21

Could you help me find out what to do with not fully secure message.

I have installed ssl certificate from let's encrypt, but my wordpress homepage has a message "Attackers might be able to see the images you're looking at on this site and trick you by modifying them".

The home page is still in development, with demo content. About what images chrome notification is telling? Something to do with cookies?

Thank you for your answers!

Edit: Does it have to do with the theme itself? Whole wordpress dashboard and login is served over proper secure ssl.

Tadas Stasiulionis
  • 1,316
  • 3
  • 16
  • 18

5 Answers5

24

Sending images via http protocol is what triggers this issue. Using any content from a cdn that does not use https will also trigger this issue. This quote explains it pretty simply (the yellow padlock / warning of unencrypted content/images):

If a yellow padlock appears with a mini yield sign, the likely cause is links in your site still refer to an unsecured page. Make sure that all your images, menu items and links use https in the URL. source

I would use a tool to help identify all non-encrypted file transports. One such tool would be something like Why No Padlock.

Martin Hollstein
  • 528
  • 4
  • 10
8

Did you enable https after installing WordPress? If so, you must change the WordPress address and Site Address under "General Settings" in WordPress. Make sure both addresses use https.

If your WordPress site address is set to use http, your server will force https but WordPress will serve certain images, like the favicon, over http. This triggers a "mixed content" warning.

Arnon
  • 2,074
  • 1
  • 13
  • 18
1

I too had run into this issue. It appears there are many http: that need to be replaced with https:

You typically do this using a plugin called Better Search and Replace. Make sure you are adding colon (:) at the end of both http and https.

I found a working answer here

Vivekanand P V
  • 861
  • 3
  • 13
  • 27
1

To check for issues on the chrome/opera inspection console (ctrl+shift+C) is also a great idea: I had setup all correctly and the issue was the footer image, not something you would check very often looking for this fix. I had applied SSL to many websites, sometimes the issue is just one simple link and this method helps find it.

Fogolin
  • 41
  • 2
0

I had the same problem where the home or index page was saying the page was not fully secure "Attackers might be able to see images blah blah blah"

After enabling https in general settings under site address and wordpress address I was still getting the insecure image warning on the index or home page.

The next step was to find out what images were not using the https ref on the index or home page.

In my case I viewed the page source of the page, by right mouse clicking the page in the chrome browser & looking for images url ref which were still showing http. I was using a sliding header and those images were showing http. So all I did was go into slider header in the appearance menu of the wordpress, and re-assign each of the header slider image for each frame. RE-checked the home page now the image urls were showing https. Bingo the secure lock symbol returned.

Obviously these image urls don't get updated via the general settings... which seems an oversight by whoever wrote the part of the word-press script.

Clay
  • 1,721
  • 2
  • 10
  • 18