A missing or misconfigured SSL certificate is one of the most damaging — and most overlooked — technical issues a website can have. It actively deters visitors before they read a single word of content, and it can cause prospective clients (and even agency partners) to dismiss the site as a scam.
When a site lacks a valid SSL certificate, or when it has an SSL certificate but serves mixed content (a combination of secure https:// and insecure http:// resources), browsers display a "Not Secure" warning in the address bar. Depending on the browser and its security settings, visitors may see:
These warnings signal unreliability and potential malice — regardless of how professional the site looks beneath them.
The SSL warning creates a conversion barrier at the very top of the funnel, before any messaging, imagery, or calls to action have a chance to work:
A site can have a valid SSL certificate and still display "Not Secure" warnings. This happens when the page loads some resources (images, scripts, stylesheets) over http:// rather than https://. Browsers treat this as mixed content and flag the page as insecure even though the certificate itself is valid.
This is a common state for older WordPress sites or sites that have been migrated to HTTPS without a full audit of embedded resource URLs.
Symptoms:
- SSL certificate shows as valid in browser inspection
- Page still shows "Not Secure" or a partial security indicator
- Browser console shows mixed content errors
| Step | Description | Effort |
|---|---|---|
| Audit mixed content | Use browser dev tools or a tool like Why No Padlock to identify insecure resource URLs | Low |
| Update resource URLs | Replace all http:// references in content, theme files, and database with https:// | Low–Medium |
| Force HTTPS at server level | Add redirect rules in .htaccess or server config to redirect all HTTP traffic to HTTPS | Low |
| Install/renew SSL certificate | If no certificate exists, install one via the hosting provider (Let's Encrypt is free) | Low |
| Verify in WordPress | If using WordPress, plugins like "Really Simple SSL" can automate the mixed-content fix | Low |
Time to fix: Typically under one hour for a competent developer with hosting/WordPress access.
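The audit step from the table can also be scripted. The following is an added example, not part of the original page: a Python scanner that parses a page's HTML and lists subresources referenced over http://, separating active content (scripts, stylesheets, frames) from passive content (images, media). The sample page and its example.com hosts are constructed.

```python
from html.parser import HTMLParser

# Attributes that make the browser fetch a subresource, grouped by how
# browsers classify them. Plain <a href> links are navigation, not mixed content.
ACTIVE = {("script", "src"), ("iframe", "src"), ("embed", "src"), ("object", "data")}
PASSIVE = {("img", "src"), ("audio", "src"), ("video", "src"),
           ("video", "poster"), ("source", "src")}

class MixedContentAuditor(HTMLParser):
    """Collects subresources an HTTPS page would request over plain http://."""
    def __init__(self):
        super().__init__()
        self.findings = []  # (line, kind, tag, url)

    def handle_starttag(self, tag, attrs):
        attrs = {k: (v or "") for k, v in attrs}
        rel = attrs.get("rel", "").lower().split()
        for name, value in attrs.items():
            url = value.strip()
            if not url.lower().startswith("http://"):
                continue  # https://, relative and protocol-relative URLs are fine
            is_stylesheet = tag == "link" and name == "href" and "stylesheet" in rel
            if (tag, name) in ACTIVE or is_stylesheet:
                kind = "active"
            elif (tag, name) in PASSIVE:
                kind = "passive"
            else:
                continue  # e.g. <a href> or <link rel="canonical">
            self.findings.append((self.getpos()[0], kind, tag, url))

def audit(html):
    """Return a list of (line, kind, tag, url) for every insecure subresource."""
    auditor = MixedContentAuditor()
    auditor.feed(html)
    auditor.close()
    return auditor.findings

# Constructed sample page (example.com / example.org hosts are placeholders).
SAMPLE = """<html><head>
<link rel="stylesheet" href="http://cdn.example.com/theme.css">
<link rel="canonical" href="http://www.example.com/">
<script src="https://cdn.example.com/app.js"></script>
</head><body>
<img src="http://www.example.com/wp-content/uploads/logo.png">
<img src="/wp-content/uploads/hero.jpg">
<a href="http://partner.example.org/">Partner</a>
</body></html>"""

if __name__ == "__main__":
    for line, kind, tag, url in audit(SAMPLE):
        print(f"line {line}: {kind:7} <{tag}> {url}")
```

The scanner only sees URLs present in the HTML it is given; resources pulled in by CSS or injected by scripts still need the browser console check listed under Symptoms.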
This issue should be treated as a critical blocker — higher priority than any content, SEO, or advertising work. There is no point driving paid traffic to a site that browsers flag as insecure. Fix SSL before launching or optimizing any campaigns.
During an agency evaluation meeting, [2] discovered their site was displaying "Not Secure" warnings due to mixed content — despite having a valid SSL certificate. Neither the client nor their current SEO agency had noticed. The issue was identified by the prospective agency (AAG) during a live website review.
Immediate action taken: Anthemium's owners were advised to contact their current agency (Tony) to resolve the mixed-content issue. AAG offered to fix it at no charge if the current agency could not, requiring only WordPress and hosting credentials.
"When I clicked on your website, I got this warning, and so I wasn't sure that you were real."
— Mark Hope, AAG, describing his first encounter with Anthemium's website