Why is my website displaying a “Not secure” warning?

Firstly, don’t panic – nothing has changed with your website itself!

What has changed is the way browsers label your website: in the past few days, both Chrome and Firefox have started displaying a new warning message (effective from the end of January 2017).

Your web browser is displaying this warning because an attacker could potentially eavesdrop on the password details you type into the website. You may, therefore, be seeing this warning on your website editor / WordPress login screen.

Google says:

Starting January 2017, Chrome [version number] 56 will label HTTP pages with password or credit card form fields as “not secure,” given their particularly sensitive nature.

Let us explain…

A very brief summary of HTTP and HTTPS

There are two types of connection on the internet: HTTP and HTTPS. Most websites have traditionally used HTTP (e.g. http://www.example.com). It’s just the way it’s been!

HTTPS is a secure connection, which means all the data transferred between the web server and your computer is encrypted. When shopping online, you’ll most likely notice the green padlock symbol in your browser’s address bar, which confirms your personal details (e.g. passwords, credit card numbers, etc) will be sent securely across the internet.

How can I tell if my website has HTTPS?

In your browser address bar, if you see a padlock symbol or a “secure” label, it means it’s running over HTTPS. This confirms you’re using a secure, encrypted connection.

If you don’t see a padlock symbol or “secure” label, it means it’s running over HTTP and isn’t using a secure connection.

If you’re unsure, feel free to contact us and we can help you check.

Why isn’t my website HTTPS already?

In the past, the vast majority of websites have been HTTP only.

Enabling HTTPS on your website requires what’s called an SSL certificate, for which most hosting companies have typically charged around £50+ per year. Some types of SSL certificates can cost several hundred pounds. An SSL certificate has to be issued by a certificate authority.

For most small websites, especially brochure or blog format websites, it’s an added cost that’s been hard to justify. It also involves a bit of technical work to convert your website to HTTPS. So, for most websites, it’s not been a big consideration.

For e-commerce or membership sites, having an SSL certificate has been more important because it protects your users’ personal data, especially when it comes to credit card details.

Why has this “not secure” warning only just started appearing?

Many of the big players on the internet, such as Google (who develop the Chrome browser), have decided to use their influence to convince website owners to move to a secure HTTPS connection. They believe this will be for the greater good of everyone who uses the internet.

SSL certificates have, in recent months, become much easier to set up and more affordable for website owners, so they believe now is the right time to convert the whole internet to HTTPS.

For most people, their web browser software gets updated automatically at regular intervals. Within the past few days, Chrome version 56 and Firefox version 51 have been released, which now contain a new warning for HTTP websites.

What benefits does HTTPS have?

As well as security, converting your website to an HTTPS connection is also better for SEO (search engine optimisation) and can make your site load faster. It also adds credibility to your business.

For details of how HTTPS can benefit your website, see our HTTPS conversion service.

What does it mean for my WordPress website?

If your website is running over HTTPS already, these web browser changes will have no impact and no warning will display, because you have a secure connection.

Until a few days ago, all HTTP webpages in the Chrome web browser looked like this:

Now, if Chrome loads an HTTP webpage that contains a password box or credit card form, it displays this “not secure” label:

Firefox too is now displaying its own warning icon, although it’s more subtle than Chrome’s notice:

If your website is running on HTTP, and not HTTPS, then:

  • You will see a warning message on your website editor / WordPress login screen, because your password will be sent unencrypted over the internet.
  • If a webpage contains a login facility for your visitors (e.g. if they have an account or access a members’ area), or your webpage has a credit card form, then your visitors will see a “not secure” warning too.

But if your website doesn’t have any login boxes or credit card boxes that your visitors use, then this change won’t affect them and they won’t see any warning message for the time being.

So in reality, for most websites, this change won’t affect your ordinary users for a while, but you might see this warning yourself on your WordPress / website editor login page.
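
The rule described above can be checked across a site's pages. The following is an added example, not code from Chrome, Firefox or Primary Image: it flags pages that are served over HTTP and contain a password or card field. Recognising card fields by their autocomplete="cc-..." attribute is an assumption made here (browsers use their own detection logic), and the URLs and HTML snippets are constructed samples.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit


class SensitiveFieldFinder(HTMLParser):
    """Collects <input> fields that ask for a password or card details."""

    def __init__(self):
        super().__init__()
        self.found = []  # list of (kind, field name)

    def handle_starttag(self, tag, attrs):
        if tag != "input":
            return
        a = {k: (v or "") for k, v in attrs}
        tokens = a.get("autocomplete", "").lower().split()
        if a.get("type", "").lower() == "password":
            self.found.append(("password", a.get("name", "")))
        # Assumption: card fields carry an HTML "cc-*" autocomplete token.
        elif any(t.startswith("cc-") for t in tokens):
            self.found.append(("card", a.get("name", "")))


def audit_page(url, html):
    """Return whether the page is on HTTPS and whether a warning is expected."""
    scheme = urlsplit(url).scheme.lower()
    finder = SensitiveFieldFinder()
    finder.feed(html)
    finder.close()
    return {
        "url": url,
        "https": scheme == "https",
        "sensitive_fields": finder.found,
        # Warning applies only to HTTP pages with a password or card field.
        "warning_expected": scheme == "http" and bool(finder.found),
    }


# Constructed sample pages (not taken from any real site).
LOGIN_HTML = '<form method="post"><input name="log"><input type="PASSWORD" name="pwd"></form>'
CHECKOUT_HTML = '<form><input name="card" autocomplete="cc-number"><input name="exp" autocomplete="cc-exp" /></form>'
BROCHURE_HTML = '<h1>Welcome</h1><form><input type="search" name="s"></form>'

if __name__ == "__main__":
    for url, html in [("http://www.example.com/wp-login.php", LOGIN_HTML),
                      ("http://www.example.com/checkout", CHECKOUT_HTML),
                      ("http://www.example.com/", BROCHURE_HTML),
                      ("https://www.example.com/wp-login.php", LOGIN_HTML)]:
        print(audit_page(url, html))
```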

What’s going to happen in the future?

Google, who develop the Chrome browser, have said their recent changes are only the start. Over time, they want to encourage all websites to move to HTTPS and make users think about the security of their internet connection.

Google say:

In following [Chrome browser] releases, we will continue to extend HTTP warnings, for example, by labelling HTTP pages as “not secure” in Incognito mode, where users may have higher expectations of privacy. Eventually, we plan to label all HTTP pages as non-secure, and change the HTTP security indicator to the red triangle that we use for broken HTTPS.

Firefox say:

To continue to promote the use of HTTPS and properly convey the risks to users, Firefox will eventually display the struck-through lock icon for all pages that don’t use HTTPS, to make clear that they are not secure.

So this means that every webpage on HTTP sites, not just those webpages that contain a login form, will be given a “not secure” label in the future. This will therefore impact on what your visitors see.

In coming months, Google say they will make the alert more prominent too, so it’ll look like this (with a red warning triangle):

Do I have to convert my site to HTTPS?

You’re not being forced to use HTTPS, but the internet is certainly going in the direction of every website being HTTPS in the future. As mentioned above, websites without an SSL certificate are going to become more noticeable as time goes on.

There are many benefits of moving your website to HTTPS, not just security, so check out our HTTPS conversion service for more details.

What are we offering at Primary Image?

Most of our larger clients have already been converted to HTTPS, or it’s included in our Business and Enterprise hosting packages by default.

If you’re on our Personal Plan, we can do the HTTPS conversion work for you for a one-off fixed price, which includes a free SSL certificate.

If you host your website elsewhere, we can also do the conversion work for you – read more about our HTTPS conversion service.