Click here to sign up for my free Rick’s Tech Tips Newsletter!
Question from Carol: I have a blog and my web host recently installed a free Let’s Encrypt security certificate on it for me.
When I try to access the blog with https: in the URL instead of http: Chrome displays a warning that the site is insecure.
The strange thing is this doesn’t happen on every page, just on some pages (including the Home page). The rest of the pages are marked as secure.
I sent my web host a message a couple of days ago and another one last night asking what the problem could be but so far I haven’t heard back from them.
Do you have any idea what could be causing Chrome to flag my blog as being insecure?
Rick’s answer: Carol, this issue typically occurs when a “secure” page is calling one or more resource files (i.e. images, CSS files, Javascript files or some other type of external content) from an insecure URL.
In most cases, the problem resource is being called from a URL that begins with http: instead of https:.
Every resource call on a secure web page must be called from a secure https: URL or you won’t get the padlock in the address bar and the browser will flag the page as being insecure.
Just one insecure resource call will result in the entire page being marked as insecure.
This situation is referred to as a “Mixed Content” issue and the exact cause(s) of this issue can be very difficult to track down and fix without a little help.
Luckily, that help is readily available via an amazing free online tool called “Why No Padlock?“.
Using “Why No Padlock?” is easy. Simply follow the steps below:
1 – Visit https://www.whynopadlock.com with your preferred web browser.
2 – Type (or copy and paste) your blog’s URL into the “Secure Address” box.
3 – Check the box to prove that you’re a human instead of a robot.
4 – Click the Test Page button.
The tool will now run a test on your page to track down and identify any insecure resource calls or other types of issues that could be causing the page to fail the security test.
After the test is complete (which could take anywhere from several seconds to several minutes) you’ll see a list of all the issues that were found printed on the screen.
If your blog is typical most or all of the issues found will be resources that are being called from insecure http: pages.
Luckily, those are usually very easy to fix simply by finding those URLs in the page’s source code and changing the http: part of the URL to https:.
Of course that will only work if the page the flagged resource is being called from is actually encrypted (i.e. secure) itself.
If you need help with making the needed change(s) your web host might be able to help. If not, you might need to hire a pro to help you fix the issue(s).
I hope this helps, Carol. Good luck!
Cick here to ask me a tech question.