Security certificate invalid warning for my paid for WordPress site

  • Unknown's avatar
    unobservableflight · Member ·

    Dear WordPress Support, I have recently encountered a security issue when trying to view my site. I get a security warning for an invalid certificate, informing me that information could be intercepted by a third party trying to steal sensitive information. I get a two button option to “leave” or “proceed anyway”. Naturally, this sort of warning will deter anyone from visiting my WordPress site. (Interesting). I am a long-time WordPress user and pay a subscription fee for a site without advertising. Please can you tell me why this is suddenly happening? It occurs when I enter the following URL into any browser:

    https://unobservableflight.wordpress.com/chapters/

    Thanks in advance for any help.

    The blog I need help with is: (visible only to logged in users)

  • Unknown's avatar
    unobservableflight · Member ·

    Addendum to self (or how to display my own ignorance).

    After looking up this issue on Google, I found that WordPress flags a security warning with https when including the “www” as part of the URL. But when omitting “www” the warning does not appear. I find this strange, because “www” magically appears as part of the URL when clicking in the browser’s address bar (to edit the URL). I would expect WordPress to automatically redirect any WordPress URL that includes “www”, rather than show this ominous security certificate warning. For example:

    https://www.somesite.wordpress.com/ Flags security intercept warning (even though this is the actual expanded URL when clicking to edit the address bar.

    https://somesite.wordpress.com/ No warning appears

  • staff-totoro · Staff ·

    Hi there,

    As an SEO best practice we do not use the ‘www’ subdomain on WordPress.com sites. This may cause an invalid certificate warning since the SSL certificate on your site (which gives it the secure https address) is specific to unobservableflight.wordpress.com as a matter of security. Depending on your browser security settings, using an “unofficial” URL like this that does not match the SSL can appear as a phishing or URL spoofing attempt

    I find this strange, because “www” magically appears as part of the URL when clicking in the browser’s address bar (to edit the URL)

    I also find this strange. You appear to be using Chrome as your browser, as am I. When I click on the URL of your site to edit or copy it it shows in the following format:

    If you click on the URL here in the direct link I am adding to my reply, do you somehow get redirected to a ‘www’ version of the URL if you try to edit in the browser window? Do you have this issue if you use an alternate browser like Firefox instead?

    Thanks for the additional info!

  • Unknown's avatar
    unobservableflight · Member ·

    Thanks for your reply. The problem is intermittent. I tried again this morning and everything worked as expected. Confused, I visited another secure site that uses the https protocol, namely Google. Sure enough, the bug re-appeared (screenshots below). I can confirm that I’m using Chrome, but the bug also manifests on Windows 10 using Firefox – but in this case, the security warning is not shown.

    You can see that clicking in the address bar magically shows “www” as part of the URL. This is exactly what was happening with my site – but I can no longer reproduce the issue with my URL this morning. Possibly this bug is unique to my system, but I really appreciate your response. In future I shall ommit “www” as part of the URL when using the https protocol.

  • Unknown's avatar
    dragstor · Member ·

    Thank you both for providing the details! 🙌🏻

    @unobservableflight, I’d like to provide more context on the issue 😊

    • The “www” part of the URL is hidden by default in most modern browsers:
      • To clear the clutter when browsing the web (UI/UX)
      • It’s outdated/obsolete in the majority of cases
    • The “www” part of the URL is technically irrelevant unless the site is configured to explicitly load on the “www” subdomain
    • On WordPress.com, we redirect all “www” traffic to the non-www version, for example: www.example.com will be redirected to example.com, as @staff-totoro explained, but only for sites with a custom domain set as a primary site address

    💡 When a WordPress.com site uses a free WordPress.com URL, like your site, the “www” part is unnecessary and won’t work — this is by design.

    This is why you’re getting the “Your connection is not private” error in Chrome (or any other browser, with a different wording, but the same context):


    (if you can’t see the screenshot, click here)

    This is because we’re not issuing an SSL certificate for the “www” sub-subdomain when a WordPress.com site does not use a custom domain as a primary site address, which you can consider. 🙂

    🎁 If you’d like to claim a free domain (it’s free to register it, but you’ll be renewing it according to the prices listed on this link with each next renewal), you can do this by clicking on the “Claim” button from your dashboard sidebar, as seen in the screenshot below:


    (if you can’t see the screenshot, click here)

    In short — there’s nothing to worry about (regarding the browsers hiding the “www” from the URL field), and you shouldn’t use “www” if you’re using a free site URL for your site as a primary site address.

    I hope this helped! 😊

  • The topic ‘Security certificate invalid warning for my paid for WordPress site’ is closed to new replies.