The short version
HTTP is how web pages move around. It is plain text, which means anyone between you and the site can read it and change it.
HTTPS is the same thing wrapped in encryption. The S is the TLS layer doing the wrapping, and it works because the site presents an SSL certificate your browser can check.
That is genuinely all the padlock means. Encrypted connection, correct certificate for that domain, not expired.
What it does protect you from
Real protection, worth having on every page.
- →Nobody on the same wifi can read your password, your card number or what you are browsing.
- →Your network provider cannot inject ads or scripts into the page on the way through.
- →Nobody can quietly alter the page. If the content is tampered with in transit, the connection fails rather than delivering something changed.
- →You know you are connected to the domain in the address bar, and not something impersonating it on the network.
What it does not tell you
Here is where the padlock gets badly oversold, including by people who should know better.
HTTPS says nothing about who the business is or whether they are honest. A certificate authority issuing a free certificate checks one thing: that whoever asked controls the domain. It does not check that a company exists, that the products are real, or that anything will ever be shipped.
Scammers know this. A fake store set up this morning has a valid certificate and a perfect padlock by lunchtime, for free. The padlock is not lying to you. It is just answering a much smaller question than most people assume.
So read it in one direction only. No HTTPS is a serious red flag. HTTPS present proves very little on its own. Our guide on whether HTTPS means a website is safe goes through what to check instead.
If you are shopping
Two simple rules.
Browsers now mark plain HTTP pages as "Not secure" right in the address bar. If you reach a checkout, a login, or any form asking for card details and you see that, walk away. There is no good reason for a shop taking money in 2026 to be on plain HTTP. It is free to fix and every serious platform does it automatically, so its absence tells you something about who you are dealing with.
Then, once HTTPS is there, keep looking. Check how old the domain is, whether there is a real contact address, and whether the returns policy exists. The padlock has already told you everything it knows.
If you run the site
The order matters, and getting it wrong is how sites break.
- →Certificate first. Make sure a valid certificate is installed and HTTPS works everywhere before you change anything else.
- →Then force HTTPS. Redirect HTTP to HTTPS so nobody lands on the insecure version. On WordPress this also means setting Site Address and WordPress Address to https:// in Settings > General.
- →Then HSTS. Only once HTTPS is solid sitewide, add HSTS so browsers refuse to use HTTP at all. Never before.
- →Watch for mixed content. An HTTPS page still pulling an image or script over HTTP is mixed content, and it undermines the padlock.
Check your own site
Most hosted platforms do all of this for you and there is nothing to configure. If you are on your own server, or you have moved a domain recently, it is worth confirming rather than assuming.
A free check will tell you whether HTTPS is properly forced, whether the certificate is healthy, and what else is missing.
We have step by step instructions for every major platform, including the ones that will not let you.
See how to force HTTPS on your platform