Website Security - Shows My Website is Not Secure

Hi,

I just went to my website and at the top of my screen by the URL, it showed a lock with a slash through it and said my website was not secure. It also said if you log in to this website, your information could be compromised. I don't think it has ever done that before, so I was wondering if someone could take a look at it or if someone had any idea why it isn't secure anymore... thank you!

Carrie

  • Sajid
    • DEV MAN’s Sidekick

    Hello Carrie,
    Hope you are doing good today :)

    That is because your site is not using Secure Sockets Layer (SSL/HTTPS) at the moment. This is something required for sites that contain login/registration forms and, more importantly, credit card details, in the case of a self-hosted shopping cart.

    And your site does both, since it's an online shop that collects credit card information on the checkout page. So HTTP is very important for you. Some gateways like Stripe and Authorize.net do not accept any details coming from non-SSL/HTTPS sites.

    Luckily, it is very easy to acquire and install SSL certificates these days. You can get a free SSL certificate from letsencrypt.org and install it on your site.

    Some modern hosts do this automatically for you and have an easy plugin in cPanel to install and auto-renew the certificate.

    If you don't have the plugin (it is not a WordPress plugin) in cPanel, then please contact your host for further assistance.

    I am sure they would be able to do it for you in no time.

    Take care and have a nice day :)

    Best Regards,
    Sajid - WPMU DEV Support

  • Carrie
    • Flash Drive

    Hi Sajid,

    I already have an SSL certificate for my website. I contacted my host and they said I need to enter my website as https: instead of http: on WordPress. Do you know where all I need to make those changes at? Do I need to change every page URL I have created and change my main page under the settings box, or will doing any of that mess other things up? Thanks!

    Carrie

  • Nastia
    • Support Rock Star

    Hello Carrie, I trust you are doing well!

    You can force HTTPS on your site with a plugin. Here are some of the most commonly used plugins:
    https://wordpress.org/plugins/wp-force-https/
    https://wordpress.org/plugins/wp-force-ssl/

    If the plugin does not work, please add the following code to the .htaccess file, replacing http://www.yoursite.com with your domain name:

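    <IfModule mod_rewrite.c>
    RewriteEngine On
    # Match only requests that arrived on port 80 (anchored so ports such as 8080 do not match)
    RewriteCond %{SERVER_PORT} ^80$
    # Redirect the same path to the HTTPS site
    RewriteRule ^(.*)$ https://www.yoursite.com/$1 [R,L]
    </IfModule>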

    Let me know how it goes!

    Kind regards,
    Nastia

  • Sajid
    • DEV MAN’s Sidekick

    Hello Carrie,
    Hope you are doing good today :)

    I see your site is not redirecting to the HTTPS version automatically, so we are good here.

    However, it is still not completely HTTPS. This is because some resources, especially the logo and one other image, are loading over HTTP instead of HTTPS.

    You can fix this issue by using SSL Insecure Content Fixer.

    Alternatively, please find some images on your website and change their URL from HTTP to HTTPS. You can also use a plugin like better search and replace. After installing the plugin, find http and replace with https (don't forget to take a backup of your website first).

    Take care and have a nice day :)

    Best Regards,
    Sajid - WPMU DEV Support

  • #Garth
    • Design Lord, Child of Thor

    Your hosting company had it correct: usually, after changing the images that you inserted into your content to https:// instead (i.e. use SSL Insecure Content Fixer plugin), you can just change the website URL in your WP general settings to https://.

    This will change the following settings in wp-config (in your root directory):
    define('WP_HOME','https://example.com');
    define('WP_SITEURL','https://example.com');

    Just set them back to http:// if there's a problem.
    Be sure to have access to your wp-config file (via FTP or your File manager in your hosting account) to set it back to http if you start getting 404 errors on your site.

    See the WordPress.org article about this:
    https://make.wordpress.org/support/user-manual/web-publishing/https-for-wordpress/#implementing-https-for-wordpress

    Here is another full article that goes through most aspects of SSL setup.
    https://css-tricks.com/moving-to-https-on-wordpress/

    As to insecure images, if using the SSL Insecure Content Fixer plugin doesn't resolve it, then you may need to identify which plugin is not properly supporting https:// (pretty rare, but can happen). Click the secure alert icon to see more details about what content is not being served securely and figure out where that content is and what's serving it (i.e. which plugin would be using it) and replace that plugin with another or go back to the plugin manufacturer.
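
An added example, not part of any post in this thread: one way to list exactly which resources on a page still load over http://, which is the information the replies above tell Carrie to find through the browser's alert icon. The page URL, the sample markup and the names `RULES` and `find_mixed_content` are constructed for illustration; the sample is not the site discussed here.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# (tag, attribute) -> how a browser treats an http:// URL there on an https:// page.
RULES = {
    ("script", "src"): "active",   # blocked outright by current browsers
    ("iframe", "src"): "active",
    ("link", "href"): "active",    # only counted for rel=stylesheet (see below)
    ("img", "src"): "passive",     # may still load, but the padlock is downgraded
    ("form", "action"): "form",    # login or card data would be posted unencrypted
}

class MixedContentScanner(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []  # (kind, tag, resolved URL)

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "link" and "stylesheet" not in (attrs.get("rel") or "").lower():
            return  # canonical/alternate links are not subresource loads
        for attr, value in attrs.items():
            kind = RULES.get((tag, attr))
            if not kind or not value:
                continue
            # Relative and protocol-relative URLs inherit https from the page.
            url = urljoin(self.page_url, value.strip())
            if urlsplit(url).scheme == "http":
                self.findings.append((kind, tag, url))

def find_mixed_content(page_url, html):
    scanner = MixedContentScanner(page_url)
    scanner.feed(html)
    return scanner.findings

# Constructed sample page: a hard-coded http:// logo and an http:// login form.
SAMPLE = """<html><head>
<link rel="canonical" href="http://shop.example/">
<script src="//cdn.example/lib.js"></script>
</head><body>
<img src="http://shop.example/wp-content/uploads/logo.png">
<img src="/wp-content/uploads/banner.jpg">
<a href="http://other.example/">link</a>
<form action="http://shop.example/wp-login.php" method="post"></form>
</body></html>"""

if __name__ == "__main__":
    for kind, tag, url in find_mixed_content("https://shop.example/", SAMPLE):
        print(f"{kind:8} <{tag}> {url}")
```

Ordinary `<a href>` links and the canonical link are ignored because navigating to an http:// page does not load insecure content into the current one; only the hard-coded logo and the form target are reported.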

  • Carrie
    • Flash Drive

    Ok, so I installed and activated the SSL Insecure Content Fixer plugin and then I ran the test and it said that it came back with this message:

    Your server environment shows this:

    error
    Forbidden

    Any recommendations on what to do now?

  • Nastia
    • Support Rock Star

    Hello Carrie, I hope you are doing well!

    I've checked your site and see that you are using a WooCommerce plugin. A similar issue was reported in the WordPress.org forum here:
    https://wordpress.org/support/topic/403-forbidden-error-with-woocommerce-downloads/#post-8748092

    Please uncheck the force secure checkout in WooCommerce > Settings > Checkout > Checkout Options. Please see the screenshot:

    Let me know how it goes.

    Kind regards,
    Nastia
