← Back to Blog

Technical SEO

HTTPS & Site Security: The Padlock Isn’t Optional (Neither Is This Article)

Gather round. Subu needs to tell you about the website that was actively warning users away from itself.

A client came to me — decent brand, real products, proper marketing budget — and their traffic had been flatlined for months. I opened the site in Chrome. Right there in the browser bar, next to the URL, in letters that couldn’t be more visible if they were flashing: “Not Secure.”

Every single page. Every visit. Chrome was announcing to anyone who arrived that this website might not be safe to interact with.

The site was running on HTTP. Not HTTPS. The SSL certificate had expired fourteen months ago and nobody had noticed because nobody had been looking.

Fourteen months of Chrome telling their visitors: be careful here.

Google confirmed HTTPS as a ranking signal in 2014. That was twelve years ago. In 2026, running HTTP is not a technical oversight — it’s a statement that you’re not paying attention.

HTTP vs HTTPS — What’s Actually Different?

HTTP (HyperText Transfer Protocol) — data travels between the user’s browser and your server in plain text. Anyone positioned between the user and the server — an ISP, someone on the same Wi-Fi network, a malicious middleman — can theoretically read, intercept, or modify that data in transit.

HTTPS (HTTP Secure) — same protocol, but with an SSL/TLS encryption layer. Data is encrypted in transit. The same interception is now computationally useless without the decryption key. The padlock appears. Chrome doesn’t warn anyone away.

For a blog where users only read content, the practical risk of HTTP might seem low. But for any page with a form — a contact form, a search bar, an email signup, a checkout — data submitted over HTTP is transmitted unencrypted. For login pages and payment pages, running HTTP is not a best practice failure. It’s an active security liability.


Why HTTPS Is a Ranking Signal

Google announced HTTPS as a ranking signal in August 2014. At the time, it was described as a “lightweight” signal — a tiebreaker rather than a primary factor.

In the years since, the weighting has increased as HTTPS adoption has grown. Google now strongly prefers HTTPS across the board, and its crawlers default to crawling HTTPS versions of URLs. When Google discovers both HTTP and HTTPS versions of a site, it will typically canonicalise to the HTTPS version — but only if the HTTP version properly redirects to it.

The ranking signal works in both directions: HTTPS gets a small positive signal, and HTTP increasingly gets treated as a quality concern — especially combined with Chrome’s “Not Secure” warning, which damages user trust signals like bounce rate and session duration that Google also tracks.


What “Not Secure” Does to Your Traffic

Chrome holds approximately 65% of global browser market share. When Chrome displays “Not Secure” in the address bar, two things happen:

First, users see it. Maybe not every user, maybe not consciously — but Chrome has been making the warning increasingly prominent. For any form or login page, Chrome specifically warns “Your connection to this site is not private” in a full interstitial. Users who see that either leave immediately or proceed with deep scepticism.

Second, it signals to users — correctly — that this website hasn’t bothered with basic web standards from 2014. Trust is eroded before a user reads a single word of content.

The bounce rate impact of the “Not Secure” warning on form pages and checkout flows is severe. And bounce rate, session duration, and user engagement metrics — while not direct ranking factors — paint a picture of user satisfaction that Google absolutely observes.


SSL Certificates — What You Need to Know

An SSL certificate is what enables HTTPS. It’s issued by a Certificate Authority (CA), installed on your server, and tells browsers: “This is a verified, encrypted connection to the site you intended to visit.”

Types you’ll encounter:

  • Domain Validated (DV) — the basic padlock. Confirms the certificate holder controls the domain. Sufficient for most websites. Free via Let’s Encrypt.
  • Organisation Validated (OV) — verifies the organisation’s identity in addition to domain control. Shown in certificate details. Used by businesses and organisations where credibility matters.
  • Extended Validation (EV) — the most thorough verification. Used by banks and financial institutions. Browsers used to show the company name in green — most have since removed this visual distinction.

Let’s Encrypt — a free, automated Certificate Authority that issues DV certificates. Used by hundreds of millions of websites. Most managed hosting providers (Cloudflare, SiteGround, Kinsta, WP Engine) offer one-click Let’s Encrypt installation. There is no excuse for running HTTP on a managed hosting platform in 2026.

Certificate expiry — SSL certificates expire. Usually after 90 days (Let’s Encrypt) or 1–2 years (paid certificates). Expiry is fully automatable with modern hosting. But if your auto-renewal fails silently and nobody checks — see the story at the top of this article.

Set a calendar reminder. Check your certificate expiry date. Or use a monitoring tool that alerts you before it expires.


Mixed Content — The HTTPS Problem Nobody Talks About

You’ve installed your SSL certificate. Your site is on HTTPS. The padlock is there. You’re done, right?

Not if you have mixed content.

Mixed content happens when your HTTPS page loads resources — images, scripts, stylesheets, iframes — over HTTP. The page itself is secure, but it’s pulling in assets over an insecure connection. Browsers flag this. Some block it entirely.

Active mixed content (scripts, stylesheets, iframes loaded over HTTP) — browsers block this by default. Your page’s JavaScript or CSS fails to load. Things break visibly and confusingly.

Passive mixed content (images, audio, video loaded over HTTP) — browsers display a warning. The padlock changes to indicate “secure with warnings.” Not the clean padlock you want.

How it happens: you migrated from HTTP to HTTPS but hardcoded HTTP URLs remain in your content, your theme templates, your database, or your plugin configurations. The page is HTTPS but the image src still says http://yoursite.com/image.png.

How to fix it: run your site through a mixed content checker (the browser console is the quickest — open DevTools → Console and look for mixed content warnings). In WordPress, the Really Simple SSL plugin catches most of these. For others, a database search-and-replace for http://yoursite.com → https://yoursite.com handles the majority of cases.


Security Beyond the Padlock

HTTPS is the baseline. A secure website in 2026 also considers:

Security headers — HTTP response headers that instruct browsers on how to handle your content securely:

  • Strict-Transport-Security (HSTS) — tells browsers to always use HTTPS for your domain, even if someone types HTTP
  • Content-Security-Policy — controls what resources can be loaded on your page, preventing cross-site scripting attacks
  • X-Frame-Options — prevents your pages from being embedded in iframes on other sites (clickjacking protection)

Check your headers at securityheaders.com. It’s free and takes thirty seconds.

Malware and hacked content — if your site gets compromised and starts serving malware, injecting spam links, or redirecting users to scam pages, Google will flag it. Users will see a full-page warning before entering your site. You’ll be deindexed from search results.

Google Search Console’s Security Issues report alerts you if Google detects hacked content on your site. Check it. Set up email alerts. Don’t be the website owner who finds out their site has been serving malware for six weeks because a client mentioned it over email.

Keeping WordPress and plugins updated — the vast majority of WordPress hacks exploit known vulnerabilities in outdated plugins and themes. This is not a dramatic, sophisticated attack. It’s automated scripts testing for known weaknesses in software versions from 2022. Update everything. Remove unused plugins. Use two-factor authentication on admin accounts.


How to Check Your HTTPS Status

Your browser — load your homepage in Chrome. Look at the address bar. Padlock = good. “Not Secure” = fix this today.

SSL Labs (ssllabs.com/ssltest/) — enter your domain and get a detailed SSL certificate analysis including grade (A+ to F), expiry date, protocol support, and any configuration issues. Free and authoritative.

Google Search Console → Security Issues — shows whether Google has detected any security problems on your site, including hacked content and malware.

Mixed content: browser DevTools — open any page → right-click → Inspect → Console tab → look for mixed content warnings. Fix each URL flagged.

Certificate expiry monitoring — set up uptime monitoring with SSL certificate expiry alerts. UptimeRobot has a free tier that handles this. Get an email 30 days before your certificate expires. Fourteen-month lapses happen when nobody is watching.


How to Migrate from HTTP to HTTPS

If you’re still on HTTP — here’s the process. Do it in this order.

Step 1: Get your SSL certificate
Use your hosting provider’s built-in SSL (most offer free Let’s Encrypt installation). One-click setup on Cloudflare, SiteGround, Kinsta, WP Engine, and most modern hosts.

Step 2: Update your WordPress address settings
Settings → General → update both WordPress Address and Site Address from http:// to https://

Step 3: Set up 301 redirects from HTTP to HTTPS
Every HTTP URL must permanently redirect to its HTTPS equivalent. In Apache .htaccess:

textRewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

Most hosting panels and plugins (Really Simple SSL) handle this automatically.

Step 4: Fix mixed content
Run a search-and-replace on your database to update all hardcoded HTTP URLs. Use a plugin like Better Search Replace in WordPress.

Step 5: Update Google Search Console and Google Analytics
Add your HTTPS site as a new property in Search Console. Update your Analytics property URL. Update your sitemap URL to HTTPS.

Step 6: Submit updated sitemap
Your sitemap URL should now be https://yoursite.com/sitemap.xml. Submit it fresh in the new HTTPS Search Console property.


The TL;DR

  • HTTPS encrypts data between your server and your users — HTTP does not
  • Google confirmed HTTPS as a ranking signal in 2014; running HTTP in 2026 is a ranking disadvantage and a trust problem
  • Chrome’s “Not Secure” warning actively deters users from engaging with HTTP pages
  • SSL certificates are free via Let’s Encrypt — there is no cost barrier to HTTPS in 2026
  • Mixed content (HTTP assets on HTTPS pages) triggers browser warnings even with a certificate installed — audit and fix with DevTools or Really Simple SSL
  • Monitor certificate expiry — automated alerts prevent the fourteen-month “Not Secure” disaster
  • Security extends beyond HTTPS: keep WordPress updated, check Security headers, monitor for hacked content in Search Console

The padlock is the minimum. Not the goal line.

Running into HTTPS migration issues or weird mixed content errors you can’t track down? Leave a comment. Subu has migrated dozens of sites and the errors are almost always the same three things.

— Subu, SEO by Subu

Subu Avatar

Written by the human behind Subu

(Usually typed between panic attacks and client calls)

  • Job: SEO Consultant, Comic Creator, and Content Writer
  • Diet: 90% Caffeine, 10% Panic
  • Mission: Fixing the internet's broken architecture, one ranking drop at a time.

If you need your traffic rescued, Hire the Human.

Need help with your SEO?

Book a project and get implementation-grade recommendations.

Hire Subu
Jump to section