The short answer
Your Wix site gets a free SSL certificate. It is provisioned automatically and renewed automatically. There is no button to press, no yearly fee, and nothing to remember.
That means if an SSL check on your Wix site fails, you are almost certainly looking at one of three things: the certificate has not finished provisioning yet, your pages are loading something over plain HTTP, or you are trying to do something Wix does not allow.
If you just connected your domain, wait
Certificate provisioning on Wix can take up to 48 hours. During that window your site can show a certificate warning, and that is expected rather than broken.
This is the single most common "my Wix SSL is broken" situation, and the fix is patience. Do not start changing DNS records to hurry it along, because that usually restarts the clock.
If you are past 48 hours and still seeing warnings, then something is genuinely wrong and it is worth contacting Wix.
You cannot bring your own certificate
Wix does not support third-party certificates. If you already bought one, or your organisation requires a specific issuer, that is not going to work here. The free automatic certificate is the only option.
Note that Wix's pages on third-party SSL are feature-request pages actively collecting votes, so this is a "currently" rather than a permanent answer.
One related point: we are not going to name Wix's certificate authority, because we could not confirm it. If you are considering CAA records, which restrict which authorities may issue for your domain, do not guess. A wrong CAA record blocks renewal, and on Wix you have no manual override.
The real culprit: mixed content
Here is the situation that confuses people most. Your certificate is valid, HTTPS works, and the browser still shows the padlock as broken or missing.
That is mixed content. The page itself loaded over HTTPS, but something on it, an image, a font, an embedded widget, a script, was requested over plain http://. Browsers flag the whole page for it, and they will often block the resource outright, which is why an embed sometimes just vanishes.
What to look for:
- →Images and files linked with an http:// address, especially anything hosted somewhere other than Wix.
- →Embedded third-party widgets such as chat, booking, review or map embeds. Old embed snippets are the usual offenders.
- →Custom code you pasted in that references an http:// URL. If the snippet is old, it probably does.
- →Anything copied from an old site during a migration. Content brings its old links with it.
Fixing mixed content
The fix itself is simple. Find every http:// reference and change it to https://, or re-add the resource so it comes from a source that supports HTTPS.
Your browser tells you exactly where they are. Open the page, open developer tools, and look at the console. Mixed content warnings name the offending URL.
One thing to avoid: protocol-relative URLs, the ones written as //example.com with no http or https. They were a legitimate trick years ago. They are no longer recommended. Just write https:// and be explicit.
The order matters
If you are also working through the rest of your security checks, do them in this order. It is not a style preference, it is how you avoid locking visitors out of your own site.
- 1.Certificate first. Make sure it is issued and valid. On Wix this means waiting out the provisioning window.
- 2.Then HTTPS everywhere. Every page loads over HTTPS, and mixed content is gone.
- 3.Then HSTS. This tells browsers to refuse plain HTTP for your domain in future.
A note on HSTS
On Wix, this step is out of your hands and that is mostly good news. At the time of writing Wix sites already respond with HSTS, and you could not change it anyway. See our security headers on Wix page for the full picture, or the HSTS glossary entry for what it does.
While we are here: do not go looking for HSTS preloading. Preload lists require a year-long max-age, includeSubDomains, a valid certificate, an HTTP to HTTPS redirect, and every subdomain on HTTPS. Inclusion cannot easily be undone, and removal takes months to reach people as a browser update. It is not a casual toggle, and on Wix it is not yours to toggle regardless.
Run your site through our free safety check to confirm the fix is live, and see what else a shopper would notice.
Run a free checkFrequently asked questions
Do I need to buy an SSL certificate for my Wix site?
No. Wix provides a free certificate, provisions it automatically and renews it automatically. There is nothing to buy and nothing to renew.
My Wix site says not secure. What do I do?
If you connected the domain recently, wait. Provisioning can take up to 48 hours and a warning during that window is normal. If the certificate is already valid, the cause is almost certainly mixed content, meaning something on the page is loading over http:// instead of https://.
Can I use my own SSL certificate on Wix?
No. Wix does not support third-party certificates. Wix's pages on this are feature-request pages that are still collecting votes, so it is a currently rather than a never, but today the free automatic certificate is the only option.
How do I find what is causing mixed content?
Open the affected page, open your browser developer tools and read the console. Mixed content warnings name the exact URL that loaded over http://. The usual sources are old third-party embeds, images hosted elsewhere, and custom code snippets copied from an old site.
Does my Wix certificate renew automatically?
Yes. Provisioning and renewal are both automatic. This is one area where being on Wix genuinely removes work, since expired certificates are a common failure on self-managed sites.