Google has recently released Chrome 56 (latest version), which triggers a ‘Not Secure’ warning for websites that don’t use HTTPS on pages containing password or credit card input fields.
Originally announced in September last year, it is a step towards Google Chrome’s long-term plan of marking all HTTP sites as non-secure. Google considers HTTP pages particularly sensitive because anyone on the network path can read, modify or tamper with an HTTP page before your browser displays it to you.
The ‘Not Secure’ warning for non-HTTPS websites collecting sensitive information appears in Chrome’s address bar and signals that the website is not secure, or even dangerous, for users. It can easily confuse visitors and lead them to assume the website itself has security issues. The warning can also seriously hurt the website’s bounce rate.
It is not surprising that more and more of the web is moving to HTTPS (see the recent Google report on HTTPS adoption among the top 100 sites, which account for approximately 25% of all web traffic). Google, like other companies, is focused on building a secure web for all users, and part of that is having HTTPS everywhere. HTTPS makes it difficult for your ISP, governments, hackers and others to see what you are doing online.
Let’s discuss the Not Secure warning in Chrome in detail and then move on to how you can secure your WordPress websites by moving them to HTTPS. You can skip directly to the section on removing Not Secure warnings in Chrome for WordPress websites.
Table of Contents
- Not Secure Warning in Chrome
- WordPress Websites with HTTPS
- Remove Not Secure Warning in Chrome for WordPress
- Move WordPress Websites to SSL
Not Secure Warning in Chrome
Google has made the Not Secure warning in Chrome simple to understand through a series of announcement posts with further details. Chrome developers have also published an easy guide to help developers debug Not Secure warnings.
The short version is that Chrome will flag your website as Not Secure in the URL bar if your pages contain password fields, credit card input fields or any other sensitive information fields.
Pages with form elements like <input type=password> or credit card information fields will be flagged as Not Secure by Chrome.
This is what the Not Secure warning looks like when the user starts filling in the form.
There are, however, a few less obvious situations in which sites can be flagged with the Not Secure warning.
HTTPS login frame overlay on HTTP pages – Serving a login frame over an HTTP page, even when the frame itself is HTTPS, will also trigger the Not Secure warning.
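As an added illustration (an editor's example, not code from the original post or from Google), here is a small Python checker that mirrors the rules just described: the password-field check, a credit card check, and the case of an HTTPS login frame embedded in an HTTP page. It assumes credit card fields are marked with autocomplete="cc-*"; Chrome also uses field-name heuristics for cards, which this approximation does not model.

```python
from html.parser import HTMLParser

class _SensitiveFieldFinder(HTMLParser):
    """Collect the inputs Chrome 56 treats as sensitive: password fields and
    fields marked as credit card data with autocomplete="cc-*" (assumption:
    Chrome's extra field-name heuristics for cards are not modelled here)."""
    def __init__(self):
        super().__init__()
        self.found = []

    def handle_starttag(self, tag, attrs):
        if tag != "input":
            return
        a = dict(attrs)
        field_type = (a.get("type") or "text").lower()      # <input> defaults to text
        autocomplete = (a.get("autocomplete") or "").lower()
        if field_type == "password":
            self.found.append("password")
        elif autocomplete.startswith("cc-"):
            self.found.append(autocomplete)

def sensitive_fields(html: str) -> list:
    """Return the kinds of sensitive field found in one HTML document."""
    parser = _SensitiveFieldFinder()
    parser.feed(html)
    return parser.found

def chrome56_not_secure(top_scheme: str, frames) -> bool:
    """frames: (scheme, html) pairs for the top-level document and every iframe.
    The warning is attached to the top-level page: if it is HTTP, a sensitive
    field in *any* frame triggers it, even when that frame is itself HTTPS,
    because the HTTP parent could be tampered with before it reaches the user."""
    if top_scheme.lower() == "https":
        return False                      # fully HTTPS page: no warning
    return any(sensitive_fields(html) for _scheme, html in frames)

# Constructed sample documents (not captured from any real site).
LOGIN_FORM = '<form method="post"><input name="log"><input type="password" name="pwd"></form>'
CARD_FORM = '<form><input autocomplete="cc-number" name="card"></form>'
NEWSLETTER = '<form><input type="email" name="email"></form>'

if __name__ == "__main__":
    print(chrome56_not_secure("http", [("http", NEWSLETTER), ("https", LOGIN_FORM)]))
```

Run it against your own templates to list which pages will show the warning before Chrome does.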
Eventual Treatment of HTTP Pages in Chrome
The Not Secure warning, displayed with a grey information icon, is the first part of a bigger Google Chrome plan to discourage plain HTTP.
Eventually, Google Chrome plans to label all non-HTTPS pages with a red Not Secure warning, similar to what you currently see when there are security issues with a website.
This warning will be triggered irrespective of whether your website contains any password or credit card input fields.
A red Not Secure warning is placed over a padlock in the URL bar, making users think there’s something wrong with the security of your website. Learn more about what each security symbol in Chrome means.
Google doesn’t want to implement this immediately, as most of the web is still transitioning to HTTPS and users might become trained to ignore the warning.
If you like to experiment, you can enable this future default now through Chrome’s experimental flags.
Open “chrome://flags” in the Chrome browser, go to the section “mark non-secure as” and select “Always mark non-secure origins as non-secure.”
WordPress Websites with HTTPS
WordPress has also urged its users to move to HTTPS and is, in fact, taking strict measures such as only recommending web hosting companies that offer free SSL certificates to their users.
According to Matt Mullenweg in the State of the Word 2016, only 11.45% of all active WordPress websites use HTTPS. This figure matters because WordPress as a software platform will increasingly offer features only to websites served over HTTPS.
Remove Not Secure Warning in Chrome for WordPress
Naturally, the first step towards avoiding the Not Secure warning in Chrome is to move your website to HTTPS.
Serving all your pages over HTTPS will not trigger any Not Secure warnings and will future-proof your site against the red warning that is ultimately coming for all non-HTTPS websites.
To move your websites to HTTPS, you will need to obtain an SSL certificate for your website.
There are basically three levels of SSL certificate to choose from, depending on your needs – Domain Validation, Organization Validation and Extended Validation.
The cheapest, and often free, way is to get a Domain Validation certificate via Let’s Encrypt (discussed below). For the other levels of validation, you will need to invest in a paid SSL certificate for your website.
Using Free SSL from Let’s Encrypt
Using free SSL from Let’s Encrypt is the easiest, and entirely free, way to move your WordPress website to HTTPS.
Let’s Encrypt is a free, automated and open Certificate Authority that makes it painless to obtain an SSL certificate for your website. Several companies, including Google (Chrome), Mozilla (Firefox), Facebook and Automattic (WordPress.com), have sponsored the project.
Several WordPress hosting companies have enabled support for Let’s Encrypt, making it possible to get an SSL certificate for your website instantly.
For WP Engine users, from your User Portal, go to your install > SSL > Add Certificates > Get Let’s Encrypt.
You can also follow our detailed guide on how to enable free SSL with a Flywheel hosting account.
Cloudflare also provides free shared SSL on its free plan. Many WordPress users use Cloudflare as a free CDN, and it’s essential that pages served over the CDN are also HTTPS.
If you have already signed up for Cloudflare, go to the Crypto page from your dashboard to find the SSL option. Set it to “Full” mode and Cloudflare will start issuing your SSL certificate. The process can take up to 24 hours.
With a free Cloudflare account, the certificate you get is a shared SSL certificate, but it is still a fully valid one.
Paid SSL Certificates for HTTPS With Additional Features
SSL certificates used to be really expensive. With the introduction and wide adoption of free options such as Let’s Encrypt, paid SSL certificate prices have dropped significantly.
Paid SSL certificates do come with additional features, such as a warranty covering your website and a security seal to display.
I am, however, not suggesting that you should opt for paid SSL certificates in any way. It’s just so that you know there are options out there if you need additional features.
If you have an e-commerce website or take payments on your site, it might be worth investing in a paid SSL solution with a higher validation level, such as Organization Validation or Extended Validation. It is, in fact, crucial that you have HTTPS properly enabled on e-commerce websites. Payment processing companies like PayPal and Stripe strictly require a secure SSL connection.
Some of the top paid SSL providers include RapidSSL (the one I use for this website via WP Engine), Symantec, GeoTrust and GoDaddy, among others.
The SSL Store is one of the leading marketplaces for buying certificates from the world’s leading Certification Authorities (CAs), including Symantec, GeoTrust, Thawte, RapidSSL, Certum and Comodo.
You can compare prices and features in one place and buy an SSL certificate at a discounted rate compared to buying directly from the CAs. All certificates come with a Best Price Guarantee and an extended 30-day money-back guarantee.
I also use GoDaddy SSL for some of my websites hosted on GoDaddy WordPress hosting. Prices start from around £40/year, and they also offer a UCC/SAN SSL certificate for around £90/year that lets you share one certificate across up to five websites.
Change Website URLs to HTTPS
After you install SSL on your domain, you will still need to update your website URLs to reflect the new HTTPS URLs.
You will mostly need to do a search and replace of the existing HTTP URLs on your website (use the popular Search & Replace plugin). You can again contact your WordPress host if you need further help.
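The reason a plugin is recommended here rather than a raw database replace is that WordPress stores many option and meta values as PHP-serialized data, where every string carries its byte length (for example s:18:"http://example.com";); swapping http:// for https:// lengthens the string and leaves a stale length that PHP's unserialize() rejects. Added example (an editor's illustration, not the plugin's or WordPress's own code): a serialization-aware replace in Python that fixes those lengths; the example.com URLs and serialized values are constructed.

```python
import re

_STR = re.compile(rb's:(\d+):"')                              # PHP serialized string header
_SER = re.compile(rb'^(?:[aO]:\d+:|s:\d+:"|[idb]:|N;)')       # value looks PHP-serialized

def wp_replace_url(value: str, old: str, new: str) -> str:
    """Replace old with new in one WordPress database value.
    Plain values get an ordinary replace; serialized values are walked using
    the stored byte lengths, so the s:N: header of every changed string is
    recomputed (PHP counts bytes, not characters, hence the UTF-8 encoding)."""
    raw = value.encode("utf-8")
    old_b, new_b = old.encode("utf-8"), new.encode("utf-8")
    if not _SER.match(raw):
        return value.replace(old, new)
    out, i = bytearray(), 0
    while i < len(raw):
        m = _STR.match(raw, i)
        if m:
            n, start = int(m.group(1)), m.end()
            body = raw[start:start + n]             # the old length says where it ends
            if raw[start + n:start + n + 2] == b'";':
                body = body.replace(old_b, new_b)
                out += b's:%d:"%s";' % (len(body), body)
                i = start + n + 2
                continue
        out.append(raw[i])                          # a:, i:, braces etc. copy through
        i += 1
    return out.decode("utf-8")

# Constructed sample: an options row holding an array with two URL strings.
SAMPLE_OPTION = ('a:2:{s:4:"home";s:18:"http://example.com";'
                 's:4:"logo";s:27:"http://example.com/logo.png";}')

if __name__ == "__main__":
    print(wp_replace_url(SAMPLE_OPTION, "http://example.com", "https://example.com"))
```

WP-CLI's wp search-replace and the plugin mentioned above perform the same length adjustment; a plain SQL REPLACE() on wp_options does not.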
Move WordPress Websites to SSL
To sum up, like any other website, a WordPress website containing password or credit card input fields will trigger the Not Secure warning in the Chrome browser.
This mainly includes the WP login page, and if you allow users to log in to your WordPress website, they might easily think its security has been compromised when they see Chrome’s Not Secure flag.
As discussed earlier, many WordPress hosting companies now provide free SSL with Let’s Encrypt, making it easier and simpler to implement. Start by searching your WordPress host’s documentation or contacting them directly to see how you can enable SSL.
HTTPS is definitely where the web is heading, so make sure your websites comply and contribute to making the web a secure place.
Have you moved your WordPress website to HTTPS yet? Let us know your thoughts on Chrome’s Not Secure warning in the comments below.