Back to blog
/14 min read

No HTTPS? Google Flags Your Site as Dangerous

web-designsmall-businessaustraliaseo
No HTTPS? Google Flags Your Site as Dangerous

Your Website Is Actively Warning Customers Away

Open Google Chrome, visit any website without an SSL certificate, and you'll see it immediately: a grey padlock with a slash through it, or — worse — a full-screen red warning page that reads "Your connection is not private." Chrome estimates that users see this warning on roughly 0.2% of all page loads — but for the small business sitting behind that warning, the conversion rate collapse is very much 100%.

A 2021 GlobalSign survey found that 84% of online shoppers would abandon a purchase if the connection wasn't secure. For a local café, tradesperson, salon, or health practice, that statistic isn't about e-commerce. It's about every single person who Googles your business, clicks your link, and decides in under three seconds whether they trust you enough to book, call, or fill out a form.

This guide explains exactly what an SSL certificate is, what HTTPS actually does to your Google rankings, what it costs (including free options), and how to install it correctly so you stop losing customers to a padlock icon. By the end, you'll have everything you need to act today — no developer required for most cases.

What Is an SSL Certificate? (Plain-English Definition)

SSL stands for Secure Sockets Layer. In practice, the protocol most websites now use is its successor, TLS (Transport Layer Security), but the industry still calls the certificates "SSL certificates" out of habit. For our purposes, SSL and TLS mean the same thing.

An SSL certificate does three things:

  1. Encrypts data in transit. When a visitor types their name, email, or phone number into a contact form on your website, the data is scrambled before it leaves their browser. Only your web server can unscramble it. Without SSL, that data travels as plain text — readable by anyone on the same network (a café's Wi-Fi, a shared office connection, a mobile carrier).
  2. Authenticates your identity. The certificate is issued by a trusted Certificate Authority (CA) — organisations like Let's Encrypt, DigiCert, or Comodo — that verify you actually own the domain you're securing. This is how browsers know weauto.org is genuinely weauto.org and not an impersonator.
  3. Triggers HTTPS. Once your certificate is installed and active, your website's URL switches from http:// to https:// — the "S" meaning secure. Browsers reward this with a padlock icon. They punish the absence of it with warnings.

The padlock is the visible signal. The encryption is the actual protection. Both matter to your business.

What Google Actually Does to HTTP Sites in 2025

Google has been systematically disadvantaging non-HTTPS websites since 2014, when it announced HTTPS as a ranking signal. Here is the progression of what has actually happened since then — because most articles stop at "Google prefers HTTPS" without explaining the full picture:

The Ranking Signal (2014)

Google's original announcement described HTTPS as a "lightweight" ranking signal — a tiebreaker, not a major factor. That framing led many small business owners to deprioritise it. That was a mistake, for reasons that became clear in subsequent years.

Chrome's "Not Secure" Label (2017–2018)

In July 2018, Chrome 68 began marking all HTTP pages as "Not Secure" in the address bar — not just pages with forms or payment fields. This was the inflection point. Google's own data showed that Chrome users were clicking away from HTTP sites at significantly higher rates after the label appeared. The ranking signal became almost secondary to the user-behaviour signal.

Google's Crawl Preference (Ongoing)

Google's Search Central documentation states explicitly: "We recommend that sites adopt HTTPS to improve security for their users." Googlebot now prefers HTTPS URLs when it finds both an HTTP and HTTPS version of a page. If you've migrated to HTTPS but left HTTP redirects misconfigured, Google may still index the HTTP version — a common error covered in the installation section below.

Core Web Vitals and Trust Signals (2021–Present)

Google's Page Experience ranking system, which includes Core Web Vitals, treats HTTPS as a baseline requirement — not a bonus. A site without HTTPS cannot achieve a "good" page experience score regardless of how fast it loads or how well it performs on mobile. This means that every other optimisation effort — speed, mobile responsiveness, structured data — is partially undermined if SSL isn't in place.

The practical consequence: if two local businesses are competing for the same Google Maps or organic search position, and one has HTTPS and one doesn't, the HTTP site is fighting with one hand tied behind its back.

How SSL Affects Australian Local SEO Specifically

Australian small businesses competing for local search — "electrician Sydney," "hair salon Parramatta," "GP near me" — face a specific dynamic worth understanding.

Google's local ranking algorithm weights three factors: relevance, distance, and prominence. SSL doesn't directly feed into any of those three buckets. But it affects them indirectly through click-through rate and bounce rate — two user behaviour signals Google uses to calibrate prominence.

Here's the chain of events when your site lacks HTTPS:

  1. A potential customer in your suburb searches for your service category.
  2. Your Google Business Profile appears in the local pack. They click your website link.
  3. Chrome shows the "Not Secure" warning or red interstitial screen.
  4. They hit the back button and call your competitor instead.
  5. Google registers a high bounce rate and a short dwell time on your site.
  6. Over time, Google's algorithm interprets this as a signal that users don't find your site useful or trustworthy.
  7. Your local ranking dips.

This is the mechanism that small business owners almost never hear about — because it plays out over weeks and months, not instantly, and the cause-and-effect is invisible without proper analytics tracking.

For businesses like APX Trade Group — licensed electricians in Sydney, where customer trust is paramount and most leads start with a Google search, an SSL-less website isn't just a technical oversight. It's a direct leak in the customer acquisition pipeline.

What SSL Certificates Cost in Australia (2025)

The single most important thing to know: a perfectly adequate SSL certificate for most small business websites costs $0. Let's Encrypt, a non-profit Certificate Authority backed by Mozilla, Google, and the Electronic Frontier Foundation, issues free, auto-renewing SSL certificates that are cryptographically identical to paid certificates for standard use cases.

Here is the full cost landscape:

Certificate Type Typical Cost (AUD/year) Who It's For Example Providers
Domain Validated (DV) — Free $0 Most small business websites, blogs, portfolios Let's Encrypt (via your host), Cloudflare Free
Domain Validated (DV) — Paid $20–$80 Same use case as free; some hosting bundles include these Comodo Positive SSL, RapidSSL
Organisation Validated (OV) $80–$300 Businesses that want their company name verified in certificate details DigiCert, Sectigo
Extended Validation (EV) $300–$800+ Banks, financial institutions, large e-commerce — overkill for most SMBs DigiCert EV, Entrust
Wildcard Certificate $150–$600 Businesses with multiple subdomains (e.g. shop.yourbusiness.com.au) Comodo, DigiCert

The honest recommendation for 95% of Australian small businesses: A free Let's Encrypt certificate installed via your hosting control panel (cPanel, Plesk) or via Cloudflare's free plan is all you need. It encrypts data identically to a $600 EV certificate. The only thing paid certificates add is a layer of identity verification that matters to financial services and enterprise customers — not to a customer booking a haircut or a restaurant table.

Major Australian hosting providers that include free SSL via Let's Encrypt or Cloudflare as standard:

  • VentraIP — free SSL on all plans via cPanel's AutoSSL
  • Netregistry / Web24 — free SSL included
  • SiteGround — free Let's Encrypt SSL on all hosting plans
  • Cloudflare — free Universal SSL on its free CDN plan (works with any host)
  • WP Engine — free SSL on all managed WordPress plans

If your hosting provider is charging you separately for an SSL certificate that isn't an OV or EV certificate, you are being overcharged. Free DV certificates are equally secure for standard business websites.

How to Install an SSL Certificate: Step-by-Step

The installation process varies depending on your hosting environment. Below are the three most common scenarios for Australian small businesses.

Scenario 1: cPanel Hosting (Most Common in Australia)

  1. Log into your hosting account's cPanel dashboard.
  2. Navigate to Security > SSL/TLS Status (sometimes labelled "AutoSSL" or "Let's Encrypt SSL").
  3. Find your domain in the list. If it shows "Not Secured," click "Run AutoSSL" or the equivalent button.
  4. Wait 2–5 minutes. cPanel contacts Let's Encrypt, issues the certificate, and installs it automatically.
  5. Verify by visiting your site with https:// in the URL. You should see a padlock.
  6. Critical next step: Force HTTPS by adding a redirect in your .htaccess file (for Apache servers) or your Nginx configuration. Without this, visitors who type your domain without https:// will still see the insecure version.

The .htaccess redirect code:

RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

Scenario 2: WordPress (With or Without cPanel)

  1. First, ensure your hosting has an SSL certificate installed using Scenario 1 or via Cloudflare (below).
  2. Install the free plugin Really Simple SSL (1M+ active installs, well-maintained).
  3. Activate the plugin. It will detect your certificate and offer to enable SSL sitewide with one click.
  4. The plugin handles the .htaccess redirect, updates WordPress's siteurl and home settings to HTTPS, and fixes mixed content warnings automatically.
  5. In WordPress Settings > General, confirm both "WordPress Address" and "Site Address" show https://.
  6. Submit the HTTPS version of your sitemap to Google Search Console to ensure Google indexes the correct URLs.

Scenario 3: Cloudflare (Any Host)

  1. Create a free Cloudflare account at cloudflare.com.
  2. Add your domain. Cloudflare will scan your existing DNS records.
  3. Update your domain's nameservers to point to Cloudflare's nameservers (provided in the setup wizard). This change propagates in 15 minutes to 48 hours.
  4. In Cloudflare's dashboard, go to SSL/TLS > Overview. Set encryption mode to "Full (strict)" if your origin server has a certificate, or "Flexible" if it doesn't yet (note: Flexible encrypts only the visitor-to-Cloudflare leg, not the full chain — use Full when possible).
  5. Enable the "Always Use HTTPS" toggle under SSL/TLS > Edge Certificates.
  6. Cloudflare's Universal SSL certificate is automatically provisioned — no purchase required.

Scenario 4: Hosted Website Builders (Wix, Squarespace, Shopify)

If your website is hosted on a platform like Wix, Squarespace, or Shopify, HTTPS is handled automatically. You don't install anything. These platforms provision SSL certificates for all connected custom domains. Squarespace (from approximately AU$24/month on their current pricing for the Personal plan) and Shopify (from AU$56/month on the Basic plan as of 2025) both include SSL. Wix (from approximately AU$22/month for the Core plan) also includes SSL automatically.

If you're on a website builder and your site still shows as HTTP, contact the platform's support — this is almost always a misconfigured custom domain, not a missing certificate.

After Installation: Checking for Mixed Content Errors

This is the step most guides skip, and it's where many businesses get caught out. Mixed content occurs when your page loads over HTTPS but some resources on the page — images, scripts, stylesheets, iframes — still load over HTTP. When this happens, browsers either block the insecure resource or show a warning, undermining the entire point of HTTPS.

How to check for mixed content:

  1. Open your website in Chrome.
  2. Right-click anywhere on the page and select Inspect.
  3. Click the Console tab.
  4. Look for any yellow or red warnings mentioning "Mixed Content" or "blocked:mixed-content."
  5. Each warning identifies the specific resource loading over HTTP. Update those URLs to HTTPS — usually by editing your CMS content, updating plugin settings, or replacing embedded media.

Free tools to scan your entire site for mixed content:

  • Why No Padlock? (whynopadlock.com) — pastes in your URL and lists every mixed content issue
  • SSL Labs Server Test (ssllabs.com/ssltest) — tests certificate configuration quality, not just presence
  • Google Search Console — the Security & Manual Actions section flags certificate errors

The Hidden HTTPS Issue That Destroys Rankings: The HTTP/HTTPS Duplicate Content Problem

Here is the insight that most SSL tutorials don't cover — and it's one of the most common technical SEO mistakes in Australian small business websites.

When you migrate from HTTP to HTTPS without implementing a proper 301 redirect, Google can see two versions of every page on your site:

  • http://yourbusiness.com.au/services
  • https://yourbusiness.com.au/services

If Google indexes both, your site's ranking signals — backlinks, engagement data, citation authority — are split between two versions. You're essentially competing against yourself. This is called duplicate content, and it dilutes your domain authority.

The fix is a sitewide 301 redirect from all HTTP URLs to their HTTPS equivalents, combined with setting your preferred domain (the HTTPS version) in Google Search Console. Here's the full checklist:

  1. Implement the 301 redirect (code above, or via your CMS plugin).
  2. Update your canonical tags to reference HTTPS URLs.
  3. Update your XML sitemap to list only HTTPS URLs, and resubmit via Google Search Console.
  4. In Google Search Console, add the HTTPS version of your site as a separate property (if it isn't already) and set it as the preferred version.
  5. Update any internal links in your content that still point to http:// URLs.
  6. Update your Google Business Profile website URL to the HTTPS version.
  7. Contact any websites linking to your HTTP URLs and request updated links — or rely on the 301 redirect to pass link equity (it passes approximately 99% of link value, so this step is lower priority).

For businesses in competitive local markets — from websites for health and wellness practices competing for medical search terms, to hospitality businesses serving corporate clients — getting this technical foundation right is what separates a website that generates leads from one that just exists.

What SSL Cannot Do (Common Misconceptions)

SSL certificates are frequently misunderstood, and some of those misunderstandings lead to false confidence. Be clear on these limits:

  • SSL does not protect your website from being hacked. It encrypts data in transit. It doesn't patch vulnerabilities in your CMS, plugins, or server configuration. A WordPress site with outdated plugins can be compromised even with a perfect SSL installation.
  • SSL does not mean the website is trustworthy. Phishing sites and scam websites use HTTPS. The padlock means the connection is encrypted — not that the business behind the site is legitimate. Scammers have been using free SSL certificates since they became widely available.
  • SSL is not a substitute for a privacy policy. Australian businesses collecting personal data via website forms are subject to the Privacy Act 1988 and the Australian Privacy Principles (APPs). Encrypting form submissions is good practice, but it doesn't replace the legal requirement to have a compliant privacy policy disclosing how data is collected, stored, and used. The OAIC (Office of the Australian Information Commissioner) has enforcement powers here.
  • SSL does not automatically improve your Google rankings overnight. It removes a ranking penalty, but it doesn't add a major ranking boost. Sites that were penalised for being HTTP and then migrated correctly will typically see recovery over 2–8 weeks as Google recrawls and reindexes the HTTPS versions.

SSL and Australian Consumer Trust: The Numbers

Australian consumers are increasingly security-aware online. The ACCC's Scamwatch reported Australians lost over $2.74 billion to scams in 2023 — a figure that has made browser security warnings more psychologically loaded than ever. When a potential customer in Penrith or Geelong or Townsville sees a security warning on your website, they don't think "SSL certificate misconfiguration." They think "this might be a scam."

Research from the Baymard Institute (one of the most-cited UX research organisations in e-commerce) found that 18% of users have abandoned a checkout specifically due to security concerns — and that's on pages that had HTTPS. The number is significantly higher when a browser warning actively appears.

For service businesses that use their website primarily to generate enquiries — websites for cafés and coffee shops collecting reservations, health practices taking appointment requests, consultants hosting contact forms — the conversion impact of a missing padlock is direct and measurable.

SSL Certificate Renewal: Don't Let It Lapse

SSL certificates expire. Let's Encrypt certificates expire every 90 days1 year (certificate authorities stopped issuing 2-year certificates in 2020 at the browser vendors' direction).

When a certificate expires, your website doesn't silently revert to HTTP. It shows a full-screen browser error to every visitor until the certificate is renewed. This is one of the most damaging things that can happen to a small business website's reputation — and it's entirely preventable.

How to ensure your certificate never lapses:

  • Let's Encrypt via cPanel AutoSSL: Renewal is fully automatic. cPanel renews the certificate 30 days before expiry. You do nothing.
  • Let's Encrypt via Certbot (manual installations): Set up a cron job to run certbot renew twice daily. This is standard practice and the Certbot documentation provides exact instructions.
  • Cloudflare Universal SSL: Renewed automatically. No action required.
  • Paid certificates: Your certificate provider should email you 30, 14, and 7 days before expiry. Don't ignore these emails. Add a calendar reminder as a backup.
  • Monitoring: Tools like UptimeRobot (free tier available) and StatusCake can monitor your SSL certificate expiry and send you an alert when it's within 30 days of lapsing.

If you're on a website care plan ($24.95 + GST/month), certificate monitoring and renewal should be included as a standard item — it's one of the most basic ongoing maintenance tasks a managed hosting or care plan service should cover.

Comparison: How Major Australian Business Website Platforms Handle SSL

Platform SSL Included? Auto-Renews? Any Action Required? Notes
Wix (~AU$22/mo Core) Yes Yes No Automatic on all connected custom domains
Squarespace (~AU$24/mo Personal) Yes Yes No Provisioned within 72 hours of domain connection
Shopify (~AU$56/mo Basic) Yes Yes No Includes for all storefronts and custom domains
WordPress on cPanel hosting Usually Yes (via AutoSSL) Yes (cPanel AutoSSL) Enable HTTPS redirect + plugin Depends on host; VentraIP, SiteGround include it
Custom-built site (agency/freelancer) Depends on hosting Depends on setup Varies Should be included and configured at handover
Cloudflare (added to any setup) Yes (Universal SSL) Yes Point nameservers to Cloudflare Free plan sufficient for SSL + basic CDN

The Real Business Impact: A Scenario-Based Breakdown

Consider a hair salon in Newtown, Sydney, running Google Ads and relying on their website for booking form submissions. Their site is on HTTP. Here is what that costs them in practical terms:

  • Google Ads Quality Score: Google's Quality Score for landing pages includes a "landing page experience" component. A page flagged as "Not Secure" by Chrome is rated lower, increasing the cost-per-click and reducing ad position. A salon spending $500/month on Google Ads might be paying 15–20% more per click than a competitor with an identical ad on an HTTPS site.
  • Organic ranking: As discussed, the HTTP/HTTPS ranking differential compounds over time with negative user behaviour signals.
  • Email marketing click-throughs: Gmail, Outlook, and Apple Mail all display warnings when links in emails point to HTTP pages. Customers clicking from an EDM may see a security interstitial before reaching the booking form.
  • Google Analytics data integrity: When a visitor travels from an HTTPS website to an HTTP website (e.g. clicking a link on an HTTPS directory listing to your HTTP site), the referrer data is stripped. Your analytics will show the visit as "direct" traffic instead of the actual source. This corrupts your attribution data and makes it impossible to accurately measure what's driving your leads.

For businesses like hospitality suppliers and food businesses — such as those working with ZenPacks Australia — eco-friendly food packaging — where wholesale accounts are opened via online inquiry forms, an HTTP site sends exactly the wrong signal to procurement contacts evaluating suppliers.

Frequently Asked Questions

Does my website actually need SSL if I don't sell anything online?

Yes, without qualification. Chrome marks all HTTP pages as "Not Secure" regardless of whether they collect payments. Any page with a contact form, an email address field, a newsletter signup, or a booking widget is collecting personal information, which means your users have a right to expect encryption. The ACCC and OAIC expect businesses to take reasonable steps to protect user data — SSL is the minimum reasonable step. Beyond compliance, the padlock (or its absence) affects customer trust on every page, including your homepage.

Can I get a free SSL certificate in Australia, and is it as secure as a paid one?

Yes. Let's Encrypt provides free DV (Domain Validated) certificates that use the same 256-bit encryption as certificates costing hundreds of dollars. The cryptographic security is identical. The only meaningful difference is that Let's Encrypt certificates don't carry a warranty (paid certificates include a warranty against certificate misissuance — relevant to financial institutions, not to a café or a tradie's website). Most Australian hosting providers (VentraIP, SiteGround, Netregistry) now include Let's Encrypt SSL automatically. If yours doesn't, Cloudflare's free plan provides Universal SSL at no cost.

My website already has HTTPS but Google Search Console is showing errors. What's wrong?

The most common causes are: (1) Mixed content — some page resources still loading over HTTP, detectable via Chrome's developer console; (2) Certificate chain errors — an intermediate certificate wasn't installed correctly, causing some browsers to show warnings even though the certificate is valid; (3) Mismatched domains — the certificate was issued for www.yourdomain.com.au but visitors land on yourdomain.com.au (or vice versa); (4) An expired certificate. Use SSL Labs' free server test (ssllabs.com/ssltest) to get a detailed diagnosis. It gives your site an A–F grade and explains every issue it finds.

Will switching to HTTPS hurt my existing Google rankings?

A properly executed HTTP-to-HTTPS migration should not hurt rankings. The key is implementing correct 301 redirects from every HTTP URL to its HTTPS equivalent, updating your canonical tags, resubmitting your sitemap to Google Search Console, and updating your Google Business Profile URL. Google treats a correctly implemented HTTPS migration as a URL change with a 301 redirect, which passes essentially all link equity to the new URL. Rankings may fluctuate slightly during the 2–4 week recrawl period, but should stabilise at or above their previous levels. Incorrectly implemented migrations — without redirects, with broken canonicals, or with mixed content — can cause temporary ranking drops.

How do I know when my SSL certificate is going to expire?

In Chrome, click the padlock icon in the address bar, then click "Connection is secure," then "Certificate is valid." The "Valid until" date is shown. Alternatively, use a free tool like SSL Labs or UptimeRobot to monitor certificate expiry across your site and receive email alerts before lapse. If you're on cPanel hosting with AutoSSL enabled, Let's Encrypt certificates renew automatically 30 days before expiry — you don't need to do anything.

Does having HTTPS help my Google Maps ranking?

Not directly — Google's local pack ranking algorithm (relevance, distance, prominence) doesn't list HTTPS as a direct input. Indirectly, yes: HTTPS affects user behaviour on your website, including bounce rate and time on site, which are signals Google uses in prominence scoring. More concretely, your Google Business Profile's website URL pointing to an HTTPS page is a cleaner signal than pointing to an HTTP page, and avoids the user experience interruption that causes potential customers to bounce before contacting you.

I'm on Wix or Squarespace — do I still need to think about any of this?

For the certificate itself, no — both platforms handle it automatically. What you do need to check: (1) If you connected a custom domain recently, verify the certificate has been provisioned (can take up to 72 hours on Squarespace); (2) If you embed any third-party widgets, iframes, or scripts from external HTTP sources, you can create mixed content issues even on a platform that handles SSL automatically; (3) Ensure your Google Business Profile, social media profiles, and any directory listings link to your https:// URL rather than http://. Small inconsistencies in how your URL is cited across the web can affect Local SEO NAP consistency.

Is there any reason NOT to use a free SSL certificate?

For a standard small business website — brochure site, contact form, booking system, portfolio — there is genuinely no meaningful reason to pay for a DV certificate when a free Let's Encrypt certificate provides identical encryption. The use cases where paid certificates add real value are narrow: banks and financial institutions need EV certificates for regulatory and trust reasons; businesses operating multiple subdomains may find a paid Wildcard certificate more convenient than managing multiple Let's Encrypt certificates (though Let's Encrypt does issue Wildcard certs); and some enterprise procurement processes require certificates from specific commercial CAs. None of these apply to the vast majority of Australian small businesses.

The Fastest Path to HTTPS for Australian Small Businesses

If you've read this far and your site is still on HTTP, here is the shortest path to resolution based on your situation:

  • You're on cPanel hosting: Log in, find AutoSSL or Let's Encrypt SSL in the Security section, run it, add the HTTPS redirect to .htaccess. Time: 15 minutes.
  • You're on WordPress and not sure about the server: Install Really Simple SSL plugin and follow its one-click wizard. Time: 10 minutes.
  • You're on any host and want the safest, most hands-off solution: Set up Cloudflare's free plan, point your nameservers to Cloudflare, enable Universal SSL and Always Use HTTPS. Time: 30 minutes + propagation wait.
  • You're on Wix, Squarespace, or Shopify: Check that your custom domain is correctly connected and the certificate has been provisioned. Update all external links to use HTTPS. Time: 10 minutes.
  • You don't have a website yet: Choose a platform or builder that includes HTTPS by default. Every modern platform does. This is not a decision point for new websites in 2025.

If you'd rather not handle any of this yourself, weauto builds professional websites for Australian small businesses from $99 + GST — live in 5 business days, with HTTPS correctly configured from day one.

Related reading


Ready to get online?

weauto builds professional websites for Australian local businesses — live in 5 business days for $99 + GST.