Fixing Mixed Content in WordPress: Properly Enforcing HTTPS

Have you activated an SSL certificate, but the browser still displays your WordPress website as "Not secure"? Or is the padlock icon not appearing correctly? If so, the cause is often what is known as Mixed Content.

Mixed Content means: Although the website itself is loaded via https://, individual components of the page are still integrated via insecure http:// addresses. These can be images, CSS files, JavaScript files, fonts, videos, iframes, or external resources.

Briefly explained: Mixed Content occurs when an HTTPS page still loads individual pieces of content over HTTP. This can cause the browser to display security warnings or block insecure content.

Why Mixed Content is Problematic

HTTPS protects the connection between visitors and the website. However, if individual elements continue to load via HTTP, the page is not fully encrypted. This can impact security, trust, SEO, and user experience.

Mixed Content can have the following consequences:

  • The browser displays "Not secure" or warning messages,
  • The padlock icon does not appear correctly,
  • Images or scripts are blocked,
  • The layout may look broken,
  • Forms appear insecure,
  • Visitors lose trust,
  • Tracking or external functions do not work properly,
  • Technical SEO quality suffers.

Mixed Content should be consistently resolved, especially for contact forms, login pages, customer areas, and WooCommerce shops.

Typical Causes of Mixed Content

Mixed Content often arises after converting an existing website from HTTP to HTTPS. Old links remain stored in the database, theme, widgets, or page builders.

Common causes:

  • Images were previously integrated with http://,
  • Internal links still contain HTTP addresses,
  • Theme options save old URLs,
  • Page builders save paths in their own data structures,
  • CSS files contain absolute HTTP paths,
  • JavaScript files are loaded externally via HTTP,
  • Google Fonts or other external fonts are integrated insecurely,
  • Widgets contain hardcoded HTTP links,
  • Old shortcodes or HTML blocks contain HTTP addresses,
  • Cache files still contain old paths.

Active and Passive Mixed Content

Not every Mixed Content error is equally critical. A fundamental distinction is made between passive and active content.

Type Examples Risk
Passive Mixed Content Images, videos, audio files Can trigger warnings and negatively impact trust.
Active Mixed Content JavaScript, CSS, iframes, external scripts More critical, as features and security can be directly affected.

Modern browsers often automatically block active insecure content in particular. As a result, a website can suddenly look broken or certain features may stop working.

1. Checking if SSL is Properly Active

Before fixing Mixed Content, the SSL certificate itself must work correctly. Access your website using https://:

https://www.yourdomain.ch

Check:

  • Does the website generally load via HTTPS?
  • Is the certificate valid?
  • Does HTTPS work with and without www?
  • Is HTTP automatically redirected to HTTPS?
  • Does the browser display a specific certificate warning or Mixed Content warning?

If the certificate itself is faulty, the SSL and domain configuration must be checked first. Mixed Content is only the next step.

2. Setting the WordPress Address to HTTPS

Check the website URLs in WordPress:

Settings > General

Both fields should begin with https:// there:

  • WordPress Address (URL)
  • Site Address (URL)

Example:

https://www.yourdomain.ch

Caution: Only change these URLs if you are sure that SSL is properly active. Incorrect URL settings can prevent you from logging in correctly.

3. Finding Mixed Content in the Browser

The fastest way to troubleshoot is by using your browser's developer console.

How to proceed:

  1. Open the affected page in the browser.
  2. Press F12 or right-click and select Inspect.
  3. Open the Console tab.
  4. Look for messages containing Mixed Content.
  5. Take note of the affected HTTP addresses.

Typical message:

Mixed Content: The page at 'https://www.yourdomain.ch/' was loaded over HTTPS, but requested an insecure image 'http://www.yourdomain.ch/wp-content/uploads/image.jpg'.

This message usually points out directly which file is still being loaded insecurely.

4. Checking Mixed Content with Online Tools

In addition to the browser console, external checking tools can help. These scan a URL and display insecure content. Such tools are particularly helpful if you want to check multiple pages.

However, keep in mind: A tool usually only checks the specific URL provided. If Mixed Content occurs only on subpages, blog posts, product pages, or landing pages, these must be checked separately.

5. Simple Solution: Using an SSL Plugin

For many WordPress websites, an SSL plugin is the easiest solution. Plugins like Really Simple SSL can detect typical HTTPS problems, set up redirects, and partially fix Mixed Content automatically.

Typical workflow:

  1. Install a suitable SSL plugin.
  2. Activate the SSL configuration.
  3. Check the plugin's recommendations.
  4. Clear the cache.
  5. Test the website again in the browser.

This method is especially convenient for beginners. The downside: Some corrections occur dynamically at runtime and do not always resolve the root cause in the database.

6. Clean Solution: Replacing HTTP URLs in the Database

If your website was previously run under HTTP, old URLs may be stored in the database. A clean solution is to replace internal URLs from http:// to https://.

Suitable plugins for this include:

  • Better Search Replace,
  • Search & Replace Everything,
  • WP-CLI search-replace for advanced users.

Example:

Search for Replace with
http://www.yourdomain.ch https://www.yourdomain.ch
http://yourdomain.ch https://www.yourdomain.ch
Important: Always create a full backup before performing any database replacement. Run a dry run first before changes are permanently saved.

7. Using Better Search Replace Safely

How to proceed carefully with Better Search Replace:

  1. Create a full backup of files and the database.
  2. Install the Better Search Replace plugin.
  3. Go to Tools > Better Search Replace.
  4. Enter your old HTTP address under Search for.
  5. Enter the new HTTPS address under Replace with.
  6. Select the relevant tables.
  7. Activate the Run as dry run? option first.
  8. Check the number of matches found.
  9. If everything looks plausible, execute the replacement without the dry run.
  10. Afterwards, clear the cache and check the website.

Use fully qualified domain names if possible. Do not blindly replace every http:// with https://, because external URLs could be affected that might not be accessible under HTTPS.

8. Checking Page Builders and Theme Options

Page builders such as Elementor, Divi, WPBakery, or other layout systems often save URLs in their own data fields, CSS files, or cache structures. Therefore, Mixed Content can persist despite a database replacement.

With page builders, check:

  • Global theme options,
  • Header and footer templates,
  • Background images,
  • Custom CSS,
  • Templates,
  • Popup builders,
  • Saved library elements,
  • Regenerated CSS files.

For Elementor, this often helps:

  • Elementor > Tools > Regenerate Files & Data,
  • Clear Elementor cache,
  • Clear website cache,
  • Clear browser cache.

9. Checking Theme Files and Widgets

Some HTTP links are not stored in the database but are hardcoded directly in theme files, widgets, or custom code. This particularly affects older websites or custom-tailored themes.

Possible locations:

  • header.php,
  • footer.php,
  • functions.php,
  • Custom HTML Widgets,
  • Theme options,
  • Customizer fields,
  • Footer copyright fields,
  • Tracking code fields,
  • Embedded fonts or scripts.

Hardcoded HTTP links must be corrected manually. If possible, use a child theme for this so that changes are not lost during theme updates.

10. Checking External Resources

Not every Mixed Content error comes from your own domain. Sometimes external files are integrated insecurely.

Examples:

  • External images,
  • Old tracking scripts,
  • Fonts,
  • iframes,
  • Videos,
  • Review widgets,
  • Chat widgets,
  • Old CDN addresses.

If an external service does not support HTTPS, you should no longer integrate it via HTTP. Look for an HTTPS-capable alternative or remove the integration.

11. Redirecting HTTP to HTTPS

In addition to fixing the content, HTTP should be permanently redirected to HTTPS. This prevents visitors or search engines from using old HTTP addresses.

Depending on the setup, a redirect can be implemented via:

  • cPanel,
  • .htaccess,
  • WordPress plugin,
  • Server configuration,
  • CDN or proxy, if used.

It is important that the redirect is clean and straightforward. Avoid redirect chains like HTTP without www → HTTPS without www → HTTPS with www, if a direct redirect is possible.

12. Clearing the Cache Completely

After correcting Mixed Content, all caches should be cleared. Otherwise, old HTTP references may continue to be served.

Clear the:

  • WordPress cache,
  • Caching plugin,
  • Page builder cache,
  • Theme cache,
  • Server cache, if present,
  • CDN cache, if used,
  • Browser cache.

Afterwards, test the website in a private browser window or on another device.

13. Checking WooCommerce with Extra Care

HTTPS is particularly crucial for WooCommerce shops. Shopping carts, checkouts, customer accounts, and payment processes must be fully encrypted.

After switching to HTTPS, check:

  • Product pages,
  • Shopping cart,
  • Checkout,
  • Customer account,
  • Payment providers,
  • Order confirmation,
  • Email links,
  • Webhooks,
  • Tracking and conversion scripts.

Always place a test order on a shop website.

14. Updating Google Search Console and Sitemap

After switching to HTTPS, you should check whether your sitemap contains HTTPS URLs. SEO plugins usually generate sitemaps automatically using the current website address.

Check:

  • Does the sitemap contain only HTTPS URLs?
  • Has the sitemap been updated in the Google Search Console?
  • Are there any 404 errors or redirect issues?
  • Are old HTTP URLs being redirected correctly?
  • Are canonical URLs set to HTTPS?

A clean HTTPS structure helps search engines index the correct URLs.

15. Common Mistakes When Fixing Mixed Content

  • Only activating an SSL certificate: Old HTTP links still remain.
  • No database backup: Faulty replacements are difficult to undo.
  • Blindly replacing http://: External URLs can be broken.
  • Not clearing the cache: Old content continues to be displayed.
  • Forgetting the page builder: CSS files and templates continue to contain HTTP paths.
  • Only checking the homepage: Mixed Content can occur on subpages.
  • Not testing WooCommerce: Checkout problems go unnoticed.
  • No 301 redirect: The HTTP version remains accessible.

SEO and Trust

HTTPS is the standard for professional websites today. Mixed Content can damage trust, especially when browsers display warnings. Visitors expect forms, logins, and shops to function securely.

A clean HTTPS migration helps with:

  • Visitor trust,
  • Technical SEO quality,
  • Correct indexing,
  • Secure form transmission,
  • Professional public image,
  • Stable tracking and shop functions.

GEO: Secure and Consistent URLs

GEO (Generative Engine Optimization) benefits from clear, stable, and trustworthy website structures. If content is accessible via different HTTP and HTTPS addresses, or if insecure resources are blocked, it can negatively affect technical clarity.

Clean HTTPS structures help through:

  • Uniform URLs,
  • Fewer error pages,
  • Correct internal links,
  • Fully loading content,
  • Trustworthy technical signals,
  • Better accessibility of important resources.

Recommended Procedure

  1. Check SSL: The certificate must be valid and correctly active.
  2. Check WordPress URLs: Set the Site Address and WordPress Address to HTTPS.
  3. Open Browser Console: Identify sources of Mixed Content.
  4. Create Backup: Mandatory before making database changes.
  5. Clean Database: Replace old internal HTTP URLs with HTTPS.
  6. Check Page Builder: Regenerate CSS and templates.
  7. Check Theme and Widgets: Correct hardcoded HTTP links.
  8. Redirect HTTP to HTTPS: Set up a clean 301 redirect.
  9. Clear Cache: Check WordPress, plugin, server, CDN, and browser.
  10. Test Subpages: Do not just check the homepage.
  11. Test WooCommerce: Check checkout and payments.
  12. Check Sitemap and Search Console: Confirm HTTPS URLs.

Frequently Asked Questions About Mixed Content

What is Mixed Content?

Mixed Content occurs when a website is loaded via HTTPS, but individual files or resources are still integrated via HTTP.

Why does my browser say "Not secure" despite SSL?

This is often due to Mixed Content, an expired SSL certificate, incorrect domain configuration, or insecurely integrated external resources.

How do I find Mixed Content?

Open your browser's developer console using F12 and check the Console tab for Mixed Content warnings.

Can a plugin fix Mixed Content?

Yes, in many cases SSL plugins help. However, a permanently clean solution is often to correct old HTTP URLs in the database, theme, and page builder.

Should I use Better Search Replace?

Yes, if old internal HTTP URLs are stored in the database. Create a full backup beforehand and run a dry run first.

Why does the error persist after the fix?

This is frequently due to cache, page builder CSS, theme options, widgets, or external resources that continue to load via HTTP.

Do I need to pay extra attention to HTTPS with WooCommerce?

Yes. The shopping cart, checkout, customer account, and payment processes must work completely securely via HTTPS.

Is Mixed Content bad for SEO?

Mixed Content can affect trust, technical quality, and user experience. A clean HTTPS structure is clearly recommended for professional websites.

Still no secure padlock icon?

Sometimes HTTP links hide in page builders, theme files, widgets, or old database entries. CURIAWEB will gladly assist you with the analysis and resolution of persistent Mixed Content issues on your WordPress website.

Request Mixed Content Analysis
Was this answer helpful? 0 Users Found This Useful (0 Votes)

Most Popular Articles

How to Install WordPress via Softaculous Auto-Installer

How to Install WordPress via Softaculous Auto-Installer WordPress is the world's leading...
How to Manually Install WordPress via Installation Archive

How to Manually Install WordPress via Installation Archive In this tutorial, we will guide you...
WordPress Configuration: How to Adjust General Settings for Optimal Results

WordPress Configuration: How to Adjust General Settings for Optimal Results After the initial...
What is a WordPress Plugin and How Do You Install It?

What is a WordPress Plugin and How to Install a New One? Introduction Plugins are components...
How to Install a New Theme in WordPress

How to Install a New Design (Theme) in WordPress Introduction It is obvious how fundamentally...