"Not Secure" in the address bar means at least one resource on the page is loading over HTTP. Browsers warn visitors and search engines penalise the site.
Find the broken resource
- Open the affected page in Chrome.
- Right-click → Inspect → Console tab.
- Look for messages like "Mixed Content: The page was loaded over HTTPS, but requested an insecure resource…".
- The console shows the exact URL — that's what to fix.
Common fixes
- WordPress: install Really Simple SSL — it rewrites old
http://URLs tohttps://on the fly. - Hard-coded image URLs: edit the post/page and change
http://yourdomain.com/…tohttps://…(or use//…for protocol-relative). - Third-party widgets: get the HTTPS version from the provider (any modern widget has one).
- Custom theme: search the theme for
http://with a code editor — most matches will be CSS/JS includes that just need ans.
Database search-and-replace
If a long-running WordPress site has hundreds of old URLs in the database, run Better Search Replace (plugin) once — search http://yourdomain.com, replace with https://yourdomain.com, dry-run first, then real.