How to Fix Mixed Content Warnings Error on WordPress

Last updated on May 21st, 2025 at 04:37 am

Introduction

If you’ve installed an SSL certificate on your WordPress site and switched from HTTP to HTTPS, that’s a good step toward securing your website. But if you’re still seeing a broken padlock in your browser or getting browser warnings about insecure content, you’re likely dealing with a mixed content warning.

Mixed content errors occur when some parts of your site (like images, scripts, or stylesheets) still load using HTTP while the main page uses HTTPS. Browsers flag or block those insecure requests, which can make your website appear insecure, leading to lost trust and lower search engine rankings.

This article will walk you through everything — what the error means, how to identify it, how to fix it manually or with plugins, and how to avoid it in the future.

What is a Mixed Content Warning in WordPress?

When a website runs on HTTPS, it’s expected that all resources (scripts, images, fonts, stylesheets, etc.) also load through HTTPS. A mixed content warning appears when:

  • Your web page is served over HTTPS
  • But it includes links to resources (like images, stylesheets, or JavaScript files) using HTTP

Types of Mixed Content:

  • Passive mixed content: Refers to images, audio, or videos. Browsers may still load them but issue a warning.
  • Active mixed content: Refers to JavaScript, stylesheets, or iframes. Browsers often block these entirely because they can be exploited by attackers.

Example:
Your site loads via:

https://yoursite.com

But includes an image like:

<img src="http://yoursite.com/images/logo.png">

That’s mixed content.

Why Is Mixed Content a Problem?

Security Risk

Mixing secure (HTTPS) and insecure (HTTP) content defeats the purpose of using SSL. Anyone on the network path can intercept or modify a resource loaded over HTTP, and a modified script or stylesheet then runs inside the otherwise secure page.

Browser Warnings

Modern browsers like Chrome, Firefox, and Edge display security warnings or completely block HTTP elements. That can scare visitors away.

SEO Impact

Mixed content doesn’t just affect your site’s appearance or trustworthiness — it can directly hurt your search engine optimization (SEO). Google has been pushing secure browsing for years, and websites that don’t fully adopt HTTPS can lose visibility in search results.

What Causes Mixed Content in WordPress?

Mixed content issues usually occur when you switch your site from HTTP to HTTPS, but some elements are still being loaded using the old, insecure protocol. WordPress may show the main page as secure, but if even one file or asset is loaded over HTTP, your browser will flag it as “mixed content.”

Let’s take a look at the most common sources that trigger this issue:

Images Uploaded Before SSL Was Installed

If your WordPress website was running on HTTP and you uploaded images before enabling SSL, those image URLs were saved with http:// in your database. Even after switching to HTTPS, WordPress doesn’t automatically update those links. As a result, these older images are still loaded from the insecure version of your site, causing mixed content warnings.

Example:
 An image embedded in a blog post still points to:
http://yoursite.com/wp-content/uploads/2022/05/header.jpg

Themes or Plugins Loading Files Over HTTP

Some older or poorly coded themes and plugins may have hardcoded file links using http:// instead of using WordPress functions that adapt to HTTPS. These files might include:

  • CSS stylesheets
  • JavaScript files
  • Custom fonts
  • Image assets

Because these files are essential to the page design and layout, browsers may block them — leading to broken functionality or display issues.

Hardcoded URLs in Pages, Posts, or Theme Templates

When you manually add internal links in posts, widgets, or custom code with http://, they don’t automatically change when your site moves to HTTPS. Additionally, theme files like header.php or footer.php might contain full HTTP URLs instead of dynamic WordPress functions.

This is one of the most overlooked causes and often needs a manual or database-level fix.

External Scripts or Embeds Not Using HTTPS

If your site includes third-party resources like:

  • YouTube videos
  • Google Fonts
  • Analytics scripts
  • Chatbots or form embeds

…and they are linked using HTTP, your browser will consider these insecure.

Example:
 Embedding a script from http://examplecdn.com/script.js instead of the secure version can result in the browser blocking that resource entirely.

CDN or External Storage Services Serving HTTP Links

If you’re using a Content Delivery Network (CDN) or storing assets on external servers like Amazon S3 or Google Cloud, those links also need to be secure. Some CDNs don’t default to HTTPS, and older configurations may still be delivering files using HTTP, which can trigger mixed content alerts even if your main domain is secure.

Fix:
Make sure your CDN is configured to use HTTPS and update all existing links accordingly.

How to Identify Mixed Content Warnings

  1. Use Browser Developer Tools

Open your site in Chrome > Right-click > “Inspect” > Click the Console tab.
Look for messages like:

Mixed Content: The page at 'https://example.com' was loaded over HTTPS, but requested an insecure image 'http://example.com/image.jpg'. This content should also be served over HTTPS.

  2. Use Online Scanners

Online scanners such as WhyNoPadlock check each URL on your page and highlight the ones not loading securely.

  3. Use WordPress Plugins

  • Really Simple SSL: Automatically detects and fixes mixed content.
  • SSL Insecure Content Fixer: Offers different levels of fixes depending on what’s causing the issue.
  • Better Search Replace: Lets you replace all HTTP URLs with HTTPS in the database.

Backup Your WordPress Site First

Before fixing anything:

  • Backup your files (themes, plugins, media)
  • Backup your database

You can use plugins like:

  • UpdraftPlus
  • All-in-One WP Migration
  • BackupBuddy

If something goes wrong, you’ll be able to restore the site quickly.

Manual Fixes for Mixed Content Warnings

  1. Change URLs in Your WordPress Database

If your site was originally on HTTP, old links might still use it.

Install the Better Search Replace plugin:

  • Search for http://yoursite.com
  • Replace with https://yoursite.com
  • Select tables like wp_posts, wp_postmeta, wp_options
  • Run a dry run first

This replaces internal links, image paths, and other content pointing to HTTP.
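
Values in wp_options and wp_postmeta are often stored in PHP's serialized format, where every string carries its byte length, so a plain text replace of http:// with https:// leaves a stale length behind and the value no longer unserializes. The following added example (not from the original article; the option value and helper names are constructed) shows that breakage next to a length-aware replacement, which is the reason to use a serialization-aware tool and a dry run on those tables.

```python
import re

_STR_HEAD = re.compile(rb's:(\d+):"')  # start of a PHP-serialized string token


def php_str(value: bytes) -> bytes:
    """Serialize one string the way PHP does: s:<byte length>:"<bytes>";"""
    return b's:%d:"%s";' % (len(value), value)


def rewrite_strings(blob: bytes, fn) -> bytes:
    """Apply fn to every string in a serialized blob, re-emitting correct lengths.

    Raises ValueError when a declared length does not match the data.
    """
    out, pos = bytearray(), 0
    while (m := _STR_HEAD.search(blob, pos)):
        end = m.end() + int(m.group(1))
        if blob[end:end + 2] != b'";':
            raise ValueError(f"length mismatch at offset {m.start()}")
        out += blob[pos:m.start()] + php_str(fn(blob[m.end():end]))
        pos = end + 2
    return bytes(out + blob[pos:])


def is_valid(blob: bytes) -> bool:
    """True when every declared string length matches its content."""
    try:
        rewrite_strings(blob, lambda v: v)
        return True
    except ValueError:
        return False


def safe_replace(blob: bytes, old: bytes, new: bytes) -> bytes:
    return rewrite_strings(blob, lambda v: v.replace(old, new))


# Constructed sample of a serialized widget option (not from a real site).
OLD, NEW = b"http://yoursite.com", b"https://yoursite.com"
OPTION = (b"a:2:{" + php_str(b"title") + php_str(b"Logo")
          + php_str(b"url") + php_str(OLD + b"/images/logo.png") + b"}")
NAIVE = OPTION.replace(OLD, NEW)         # what a raw text or SQL replace produces
FIXED = safe_replace(OPTION, OLD, NEW)   # lengths recomputed after the replace

if __name__ == "__main__":
    print("naive replace still valid:", is_valid(NAIVE))
    print("length-aware replace valid:", is_valid(FIXED))
    print(FIXED.decode())
```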

  2. Fix URLs in Theme Files

Some themes include full URLs instead of using WordPress functions.

Open:

  • header.php
  • footer.php 
  • functions.php

Search for:

http://

And replace with:

https://

Or, for the theme's own files, use the WordPress function:

get_template_directory_uri();

which dynamically generates the correct URL.

  3. Update Media URLs

Old image and video files may be loading via HTTP.

Option 1:

  • Reinsert the media via the WordPress editor to refresh the URL

Option 2:

  • Use Velvet Blues Update URLs or Search & Replace plugin

Option 3:

  • Use a plugin to regenerate thumbnails (like Regenerate Thumbnails)

Fix Mixed Content Automatically Using Plugins

1. Really Simple SSL

This plugin:

  • Forces HTTPS on all pages
  • Rewrites insecure URLs
  • Sets necessary security headers

Steps:

  1. Install and activate
  2. Enable SSL via the plugin dashboard
  3. Clear your browser and site cache

2. SSL Insecure Content Fixer

Offers flexible options:

  • Simple: Fixes content in posts and widgets
  • Content: Adds fixes for shortcodes and text widgets
  • Widgets: Extends support to widget output
  • Capture: Captures output and replaces links (useful if other levels fail)

Choose the right level from Settings > SSL Insecure Content Fixer.

3. Better Search Replace

As discussed earlier, it helps change all old HTTP references in your database to HTTPS in one go. This is especially useful if your theme or plugins have hardcoded links.

Redirect HTTP to HTTPS (Force Secure URLs)

Update WordPress Settings

Go to Settings > General and:

  • Change WordPress Address (URL) and Site Address (URL) to start with https://

Update .htaccess File

If your hosting uses Apache, add this to the top of your .htaccess:

<IfModule mod_rewrite.c>
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
</IfModule>

Update wp-config.php

Add this line:

define('FORCE_SSL_ADMIN', true);

This ensures your WordPress dashboard is always accessed securely.

Fixing Mixed Content from External Services

Sometimes the problem isn’t your code — it’s a third-party service like:

  • YouTube videos
  • Fonts from non-secure sources
  • CDN links

How to Fix:

  • Always use HTTPS URLs when embedding
  • Replace http://www.youtube.com with https://www.youtube.com
  • Update font and script links in headers or theme options

If Using CDN:

  • Check your CDN settings to ensure it’s delivering via HTTPS
  • Clear/purge the CDN cache after updates

Preventing Mixed Content Warnings in the Future

Always Use HTTPS

When adding content — use the full https:// link or a relative path like /images/logo.png if applicable.

Educate Contributors

Train your team to use HTTPS when inserting images, links, or scripts.

Use Updated Themes and Plugins

Pick themes and plugins from reliable developers. They usually follow best practices and don’t hardcode insecure links.

Use Content Delivery Networks (CDNs) That Support HTTPS

Most popular CDNs like Cloudflare, BunnyCDN, and KeyCDN offer full HTTPS support. Make sure SSL is enabled in your CDN dashboard.

Troubleshooting: Still Seeing Mixed Content?

Clear Caches

  • Clear browser cache
  • Clear WordPress cache (via plugins like W3 Total Cache or WP Super Cache)
  • Purge CDN cache

Disable Conflicting Plugins

Temporarily disable plugins to see if one is injecting HTTP links.

Use Real-Time Scanners

Re-scan your site using WhyNoPadlock or Chrome DevTools to catch anything you may have missed.

Conclusion

Mixed content warnings are common, especially when switching a WordPress site from HTTP to HTTPS. But fixing them is essential for:

  • Better security
  • Higher trust
  • Improved SEO performance

You can fix mixed content errors manually, through the database, or by using powerful plugins like Really Simple SSL or SSL Insecure Content Fixer. The important thing is to act quickly — every insecure resource puts your site at risk.

Need Expert Help?

Still facing mixed content problems on your site?
Don’t worry. Our experts at 24×7 WP Support can take care of everything for you — quickly, safely, and professionally.

Chat with us now or call:
📞 US & Canada: 888-818-9916
 📞 UK: 800-069-8778
 📞 AU: 1800-990-217
