The "Not Secure" warning in Zen Cart almost always means one of three things: your configure.php HTTP_SERVER is still set to http:// instead of https://, your store is loading resources (images, scripts, CSS) from hardcoded http:// URLs, or your SSL certificate doesn't match your domain.
Fix configure.php first — that resolves 70% of cases.
After installing an SSL certificate, many Zen Cart store owners find their browser still shows a padlock with a warning, or the URL still shows http://. This is almost always a configuration issue, not a certificate issue — and it's fixable without touching your server.
A "mixed content" error occurs when your page is served over HTTPS but one or more resources on the page (an image, a script, a stylesheet) is loaded over plain HTTP. Modern browsers block or warn about this because a single HTTP resource can compromise the security of an otherwise secure page.
Zen Cart stores can have mixed content from several sources:
configure.php files still pointing to http://This is the most important fix. Zen Cart's configure.php files define the base URLs for your store — if they point to HTTP, everything loads over HTTP regardless of your SSL certificate.
You have two configure.php files that both need updating:
/includes/configure.php — front-end store/admin/includes/configure.php — admin panelDownload copies of both configure.php files before editing. A syntax error in configure.php will break your store completely.
In both files, find and update these lines:
// Change this (HTTP): define('HTTP_SERVER', 'http://www.yourstore.com'); define('HTTPS_SERVER', 'http://www.yourstore.com'); // To this (HTTPS): define('HTTP_SERVER', 'https://www.yourstore.com'); define('HTTPS_SERVER', 'https://www.yourstore.com');
Make sure the domain in configure.php exactly matches the domain your SSL certificate is issued for — including whether it has www. or not. A certificate for www.yourstore.com will cause a warning if your configure.php says yourstore.com (without www).
Even after updating configure.php, direct HTTP visits to your store won't automatically redirect to HTTPS. Add these lines to your .htaccess file in the Zen Cart root to force all traffic to HTTPS:
# Force HTTPS redirect
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
If you already have a RewriteEngine On line in your .htaccess, don't add another one — just insert the two RewriteCond/RewriteRule lines directly below it.
Zen Cart has a dedicated SSL enable flag in configure.php. Check that it is set to true in both configure.php files:
// Should be true, not false: define('ENABLE_SSL', true); define('ENABLE_SSL_CATALOG', true);
If these constants don't exist in your configure.php (common in older Zen Cart versions), add them.
Even with configure.php correct, mixed content warnings can persist if your templates or modules reference HTTP URLs directly. Use your browser's developer tools to find them:
In Chrome or Firefox, press F12 and go to the Console tab. Mixed content warnings appear as red errors starting with "Mixed Content: The page was loaded over HTTPS..."
The console message will show the exact URL being loaded over HTTP. This tells you which file, script, or image is causing the problem.
Search your template files (in /includes/templates/) for the offending URL. Replace http:// with either https:// or a protocol-relative URL like //yourstore.com/....
Visit whynopadlock.com and enter your store URL. It will scan your page and list every mixed content resource, making it much faster to identify all HTTP URLs at once.
If you've updated configure.php and fixed mixed content but still see a browser warning, the SSL certificate itself may be the problem. Common certificate issues:
yourstore.com doesn't cover www.yourstore.com unless it's a wildcard or SAN certificate.Test your certificate at SSL Labs. An A or B rating means the certificate is installed correctly. If you score lower, the report will explain why.
Product images and other content URLs are sometimes stored directly in the database with http:// prefixes. This is common if you migrated from HTTP to HTTPS after products were already entered, or if you imported products with absolute URLs.
You can find and replace these using phpMyAdmin:
-- Find products with HTTP image URLs: SELECT products_id, products_image FROM products WHERE products_image LIKE 'http://%'; -- Replace HTTP with HTTPS in product images: UPDATE products SET products_image = REPLACE(products_image, 'http://www.yourstore.com', 'https://www.yourstore.com') WHERE products_image LIKE 'http://www.yourstore.com%';
Always take a full database backup before running UPDATE queries. An incorrect query can corrupt data across thousands of product records.
Run a SELECT first to see what will be affected before running the UPDATE. If you're not comfortable with SQL, we can do this safely for you — see below.
After making changes, verify your store is fully secure:
http://yourstore.com and confirm it redirects)A solid padlock on all pages, an A rating from SSL Labs, and no mixed content warnings from WhyNoPadlock means your SSL is fully working. PayPal and other payment gateways will now accept your store's SSL.
Some mixed content issues are buried deep in templates or databases. We can diagnose and fix your SSL configuration — most cases resolved same day.
Get a free diagnosis