Insecure form call - still Google chrome shows a green padlock!

Having a <form -tag which has an action which a hard-coded http:// -URL as destination
Where? -https://www.seohacks.net/basic/terms/html/

Domain Name: -www.seohacks.net
URL Tested: -https://www.seohacks.net/basic/terms/html/
Number of items downloaded on page: 71

Valid Certificate found.
Certificate valid through: Jul 20 23:59:59 2017 GMT

Certificate Issuer: GeoTrust Inc.
SSL Protocols Supported: TLSv1 TLSv1.1 TLSv1.2
All 71 items called securely!
Secure calls made to other websites:
-www.googletagmanager.com is valid and secure.

-www.facebook.com is valid and secure.

-b.st-hatena.com is valid and secure.

-cdn-ak.b.st-hatena.com is valid and secure.

-fonts.googleapis.com is valid and secure.

-www.googleadservices.com is valid and secure.

-googleads.g.doubleclick.net is valid and secure.

-www.google.com is valid and secure.

-static.xx.fbcdn.net is valid and secure.

Insecure <form> call. 

Found on line # %2F%2FwXw.seohacks.net%2Fbasic%2Fterms%2Fhtmlã%81¨ã%81¯%2F&width=72&layout=button&action=like&size=small&show_faces=false&share=false&height=65&appId in file: wXw.facebook.com/plugins/like.php?href=https
Insecure call.
Found on line # %2F%2FwXw.seohacks.net%2Fbasic%2Fterms%2Fhtmlã%81¨ã%81¯%2F&width=72&layout=button&action=like&size=small&show_faces=false&share=false&height=65&appId.orig in file: wXw.facebook.com/plugins/like.php?href=https

(Note: Chrome will show a security error for any secure page with an insecure call on the page)


quote from a report via https://www.whynopadlock.com/check.php

3 issues: http://retire.insecurity.today/#!/scan/4de99b4e6e7fd45349e498b8ce9e5a178c43df024e9f22f231843b686b645933

WordPress Version
4.6.1
Version does not appear to be latest 4.7.1 - update now.

Check: The following plugins were detected by reading the HTML source of the WordPress sites front page.

duplicate-post latest release (3.1.2)
http://lopo.it/duplicate-post-plugin/ (still being supported?).

Warning User Enumeration is possible
The first two user ID’s were tested to determine if user enumeration is possible.

ID User Login
1 None nyl-admin
2 None otani
It is recommended to rename the admin user account to reduce the chance of brute force attacks occurring. As this will reduce the chance of automated password attackers gaining access. However it is important to understand that if the author archives are enabled it is usually possible to enumerate all users within a WordPress installation.

F-F-X-status: https://observatory.mozilla.org/analyze.html?host=www.seohacks.net

polonus (volunteer website security analyst and website error-hunter)

Another example of an insecure connection where we see a green padlock in Google Chrome browser…

In this case the server cannot produce a secure connection: -https://server-52-85-142-226.iad12.r.cloudfront.net/
This for -sensepost.com (Pretoria SA).

Warnings
Root installed on the server.
For best practices, remove the self-signed root from the server.
RSA remove cross certificates
The certificate chain contains a cross root (primary intermediate) certificate that should be removed.
Use Symantec CryptoReport to remove cross root certificates.
This server is vulnerable to:
Heartbleed
This server is vulnerable to Heartbleed. Certificate valid through: Feb 16 23:59:59 2017 GMT
Certificate Issuer: GeoTrust Inc.
SSL Protocols Supported: TLSv1 TLSv1.1 TLSv1.2

Website is insecure by default
100% of the trackers on this site could be protecting you from NSA snooping. Tell -sensepost.com to fix it.

Identifiers | All Trackers
Insecure Identifiers
Unique IDs about your web browsing habits have been insecurely sent to third parties.

v1%3a14826XXXXX24722342 -Twitter guest_id

polonus (volunteer website security analyst and website error-hunter)