I’ve recently migrated all my sites to use SSL (I know, it’s long overdue) and despite the SSL-Certificates being valid and working, Chrome and Firefox would show my sites as “not secure”. (No padlock icon.)
After some digging, I discovered that WordPress really doesn’t play very nicely with SSL. Lots of themes, plugins, etc will use hard-coded or generated, absolute, http:// URLs, with no regards to what the site is actually using. Worse, posts may include absolute URLs in links to content.
Instead of fixing all themes, plugins, and content manually (or with a clever script), one easy solution is to include the following line in your .htaccess:
Header always set Content-Security-Policy "upgrade-insecure-requests;"
This will cause the users’ browsers to convert all insecure http-Links to https automatically. So far, it seems to work perfectly fine.