You have paid for hosting, your website looks great, and then a customer mentions something unsettling: their browser is showing “Not secure” next to your address, with no reassuring padlock in sight. It is a small icon, but it carries a lot of weight, and a missing one can quietly cost you trust and sales. If your website padlock has gone walkabout, take heart; it is almost always a fixable configuration issue rather than a sign your site has been compromised. We talk small business owners down from this particular ledge all the time.
This guide explains what the padlock actually means, why it sometimes vanishes, how to get it back step by step, and how to keep it there. Plain English throughout, no security-expert vocabulary required.
What the website padlock actually tells visitors
The website padlock is the little icon in the browser address bar that signals a secure, encrypted connection between your visitor and your site. It appears when your site is served over HTTPS, backed by a valid SSL certificate, which scrambles any information passing back and forth so it cannot be intercepted. In short, the padlock is a visible promise that whatever a customer types, such as an email address or card details, travels safely.
When it is missing, or replaced by a “Not secure” warning, browsers are telling visitors that the connection is not fully protected. Even if nothing is actually being stolen, the perception alone is enough to make people hesitate, abandon a form, or leave entirely.

Why the padlock sometimes disappears
There is rarely anything dramatic behind it, and the causes are usually straightforward. An expired SSL certificate is the classic reason; certificates have a shelf life, and once one lapses the padlock goes with it. Mixed content is another very common culprit, where your page loads over the secure HTTPS connection but pulls in an image, script or font over the old insecure HTTP, so the browser withholds the full padlock as a caution. A missing or misinstalled certificate on a new site or after a migration will do it too. Sometimes the site simply is not set to redirect visitors from the insecure version to the secure one, so people land on the unprotected address by default. And occasionally a caching layer or content delivery network is serving an outdated, insecure version of a page.
How to get your padlock back step by step
Work through these in order; most sites are fixed within the first couple of checks.
Check your SSL certificate is valid
Click the “Not secure” text or the site information icon in your browser to see certificate details, or use a free online SSL checker. If it has expired, renewing and reinstalling it, usually a quick job for your host, brings the padlock straight back.
Hunt down mixed content
If the certificate is fine but the padlock still will not show, the issue is often a single insecure element on the page. Your browser’s developer console will flag mixed content warnings, pointing you to the offending image or script. Updating those links from http to https resolves it.
Force HTTPS with a redirect
Make sure every visitor is sent to the secure version of your site automatically. On many platforms this is a simple setting or a small rule in your configuration, and plenty of hosts offer a one-click “force HTTPS” toggle.
Clear caches
If you have made changes and the padlock is still shy, clear your website cache, your content delivery network cache, and your own browser cache. Stale cached pages are a surprisingly frequent reason a fix does not appear to work.
Ask your host
If none of this lands, your hosting provider can confirm the certificate is installed correctly at server level and spot anything unusual. It is often the fastest route to a definitive answer.
The usual causes compared at a glance
When you are trying to work out where to start, it helps to know which cause is most likely. Here is a quick comparison.
- Expired certificate: very common and quick to fix by renewing and reinstalling, usually via your host.
- Mixed content: the most frequent reason on otherwise-secure sites, solved by switching insecure page elements to https.
- Missing certificate: typical right after a new build or migration, fixed by installing a valid certificate.
- No HTTPS redirect: common and easily resolved by forcing all traffic to the secure version.
- Cached insecure page: less obvious but simple, cleared by flushing your site, CDN and browser caches.
Best practices to keep your padlock in place
A little routine care keeps the “Not secure” warning at bay for good. Enable auto-renewal on your SSL certificate so it never quietly expires. Always add new images and embedded content using https links, which stops mixed content creeping in over time. Set up a permanent redirect so nobody can reach the insecure version by accident. And check your site periodically, ideally on both desktop and mobile, so a problem is caught by you rather than reported by a worried customer.
Common mistakes people make
The biggest one is assuming a missing padlock means the site has been hacked, which sends people into a panic when the fix is usually mundane. Another is fixing the certificate but forgetting to hunt for mixed content, so the padlock stubbornly stays away despite a valid certificate. People also frequently forget to clear caches after making changes, then conclude wrongly that the fix failed. And many overlook mobile entirely, checking only their desktop while phone visitors, who are often the majority, still see a warning.
Where website security signals are heading next
Browsers are steadily raising the bar, and that shapes what your visitors see. The trend is towards treating encryption as the baseline rather than a bonus, with unencrypted pages flagged ever more prominently as unsafe. Some browsers are experimenting with removing the positive padlock icon altogether, on the logic that secure should be the silent default and only insecure pages deserve a warning; the practical upshot for you is unchanged, since you still need a valid certificate and clean HTTPS. Automated, free certificates and one-click hosting setups are making all of this easier to get right and harder to get wrong. The direction is clear: a secure connection is no longer optional, it is simply expected.
Does a missing padlock mean my website has been hacked?
Almost never; it usually points to an expired certificate or a stray insecure element on the page, not a breach. That said, if it appears suddenly alongside other odd behaviour, it is worth asking your host to rule out a security issue for peace of mind.
Will a missing padlock affect my search rankings?
It can, indirectly. Search engines favour secure sites and may treat a lack of HTTPS as a negative signal, and visitors bouncing off a “Not secure” warning sends unhelpful engagement signals too. Restoring the padlock protects both trust and visibility.
How quickly can I fix a missing padlock?
Often within an hour. Renewing a certificate or flipping on a redirect can be near-instant, while tracking down mixed content takes a little longer. Only server-level certificate problems that need your host tend to stretch out.
Your quick website padlock checklist
Keep this handy so the next “Not secure” warning is a calm fix rather than a fright.
- Verify the certificate: confirm it is valid and not expired, and renew if needed.
- Scan for mixed content: switch any insecure page elements to https.
- Force HTTPS: redirect all visitors to the secure version automatically.
- Flush caches: clear site, CDN and browser caches after any change.
- Test on mobile: check the padlock shows on phones as well as desktops.
Ready to get your website secure and trusted again?
A missing website padlock is one of those small problems that looks alarming and is usually simple to put right, but it is also worth getting right, because trust is hard won and easily dented. If you would rather not wade through certificates and console warnings yourself, that is completely understandable, and it is exactly the kind of thing we sort out for small businesses quickly and calmly. Whether you need a secure website built properly, reliable hosting, or just a friendly hand getting that padlock back, we are here to help. Contact Us and let us make your site feel safe for every visitor.


































