If your website is showing a "Not Secure" warning in the browser or a broken padlock icon, visitors may lose trust and leave — but the fix is usually straightforward once you know the cause. This guide walks you through diagnosing the problem and applying the right solution for your Momo Cloud hosting account.
What Does "Not Secure" Actually Mean?
Modern browsers (Chrome, Firefox, Edge, Safari) display a warning when a page is loaded over http:// instead of the encrypted https:// protocol, or when an https:// page contains elements that are still loaded over plain http://. This is not a server error — it is the browser telling your visitors that the connection is not fully protected by an SSL/TLS certificate.
Diagnose Your Situation First
Start by identifying which symptom matches your site, then jump to the fix that applies.
| Symptom | What You See in the Browser | Likely Cause | Fix |
|---|---|---|---|
| Full "Not Secure" warning on every page | Red warning or "Not Secure" label in the address bar | No SSL certificate installed, or AutoSSL has not yet issued one | Fix 1 — Issue SSL via AutoSSL |
Site works on http:// but not redirected to https:// |
Padlock appears when you manually type https://, but the site opens on http:// by default |
SSL is installed but no HTTPS redirect is in place | Fix 2 — Force HTTPS Redirect |
| Broken or grey padlock icon on an otherwise secure page | Padlock with a warning triangle; browser console shows "Mixed Content" | SSL is active but some images, scripts, or stylesheets still load over http:// |
Fix 3 — Fix Mixed Content |
| "Your connection is not private" / certificate error | Full-page browser block with error code like NET::ERR_CERT_DATE_INVALID |
SSL certificate has expired | Fix 1 — Re-run AutoSSL |
Fix 1 — Confirm SSL Is Issued and Run AutoSSL
Momo Cloud provides free AutoSSL (powered by Let's Encrypt) for all shared hosting accounts. Before AutoSSL can issue a certificate, your domain must be pointing to Momo Cloud nameservers (ns1.momo.tz and ns2.momo.tz). If the domain resolves elsewhere, AutoSSL cannot verify ownership and the certificate will not issue.
Check your SSL status
- Log in to cPanel on your Momo Cloud account.
- Under the Security section, click SSL/TLS Status.
- You will see a list of all domains and subdomains with a status column. A green padlock means a valid certificate is in place. A yellow or red icon means SSL is missing or expired.
- If any domain shows as unprotected, tick its checkbox and click Run AutoSSL.
- AutoSSL contacts Let's Encrypt and usually issues the certificate within a few minutes. Refresh the SSL/TLS Status page to confirm the green padlock appears.
Tip: If AutoSSL consistently fails for your domain, go to cPanel → Zone Editor and verify that your domain's A record points to your Momo Cloud server IP. DNS propagation can take up to 48 hours after a nameserver change, so if you recently moved your domain, wait and try again.
Fix 2 — Force HTTPS So Every Visitor Uses the Secure URL
Even with a valid SSL certificate, visitors who type just yourdomain.com (without https://) may still land on the unencrypted version. You need to redirect all http:// traffic to https:// automatically.
Option A — cPanel Force HTTPS Redirect (easiest)
- In cPanel, open Domains (or Domains → Domains in newer cPanel versions).
- Find your domain in the list.
- Toggle the Force HTTPS Redirect switch to ON.
- Wait 30 seconds, then open a new browser tab and visit
http://yourdomain.com. The browser should automatically redirect tohttps://yourdomain.com.
Option B — .htaccess Redirect (manual, for Apache)
If you need more control or the cPanel toggle is not available for your setup, add the following rules to your .htaccess file in the website's root folder (usually public_html):
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]Tip: Always make a backup of your .htaccess file before editing it. A syntax error in this file can take your site offline. You can edit it via cPanel → File Manager.
Fix 3 — Find and Fix Mixed Content
Mixed content happens when your page is served over https:// but it still loads resources — images, scripts, stylesheets, iframes, fonts — using http:// URLs. Browsers block or warn about these requests even though your SSL certificate is valid.
Find mixed-content items using the browser console
- Open your website in Chrome or Firefox.
- Press F12 (or right-click → Inspect) to open Developer Tools.
- Click the Console tab. Mixed-content warnings appear in yellow or red and say something like "Mixed Content: The page was loaded over HTTPS, but requested an insecure resource…"
- The console shows the exact URL of every insecure resource. Note each one — it tells you exactly what to fix.
Fix mixed content in a standard HTML site
Open each affected HTML, CSS, or JS file and change every http:// asset URL to https://. For external resources (like Google Fonts or CDN libraries), you can also use a protocol-relative URL — omit the scheme entirely and start with //, for example:
<!-- Before -->
<script src="http://cdn.example.com/library.js"></script>
<!-- After (explicit https) -->
<script src="https://cdn.example.com/library.js"></script>
<!-- After (protocol-relative) -->
<script src="//cdn.example.com/library.js"></script>Fix mixed content in WordPress
WordPress stores your site URL in the database, so a simple find-and-replace in files is not enough. Follow these steps:
- Log in to your WordPress admin dashboard (
https://yourdomain.com/wp-admin). - Go to Settings → General and make sure both WordPress Address (URL) and Site Address (URL) start with
https://. Save changes. - To fix hardcoded
http://links stored in the database, install the free plugin Better Search Replace (or Velvet Blues Update URLs). Run a search forhttp://yourdomain.comand replace withhttps://yourdomain.comacross all tables. - If you prefer not to use a plugin, you can use the WP-CLI command via SSH:
wp search-replace 'http://yourdomain.com' 'https://yourdomain.com' --skip-columns=guid - Also check your active theme's files and any page builder content for hardcoded
http://image or script URLs, and update them manually.
Tip: After updating URLs in WordPress, go to Settings → Permalinks and click Save Changes (without changing anything). This flushes the rewrite rules and often resolves redirect loops.
Clear Cache and Re-Test
After applying any of the fixes above, cached versions of your pages may still show the old behaviour. Clear all layers of cache before re-testing:
- Browser cache: Press
Ctrl + Shift + Delete(Windows/Linux) orCmd + Shift + Delete(Mac) and clear cached images and files. - WordPress cache plugins: Go to your caching plugin (WP Super Cache, W3 Total Cache, LiteSpeed Cache, etc.) and purge all cache.
- CDN cache: If you use Cloudflare or another CDN in front of your site, purge the CDN cache from your CDN dashboard.
After clearing cache, visit https://yourdomain.com in a private/incognito window to see the result without any locally cached content.
Still Not Secure? Troubleshooting Tips
| Problem | What to Check |
|---|---|
| Padlock still missing after AutoSSL ran | Check that your DNS has fully propagated and your domain is pointing to ns1.momo.tz / ns2.momo.tz. Use a tool like whatsmydns.net to verify global propagation. |
Certificate covers yourdomain.com but not www.yourdomain.com |
In cPanel → SSL/TLS Status, check that both the bare domain and the www subdomain have a valid certificate. Run AutoSSL again if www is missing. |
| Site is behind Cloudflare and still shows warnings | In your Cloudflare SSL/TLS settings, set the encryption mode to Full (Strict) so Cloudflare encrypts the connection all the way to your origin server, not just to the visitor. |
| Mixed content persists after search-replace | Some themes or plugins store URLs in serialised PHP arrays. Use a tool like Search Replace DB (available at interconnectit.com) which handles serialised data correctly. |
SSL warnings are one of the most common issues website owners encounter, but with Momo Cloud's built-in AutoSSL and cPanel tools, every shared hosting account can run fully secure https:// without any extra cost. If you have worked through all three fixes above and your site still shows a warning, open a support ticket with Momo Cloud and include your domain name and the exact error message — our team will investigate the certificate status and server configuration on your behalf.
Was this article helpful?