Most South African sites have SSL certificates now. AutoSSL is on by default in cPanel, Let's Encrypt is free, and browsers shame any site still on plain HTTP. But having a certificate and having a properly configured HTTPS site are two different things. The certificate is the easy part. The cleanup is where things break.
Mixed content warnings count as security failures in modern browsers. Redirect chains that pass through HTTP leak data and slow page loads. Forgotten subdomains running old WordPress installs become attack surfaces. Each one of these undermines the user trust your padlock icon is supposed to signal.
The six gaps
1. Mixed content
Mixed content means an HTTPS page that loads at least one resource over HTTP - an image, a script, a stylesheet, a font. Browsers block active mixed content (scripts, stylesheets) entirely and show a warning for passive content (images, video). On WordPress sites this usually happens because the database stores absolute HTTP URLs from before the site migrated to SSL.
To find it: open your homepage in Chrome, right-click and choose Inspect, then look at the Console tab. Any "Mixed Content" warnings list the exact HTTP resource. Fix the source. For WordPress, the Better Search Replace plugin runs a database-wide find-and-replace of http://yourdomain to https://yourdomain safely. Run it once, then verify with the console again.
2. HTTP redirects to HTTPS
Every HTTP request should redirect to HTTPS with a 301 permanent redirect. Test by visiting http://yourdomain.co.za (not the www version) and watching the address bar. If it lands on HTTPS, good. If it stays on HTTP, your redirect is missing.
For Apache hosts (the default on most South African cPanel servers), add to your .htaccess:
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
This catches every variant in one rule.
3. www vs non-www
Pick one canonical version - either yourdomain.co.za or www.yourdomain.co.za - and redirect the other to it. Google treats them as separate sites otherwise, which splits your ranking signals and creates duplicate-content concerns. Most SA agencies default to the non-www version, which is fine. Just be consistent and redirect the alternative.
4. Subdomains
Your main site has HTTPS. What about blog.yourdomain.co.za, staging.yourdomain.co.za, mail.yourdomain.co.za, or that old 2019.yourdomain.co.za microsite that everyone has forgotten about? Each one needs its own certificate (or a wildcard) and its own redirect rules. Forgotten subdomains are routinely how WordPress sites get hacked - an outdated install on a subdomain nobody is watching becomes a foothold for an attacker.
List your DNS records with dig yourdomain.co.za any or check your registrar control panel. Any subdomain that resolves to a public IP needs HTTPS and an audit. Subdomains you no longer use should be removed from DNS entirely.
5. Certificate expiry
AutoSSL handles renewals on cPanel, but it does fail occasionally - usually because the renewal cannot validate the domain (the validation file is blocked, the DNS is wrong, the site is behind Cloudflare with the wrong mode). A certificate that expires in production breaks your site visibly and immediately. Add expiry monitoring so you know about a failed renewal weeks before it happens, not the morning after.
The free scan checks certificate expiry on every scan. The Studio plan alerts you 30 days before expiry on any monitored site.
6. HSTS
HTTP Strict Transport Security tells the browser to remember that your site is HTTPS-only, so even if a user types the HTTP version, the browser never makes the insecure request in the first place. It also prevents downgrade attacks on public WiFi.
Add this header in your .htaccess or web server config:
Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"
Only enable HSTS once you are certain every subdomain has a valid certificate, because once the browser caches the policy, there is no easy rollback.
What good looks like
A well-configured site passes all six checks: HTTPS-only, no mixed content, single canonical host, every subdomain on HTTPS, certificates with at least 30 days remaining, and HSTS enabled. The perfect score sample shows what that looks like in a full health report. The poor score sample shows what missing redirects and mixed content look like.
Run the free scan on your homepage to check all six items in under two minutes. If you manage multiple sites for clients, the Studio plan runs the same checks on a schedule and alerts you the moment any of them regress.