2 — Locate the SSL/TLS or Security Section: In cPanel, this is often under “Security.” Similarly, custom dashboards and Plesk may have a dedicated section for security or SSL certificates.
- Step 3 — Install a Free SSL Certificate: Several hosts, like Bluehost, provide one-click SSL installation.
- Step 4 — Verify SSL Installation: Finally, go to your website to verify the newly installed SSL. Ensure your site’s address starts with HTTPS. Also, look for the padlock icon that indicates a secure connection.
- Step 5 — Update WordPress URL to HTTPS: Once SSL is installed, you’ll need to update your WordPress settings to use HTTPS instead of HTTP. Go to your WordPress dashboard and update the WordPress Address (URL) and Site Address (URL) fields to use HTTPS instead of HTTP.
- Step 6 — Save Changes: Don’t forget to save changes to store your settings.
Redirecting HTTP to HTTPS
It’s critical to set up your web pages in a way that ensures all your visitors land on the HTTPS version. Fortunately, that is very easy to do. You can do it either with a WordPress plugin or by making changes to your .htaccess file.
The file ‘.htaccess’ is critical for WordPress. Its corruption can prevent you from accessing your WordPress. We also discussed its consequences in this article, along with eight other common WordPress login issues and fixes.
Coming back to the topic, all you have to do is add the following code to your .htaccess file:
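# Send every request that arrives on port 80 (plain HTTP) to the HTTPS site.
RewriteEngine On
RewriteCond %{SERVER_PORT} ^80$
# R=301 marks the redirect as permanent; L stops processing further rules.
RewriteRule ^(.*)$ https://yourdomain.com/$1 [R=301,L]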
NOTE: Replace “yourdomain.com” with your website domain in the above code.
Alternatively, you can use a WordPress plugin like Really Simple SSL or WP Force SSL to automatically handle the redirection and configuration of your site to use HTTPS.
Checking for Mixed Content Issues
Mixed content issues occur when a web page served over a secured connection (HTTPS) loads resources, such as scripts or images, over HTTP. Mixed content can be super deadly for website security. This gap can potentially allow attackers to gain unauthorized access or eavesdrop on user information.
Thus, checking for mixed content issues and fixing them promptly is imperative.
You can quickly check for such instances on your WordPress using a tool like “Why No Padlock.”
Enter your website URL in the Secure Address input box, and check the ‘I’m not a robot’ reCAPTCHA. Finally, press the Test Page button.
Depending on the traffic on the server, you might have to wait in a queue.
Once the wait is over, you can see the final results.
Enhancing WordPress Login Security with All-in-One Login
Even though an SSL certificate protects your and your customers’ data, it cannot protect you from hackers. Thus, it’s essential to protect your WordPress login page, the most common route hackers use to gain unauthorized access, with other security measures.
But…how to secure WordPress login?
In this section, we will use the All-in-One Login—a complete WordPress login page security plugin.
If you haven’t installed it yet, make sure to do so and follow along!
Mask your Default Login URL
The default WordPress login is highly vulnerable because it can be easily reached by adding /wp-login.php after your domain name. Once hackers reach your login page, they can perform cyberattacks like credential stuffing or brute force.
In essence, these attacks occur when hackers try to ‘guess’ your password by either trying common passwords or using stolen credentials from previous breaches. Hackers may also use automated scripts that use numerous password combinations on your login page repeatedly until your password is cracked.
Thus, changing your default login URL is vital. You can effortlessly do that using All-in-One Login. Navigate to AIO Login dashboard >> Login Protection tab >> Change Login URL subtab.
Enable the option using the toggle button and enter your new login URL in the Login URL input box.
Implement Limit Login Attempts
We already discussed how hackers use automated scripts or manually try thousands of different password combinations to guess your password. Thus, this cyberattack requires thousands of attempts to be successful.
By limiting login attempts, you are limiting the total number of attempts a user can make from one IP address. For instance, you can set that value to 3. Afterward, every IP address that exceeds the limit of 3 incorrect attempts will be temporarily blocked automatically. Hence, it mitigates the risk of a successful brute-force attack.
To enable this feature, go to AIO Login dashboard >> Login Protection tab >> Limit Login Attempts subtab.
Enable the feature using the toggle button, and set your maximum attempts.
Also, set the number of minutes you want an IP address to be blocked after a set of incorrect attempts. Finally, customize your lock-out message and save changes.
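The lockout behaviour described above can be sketched as follows. This is an added example, not the All-in-One Login plugin's code. It assumes the block starts once an IP reaches the configured number of failed attempts, that failures older than the lockout period are forgotten, and a 15-minute lockout as a sample value; the class, function and event names are hypothetical.

```python
import time


class LoginAttemptLimiter:
    """Per-IP failed-login counter with a temporary lockout."""
    def __init__(self, max_attempts=3, lockout_minutes=15, clock=time.monotonic):
        self.max_attempts = max_attempts
        self.lockout_seconds = lockout_minutes * 60
        self.clock = clock        # injectable so the lockout can be replayed
        self.failures = {}        # ip -> timestamps of recent failures
        self.blocked_until = {}   # ip -> time at which the block ends

    def attempt(self, ip, password_ok):
        """Return 'blocked', 'ok' or 'failed' for one login attempt."""
        now = self.clock()
        if now < self.blocked_until.get(ip, 0):
            return "blocked"      # rejected before the password is even checked
        if password_ok:
            self.failures.pop(ip, None)
            return "ok"
        # Assumption: failures older than the lockout period are forgotten.
        recent = [t for t in self.failures.get(ip, []) if now - t < self.lockout_seconds]
        self.failures[ip] = recent + [now]
        if len(self.failures[ip]) >= self.max_attempts:
            self.blocked_until[ip] = now + self.lockout_seconds
        return "failed"


def replay(events, max_attempts=3, lockout_minutes=15):
    """Replay (seconds, ip, password_ok) events and return each outcome."""
    now = [0]
    limiter = LoginAttemptLimiter(max_attempts, lockout_minutes, clock=lambda: now[0])
    outcomes = []
    for seconds, ip, ok in events:
        now[0] = seconds
        outcomes.append(limiter.attempt(ip, ok))
    return outcomes


# Constructed events using documentation IP ranges, not real traffic.
SAMPLE_EVENTS = [
    (0, "203.0.113.7", False), (5, "203.0.113.7", False), (10, "203.0.113.7", False),
    (15, "203.0.113.7", True),    # correct password, but the IP is locked out
    (20, "198.51.100.4", True),   # a different IP is unaffected
    (911, "203.0.113.7", True),   # 15-minute lockout has expired
]

if __name__ == "__main__":
    print(replay(SAMPLE_EVENTS))
```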
Adding 2FA or reCAPTCHA
2FA or reCAPTCHA are other fantastic measures to prevent bot traffic and malicious automated scripts that run around the internet.
We have detailed articles about adding two-factor authentication (2FA) and reCAPTCHA. Check them out to enhance your WordPress login security.
If your reCAPTCHA is not working for some reason, refer to the following article, where we troubleshoot common reasons why this might happen.
These steps will improve your WordPress login security tremendously.
Final Remarks on WordPress Login Not Secure
Fixing a WordPress login that is not secure is all about installing or renewing your SSL. An SSL usually comes free with most WordPress or web hosting plans. If your plan doesn’t have that, you can buy one from SSL providers like Namecheap or SSLs.com.
There are also free alternatives like Let’s Encrypt or ZeroSSL that let you obtain an SSL certificate for free. For documentation and assistance, refer to the subheading in the third section. Furthermore, it’s necessary to always check for any mixed content or any webpage that is not correctly set to HTTPS. You can do that with a tool like Why No Padlock.
Lastly, an SSL certificate does not protect you from hackers. Thus, implementing best practices for WordPress login is essential to prevent WordPress login security issues. Change your default login URL, employ limit login attempts, and add 2FA and reCAPTCHA.
For all these security functions, download All-in-One Login today!
If you need help with installation or any other security aspect of your WordPress, contact our support team.
FAQs — WordPress Login Not Secure
How do I force SSL login in WordPress?
You can easily force SSL login in WordPress using a plugin like Really Simple SSL or WP Force SSL. These plugins force all your HTTP pages to HTTPS. Alternatively, you can do it manually by finding the unsecured pages using Why No Padlock and then manually redirecting them to HTTPS.
What are the risks associated with a “Not Secure” warning on my WordPress site?
“Not Secure” means all the sensitive data the customers or users input on your website is insecure and could be eavesdropped on or altered by hackers or perpetrators. Using an SSL certificate can help you get rid of it.
What steps should I take if I see a “Mixed Content” warning after switching to HTTPS?
If your webpage is already secured and you are still seeing the “Mixed Content” error, that means your web page contains elements or resources like scripts, images, videos, etc., that were loaded from a webpage that does not use SSL. To fix it, migrate all the resources from HTTP to an HTTPS server.
Will switching to HTTPS affect my site’s loading speed?
Yes! Switching to HTTPS can slightly impact your website speed because the HTTP version doesn’t involve the additional encryption processes, which are absolutely necessary for the security of your website and users. Thus, the benefits outweigh the minor speed reduction.
Can I remove the “Not Secure” warning without using an SSL certificate?
No, you cannot remove the “Not Secure” warning without using an SSL certificate. This warning appears because browsers like Google Chrome require websites to use HTTPS for secure connections.