The push to secure peoples website connections is going a lot further. At first it was login forms that where getting labeled as insecure (most prominently in Firefox). Now Google, with Chrome is going a step further, from July this year all sites which are not using encrypted connections (old http) will be marked as not secure. From Googles security blog:
For the past several years, we’ve moved toward a more secure web by strongly advocating that sites adopt HTTPS encryption. And within the last year, we’ve also helped users understand that HTTP sites are not secure by gradually marking a larger subset of HTTP pages as “not secure”. Beginning in July 2018 with the release of Chrome 68, Chrome will mark all HTTP sites as “not secure”.
So now really is the time, even if what you have is a simple brochure site to make sure your site works with secure connections.
Most web hosting panels will give access to enable SSL if you don’t have technical expertise. Lets Encrypt provides free, auto renewable SSL certificates that work in all recent browsers, and there are also services such as Cloudflare that can offer upgrade connections to SSL, though this does open a person in the middle issue as Cloudflare decrypt the traffic and then make a further request for the page, which depending on settings may not be secure.
Once secure connections are enabled and the certificate is installed, its important to check any resources that load on the page are also set to load over https. Sometimes with platforms such as WordPress, when the initial install was over a standard http url, any images that where uploaded can be included in the page with the absolute URL. This will flag up warnings when loading the website under a secure connection (a mixed content warning). This will require a search and replace over all the old URLs, as well as changing the sites setting to use the secure version in the future (under Settings → General). There are also plugins that can silently rewrite insecure requests to the secure version as webpages are loaded. Similar plugins or modules are available for other platforms.
Same issue can happen with resources such as CSS and Javascript. If your not technically minded you may need to talk to the person who developed your website, or find a developer. In general its better to load resources relatively using /resource type uris instead of the full link. For external resources (scripts loaded from Google for example) then //api.google.com (just exclude the http: bit) will mean that the resources load on whichever type of connection the web connection the site was originally loaded with.
Upgrading to secure connections provides better reassurance to those who make use of your website, though its only one step. With GDPR coming into force then there is a lot more to make sure your website is secure. I have a feeling that soon enough it will not just be insecure warnings, but http will stop being supported altogether.