
Why is my website shown as insecure despite having an SSL certificate?

By implementing an SSL certificate, you encrypt the connection to your website and signal to visitors that it is secure. In addition, the presence of an SSL certificate has a significant influence on the ranking of websites in search engines.


In this article, we explain why a website may be categorised as "insecure" by the browser despite the use of an SSL certificate and what measures you can take to improve this situation.


I can't use my certificate - why is that?

If you use a specific DNS configuration, such as a name server record (NS record), the domain automatically retrieves predefined settings from another server. However, if you would like to use the STRATO certificate instead, you can customise your DNS configuration via your customer login:

→ Which DNS records are available at STRATO and how can I manage them?

You have the option of resetting the existing settings and making new ones. Please note that these settings have probably been set for a reason and may affect the operation of your website and/or other services.

Why is my website still shown as insecure?

If your website is still shown as "not secure" in the web browser after activating, assigning and possibly forcing the SSL certificate, then you are probably using mixed website content ("Mixed Content"). This means that you have integrated content from sources that are not secured via https. This can be passive content such as images, audio, video files or active content that influences the website, e.g. links, CSS files, scripts and other content from other sources.

Theoretically, the HTTP and HTTPS variants are two different websites.

Identify Mixed content

To identify the content that is still integrated via http://, you can, for example, right-click on your website, select "Show page source text" and search for "http" using the key combination CTRL+F5. The developer mode of the web browser (usually via the F12 key) can also be helpful here. You can often determine which content is still using the http:// path in the developer tool under the "Network" section based on the information in the "Scheme" column or the specified path.

You can also use the online tool Why No Padlock to check which content is affected.

Handling Mixed content

You can fix mixed content by replacing all paths beginning with http:// with https://. For local file links, it is best to use relative references ("/file.jpg" instead of "http://www.domain.com/folder/picture.jpg"). These adjustments can either be made manually in an editor (e.g. Notepad++) or with the help of a plugin in the respective CMS (e.g. WordPress, Joomla & Co.).

The problem of "mixed content" is solved as soon as all content on your website is integrated via https://. Fully encrypted delivery of all website content via HTTPS can be recognised by the green lock in the browser address bar.
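
As an added example (not part of the original article and not a STRATO tool), the following Python script automates the manual search described under "Identify Mixed content" and proposes the replacements described under "Handling Mixed content". The host www.domain.com, the sample markup and all function names are assumptions made for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

PASSIVE = {"img", "audio", "video", "source"}  # displayed media
ACTIVE = {"script", "iframe", "link"}          # can change the page itself

class MixedContentScanner(HTMLParser):
    """Collect subresources an HTTPS page would still load over http://."""
    def __init__(self, own_host):
        super().__init__()
        self.own_host = own_host.lower()
        self.findings = []  # (line, tag, kind, url, suggested replacement)

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag not in PASSIVE | ACTIVE:
            return  # e.g. <a href> is navigation, not an embedded resource
        if tag == "link" and "stylesheet" not in (attrs.get("rel") or "").lower():
            return  # rel="canonical" etc. is metadata, nothing is fetched
        url = (attrs.get("href" if tag == "link" else "src") or "").strip()
        if not url.lower().startswith("http://"):
            return  # https:// and relative references are fine
        kind = "active" if tag in ACTIVE else "passive"
        self.findings.append((self.getpos()[0], tag, kind, url, self.suggest(url)))

    def suggest(self, url):
        parts = urlsplit(url)
        if (parts.hostname or "") == self.own_host:
            # Own files: relative reference, as the article recommends
            return (parts.path or "/") + ("?" + parts.query if parts.query else "")
        return "https://" + url[len("http://"):]

def scan(html, own_host):
    scanner = MixedContentScanner(own_host)
    scanner.feed(html)
    return scanner.findings

# Constructed sample markup (not taken from a real site)
SAMPLE = """<link rel="stylesheet" href="http://www.domain.com/css/site.css">
<link rel="canonical" href="http://www.domain.com/">
<script src="http://cdn.example.net/lib.js"></script>
<img src="http://www.domain.com/folder/picture.jpg">
<a href="http://www.example.org/">external link</a>"""

if __name__ == "__main__":
    for finding in scan(SAMPLE, "www.domain.com"):
        print(*finding, sep="  ")
```

A suggested https:// replacement for an external host only helps if that host actually serves the file over HTTPS; otherwise the content has to be removed or hosted elsewhere.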


Activating SSL (HTTPS) in WordPress
Web applications such as WordPress also use absolute path specifications, which can be customised using the WordPress settings or plugins (e.g. Better Search Replace).

Open the admin area of your WordPress and go to Settings > General. There, simply add the "s" to http in the WordPress address (URL) and Website address (URL) fields. Save the change.


Activating SSL (HTTPS) in Joomla!
Open the admin area of your Joomla application and navigate to the configuration settings (System » Configuration). Under the "Server" tab, set the "Force HTTPS" option to "Entire website". Finally, click on Save & Close. After this setting, your website will be protected by the SSL certificate.


Setting up an automatic forwarding
If SSL is activated, it is recommended to set up redirects for all links. With this permanent 301 redirect, for example from http://www.my-website.com to https://www.my-website.com, all http:// links already ranked by Google are redirected to the https:// version.

To do this, adjust the forwarding in the .htaccess file in the root directory as follows:

RewriteEngine On
RewriteCond %{SERVER_PORT} !=443
RewriteRule ^(.*)$ https://www.my-website.com/$1 [R=301,L]

Alternative way with a check whether HTTPS was used:
RewriteEngine On
# Use one of the two forms for this condition: "!=on" (shown) or "off"
RewriteCond %{HTTPS} !=on
RewriteCond %{HTTP_HOST} www\.domain\.com [NC]
RewriteRule ^(.*)$ https://www.my-website.com%{REQUEST_URI} [R=301,L]

When managing multiple websites with one installation (WordPress Multisite):
RewriteEngine On
RewriteCond %{SERVER_PORT} !=443
RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [NE,L,R=301]

The redirection takes effect immediately and takes all visitors to the https page.

→ More about 301 redirects


Make adjustments in Webmaster Tools and Google Analytics
After switching to HTTPS, it is important to also register the HTTPS version in the Webmaster Tools in order to update the search results to the new links.

If your browser continues to display mixed content warnings, this could be due to images, iFrame content, CSS and JavaScript files from external sites that are not served over HTTPS. To solve this problem, you should remove the affected content from your website.


Related FAQ articles:
Domain forwarding via Redirect 301
Can I use the rewrite engine (mod_rewrite) for my PHP scripts?
