Mixed content happens when your page loads over HTTPS but some resources (images, scripts, stylesheets) are still requested over HTTP. The browser blocks or warns about these insecure resources, breaking your padlock icon and potentially breaking site functionality.

Finding Mixed Content

Browser DevTools

  1. Open your site in Chrome
  2. Press F12 to open DevTools
  3. Click the Console tab
  4. Look for warnings like:
  Mixed Content: The page at 'https://yourdomain.com/' was loaded over HTTPS,
but requested an insecure resource 'http://yourdomain.com/wp-content/uploads/image.jpg'.

Each warning tells you the exact URL that’s still using HTTP.

Quick Check

Click the padlock (or “Not Secure” text) in the browser address bar. It will tell you if the page has mixed content.

Fix 1: Update WordPress URLs

Make sure WordPress itself is configured for HTTPS:

  1. Go to Settings > General in wp-admin
  2. Verify both URLs start with https://:
    • WordPress Address (URL): https://yourdomain.com
    • Site Address (URL): https://yourdomain.com
  3. Save Changes

Fix 2: Search and Replace HTTP URLs in Content

Your posts and pages may contain hardcoded http:// URLs in images, links, and embeds. The fastest fix is a database search-and-replace.

Using a Plugin

  1. Install Better Search Replace from the WordPress plugin directory
  2. Go to Tools > Better Search Replace
  3. Search for: http://yourdomain.com
  4. Replace with: https://yourdomain.com
  5. Select all database tables
  6. Run a dry run first to see how many replacements it finds
  7. If the number looks right, uncheck “Dry Run” and run it for real

Using WP-CLI (SSH) 

  wp search-replace 'http://yourdomain.com' 'https://yourdomain.com' --all-tables --dry-run
# Check the output, then run without --dry-run:
wp search-replace 'http://yourdomain.com' 'https://yourdomain.com' --all-tables

Fix 3: Check Your Theme

Some themes hardcode HTTP URLs in their templates:

  1. Go to Appearance > Theme File Editor (or check via File Manager)
  2. Look in header.php, footer.php, and functions.php for http:// references
  3. Replace with https:// or use protocol-relative URLs (//yourdomain.com/path)

Better yet, use WordPress functions like get_template_directory_uri() instead of hardcoded URLs.

Fix 4: Check Plugins and Widgets

  • Widget content: check sidebar widgets for hardcoded HTTP links
  • Slider plugins: image URLs in slider settings are often hardcoded
  • Custom CSS: check Appearance > Customize > Additional CSS for HTTP references
  • Page builders: Elementor, Divi, and others store URLs in their own format. Use their built-in tools to update URLs

Fix 5: External Resources

If the mixed content comes from an external source (a font service, CDN, or embedded content):

  • Update the URL to use https:// if the service supports it (most do)
  • If the service doesn’t support HTTPS, find an alternative
  • For embedded content (iframes), update the src attribute to https://

After Fixing

  1. Purge your cache: go to LiteSpeed Cache > Purge All (or your cache plugin’s equivalent)
  2. Recheck in DevTools: open the Console tab and reload. There should be zero mixed content warnings
  3. Test in multiple browsers: some browsers cache mixed content warnings aggressively

Use the GoZen SSL Auditor to verify your SSL configuration is clean.

What to Do Next

Last updated 07 Apr 2026, 00:00 +0200. history

Was this page helpful?