"Not Secure" warning


(tim schultz) #1

I have a couple of questions about “not secure” warning.

Whenever someone comes to my website they are presented with a “not secure” warning. Other than just making users nervous does this warning cause anything else to happen?

Would a warning like this actually cause someone’s browser to reject the page and make it not openable?


(scott williams) #2

it could, and it also has an effect on your page rankings in Google. With free SSL certificates, now there really is no excuse not to have secure web pages.


(Rob D) #3

I agree with Scott.

I just want to add that in our present reality, in which digital gangsters become more and more of a threat to all website creators and all website users, it is a natural and very welcomed trend among browser creators to implement a slew of security measures. This trend will only add tighter security measures with time. So, at some point, your unsecured website may become completely unreachable in some/all browsers.

So, you should definitely get a SSL/TLS certificate (for example, from Let’s Encrypt), as the first step to make your site hacker-proof. Next, you should implement a series of security and integrity rules in your .htaccess file.


(LJ) #4

100% agree with Scott and Rob. You need to deal with this, and fortunately pretty easy and free these days. Any decent host will offer free basic SSL certificates - if yours doesn’t, find one that does. Your host should also install it for you.

Once done you should ‘force’ https in your htaccess file to make sure all versions of your website (www, non www, http and https all resolve to the secure version. If you need any help just shout.


(Joe Workman) #5

Check out…


(Tom Murray) #6

For you guys that are deeply into this on a regular basis, it may seem simple. But for me as an ordinary person, it is too complicated.


(Dave Farrants) #7

@TomM Sorry but that’s a head in the sand attitude. If you have a website, very soon it’ll show on all browsers as insecure and scare visitors away. There are many posts on here about HTTPS, most ISP’s offer HTTPS for free and some even offer a simple checkbox to implement it (I use one.com, HTTPS is free and a checkbox on the Control Panel to turn it on). You’ll also need an HTACCESS file, again many posts on here on how to do it. I’m a latecomer to website production ( I’m now an OAP!) and run 12 sites for various church and charity organisations. Yes, it was a bit difficult to understand at first but there is more than enough info on here and the web to help you.


(tim schultz) #8

Thanks guys. Will pay attention to this soon.


(Tom Murray) #9

Not head in the sand just hard to understand esoteric information.
So I emailed my host ( GlobalHost) about a SSL certificate. They wrote back to offer an SSL certificate for $100 a year. A few minutes later another person wrote to say that they have installed a certificate for free from Let’s Encrypt.
So I guess that part is done although I have not seen or uploaded a certificate file.

I don’t see a .htaccess file or C panel on the sever.
But I have found this code if I can figure out where to put it.


(Don H) #10

Okay, let’s take things a step at a time. The first thing to do is verify that your website will now load if you go to https:// instead of http://. If so, then you know that the SSL certificate is installed correctly.

The next thing to do would be to make sure that when it loads, you see the padlock icon in the browser address bar. If not, post back here and we’ll offer more specific advice on this part.

After those are checked and good, then you should change your website address in RW to be https:// and republish all files.

The final step will be to force all users to the SSL version. We can get to that once the above is done.

If you want to post a link to your website, we’ll be able to help you check things with you and offer better help.

Don’t get discouraged. If you get stuck at any steps, just post back here. There are plenty of users who will help guide you in the right direction.


(Tom Murray) #11

The padlock appears using this address:
https://www.janehamiltonfineart.com

Will republishing all files under these circumstances interrupt the site access?
Because the business is using the site during the day.


(Don H) #12

It shouldn’t. If you feel more comfortable, you can wait and re-publish later tonight.

Once that’s done, you’ll just need to add redirect commands to htaccess, so that anyone who goes to http:// gets redirected to https:// @teefers as posted a lot of useful information on redirecting to SSL. Here’s one of his posts with code that should work for you. You’ll need to past that code into an .htaccess file. This can be done in your hosting control panel or through RW. I always use my host’s control panel.


(Tom Murray) #13

I will change the website address under the RW publishing tab to https, then republish all files.

The host seems to think that the redirect is taken care of on their end.
See the attachment from the site’s hosting page.


(Don H) #14

It does not appear to redirect. If you go to the plain http:// link, you end up at the site with the not secure warning. Below is the non-ssl link. It should redirect you to the ssl version and it does not. You could ask their support to look into that.

http://www.janehamiltonfineart.com

edit: btw, you’re almost there. Good job!


(Tom Murray) #15

I am getting the redirect. But Firefox and Chrome think there are some unsecure scripts.

Edit: I think it’s a page where I imported a weather website.


(Don H) #16

It’s now redirecting for me.

You probably need to make a change to the code that imports the weather. Anything loaded on a https site should be loaded via https. Check the code that loads the scripts. You probably just need to change http:// to https:/.

If you don’t find the code, let us know what page it’s on, and I’ll take a look.


(Tom Murray) #17

You are correct but I decided to just delete the page.
I would have undertaken this security install before now, had I known that the hosting provider would basically do it for me.
Thank you for the guidance.


(stewart lyman) #18

My company gave me a discounted SSL certificate for the first year, but they hit me up for a $40 set up fee, as well as a $50 per year fee afterwards. Who gives free certificates? I’m only paying $50/year to have them host two websites. Does this pricing sound reasonable? Thanks!


(Mathew Mitchell) #19

This seems unreasonable to me. My host is $30 per year, very good service, free SSL certificate, free set up fee, etc. Nor is my hosting company unique in that way. Unfortunately the company I use is for academic institutions and academics only. But others can surely chime in here on their recommendations.

https://www.chillidoghosting.com is one company several using RW use. But there are others also.


(Doug Bennett) #20

Who doesn’t anymore heres a few to start shopping