If your browser shows a 'Not Secure' warning or a broken padlock even after installing SSL, here is how to fix it.
Cause 1: Mixed Content (Most Common)
Mixed content means your page loads over https:// but some resources (images, scripts, CSS files) are still loaded via http://. This breaks the padlock.
How to Check for Mixed Content
- In Chrome: right-click > Inspect > Console tab. Look for 'Mixed Content' warnings.
- Use whynopadlock.com — enter your domain and it will list all insecure resources.
Fix for WordPress Sites
- Install the Really Simple SSL plugin from the WordPress plugin directory.
- Activate it and click Go ahead, activate SSL!
- The plugin automatically updates your WordPress URLs and fixes mixed content.
Fix Manually in the Database
- In cPanel, open phpMyAdmin and select your WordPress database.
- Click SQL and run this search-replace query:
UPDATE wp_posts SET post_content = REPLACE(post_content, 'http://yourdomain.com', 'https://yourdomain.com');
- Also update the options table:
UPDATE wp_options SET option_value = REPLACE(option_value, 'http://yourdomain.com', 'https://yourdomain.com');
Cause 2: SSL Certificate Not Installed
If SSL was not installed at all, see How to Install a Free Let's Encrypt SSL Certificate (SEC-01).
Cause 3: Expired SSL Certificate
cPanel's AutoSSL renews certificates automatically, but if it failed, run AutoSSL manually (cPanel > SSL/TLS Status > Run AutoSSL).
Cause 4: HTTP Not Redirecting to HTTPS
If visitors can still access your site on http://, add a redirect. See How to Force HTTPS on Your Website (SEC-02).
