Pull up your website right now. Look at the address bar — the place where your URL is. What do you see next to it?
If there's a little padlock icon, you're fine. Keep reading anyway, because there's more to it than the lock.
If there's no padlock — or worse, if it says "Not Secure" in plain text right next to your web address — every single person who visits your site sees that too. Every potential customer. Every person who clicked your Google listing. Every referral who typed your URL into their phone.
They see the words "Not Secure" before they see anything you've built.
What that warning actually means
The "Not Secure" warning doesn't mean your website has been hacked. It doesn't mean someone is stealing your data right now. It doesn't mean your site has a virus.
It means your website doesn't have an SSL certificate — a small piece of technology that encrypts the connection between your site and the person visiting it. Without it, any information someone types into your site — a contact form, an email address, a phone number — travels across the internet in plain text. Readable by anyone who knows how to look.
The simplest way to tell: look at your web address. If it starts with https:// — that "s" stands for "secure" — you have SSL. If it starts with http:// without the "s," you don't. And every modern browser will flag it.
Google Chrome started showing the "Not Secure" warning years ago. Firefox, Safari, and Edge followed. It's not new. But a surprising number of small business websites — especially ones built a few years ago or done on the cheap — still don't have it.
Why this matters for your business (not just your website)
There are three reasons this matters, and only one of them is about actual security.
It kills trust instantly. A customer searches for your service, finds your website, and the first thing they see is a browser warning telling them the site isn't secure. Most people don't know what SSL means. They don't know the difference between "not encrypted" and "not safe." They just see the word "Not Secure" and hit the back button. You lost a lead and you never knew it.
Google uses it as a ranking signal. HTTPS — the secure version of your website — is a confirmed ranking factor. Google prefers to show secure websites in search results. If your competitor has SSL and you don't, that's one more thing tilting the results in their direction. It's not the biggest ranking factor, but it's the easiest one to fix.
It blocks modern features. Some browsers restrict what insecure websites can do. Forms on HTTP sites may trigger extra warnings. Some payment processors won't work without HTTPS. And if you ever want to run Google Ads, your landing pages need to be secure.
SSL isn't an upgrade. It's the floor. It's the minimum standard for any website in 2026.
Wondering if this applies to your site?
A $500 SEO Health Check gives you a clear, prioritised action plan — tailored to your business. No jargon. No contracts.
What "Not Secure" costs you: the trust hit nobody talks about
The technical fix for the "Not Secure" warning is well-documented (install an SSL certificate). What's not well-documented is what the warning actually does to your business while it's still showing.
Most analytics platforms don't capture this directly. You won't see a line item in Google Analytics that says "lost conversions due to security warning." But the data you can find suggests it's significant.
Studies on form abandonment consistently show drop-offs of 15-30% on pages flagged as not secure, with the largest impact on forms asking for any kind of personal information — contact details, email signups, payment info. For a service business that depends on contact form submissions, that's the difference between getting 7 leads a week and getting 10. Across a year, you're losing dozens of potential clients to a fix that takes an afternoon.
The harder-to-measure part is reputation. A first-time visitor who lands on a "Not Secure" page may not just bounce — they may also assume your business is sloppy, outdated, or not actively maintained. They might mention it to someone. They probably won't mention you positively. For a small local business that depends on referral and trust, this kind of soft damage compounds.
There's also the SEO cost. Google has flagged HTTPS as a ranking signal since 2014. The lift from going secure isn't massive on its own, but combined with the bounce-rate damage from visitors who turn around at the warning, it's a double penalty. Your competitors with SSL look more professional, get more conversions, and rank slightly higher. Three small disadvantages stack into a real one.
The math is simple. If your site is converting at 2% and you fix the security warning to recover 20% of abandoned visitors, you don't get a 20% lift in revenue — you might get a 50% lift, because the people who didn't bounce were the ones most ready to buy. Securing your site is one of the few SEO tasks where the technical effort is small, the cost is fixed (often free with most hosts), and the recovered revenue starts the same week.
How to check if your site is secure
Two ways, both take about five seconds:
Look at the URL bar in your browser when your site is open. If you see a padlock icon or the URL starts with https://, you have SSL. If you see "Not Secure" or the URL starts with http://, you don't.
Or type your full website URL into Google — https://yourdomain.com. If the page loads normally with the padlock, SSL is active. If it redirects to http:// or throws an error, it's not set up correctly.
If your site loads with https:// on some pages but http:// on others, you have what's called "mixed content" — partially secure, which browsers still flag as a problem.
How to fix it
Here's the good news: this is usually one of the cheapest, easiest fixes in all of web maintenance.
If you're on a modern hosting provider — SiteGround, GoDaddy, Bluehost, Squarespace, Wix, Shopify — most of them include a free SSL certificate and will turn it on with a single click. Log into your hosting dashboard, look for an "SSL" or "Security" section, and flip it on. Some hosts do this automatically for new sites.
If you have a developer or someone managing your site, send them this article and ask them to enable SSL and force HTTPS across all pages. This should take them less than an hour. If they quote you hundreds of dollars for it, get a second opinion.
If your SSL was active but expired, that's usually an auto-renewal that failed. Your host can reissue the certificate. It happens — but it needs to be fixed immediately because an expired certificate actually looks worse than no certificate at all. Browsers show a full-page warning that many users won't click past.
After SSL is enabled, there's one more step most people miss: making sure your entire site redirects from http:// to https://. Without this redirect, your old URLs still exist in their insecure form, and some visitors (or Google) might land on the wrong version. Your developer or host can set this up with a simple rule — it's a one-time fix.
"My website developer set up SSL already — am I good?"
Maybe. Here's how to double-check:
Visit your homepage. Look for the padlock. Then visit your contact page, your services page, and any other page on your site. If all of them show the padlock, you're set. If even one doesn't — or if clicking the padlock shows any warnings about "not fully secure" resources — something is misconfigured.
The most common issue is mixed content: your site loads securely, but one image, one script, or one embedded widget is still pulling from an http:// source. That's enough to break the padlock on the entire page. It's a five-minute fix for anyone who knows what they're looking at — but it's invisible to you unless you check.
This is a baseline, not a bonus
SSL isn't an upgrade. It's the floor. It's the minimum standard for any website in 2026. Every legitimate hosting provider offers it — most of them for free. Every browser expects it. Google rewards it. And your customers, whether they know the technical term or not, absolutely notice when it's missing.
If your website doesn't have it, that's the first thing to fix before you worry about title tags, content, or rankings. Because none of that matters if people bounce before they read a single word.
And if you're not sure what else might be off — beyond the SSL — that's what the SEO Health Check is for. I look at the full picture: your security, your Google Business Profile, your technical visibility, your content, and your local presence. All of it, in plain English.
→ Learn about the SEO Health Check
FAQ
Does "Not Secure" mean my website has been hacked?
No. It means your site doesn't have SSL encryption — the technology that protects data between your website and your visitor's browser. It's a setup issue, not a security breach. Your site content is fine; the connection just isn't encrypted.
Does SSL affect my Google rankings?
Yes. Google confirmed HTTPS as a ranking signal. It's not the strongest factor, but it's one of the easiest to fix. More importantly, the "Not Secure" warning increases your bounce rate — and bounce rate can indirectly hurt your rankings.
Do I need to pay for an SSL certificate?
Usually not. Most modern hosting providers include free SSL certificates through services like Let's Encrypt. Free certificates provide the same level of encryption as paid ones. Paid certificates add extras like warranties and extended validation badges, which most small businesses don't need.
Will I lose my Google rankings when switching to HTTPS?
You might see a brief fluctuation as Google processes the URL change. With proper redirects from http:// to https://, rankings typically stabilize within a few weeks and often improve. The long-term effect is positive.
How do I know if my SSL is working correctly?
Visit your website and look for the padlock icon in the address bar. Click it — your browser should say the connection is secure. If you see any warnings about "not fully secure" or mixed content, something on the page is still loading over HTTP and needs to be fixed.