Skip to content

How to Fix Mixed Content WordPress

Mixed content errors occur when a secure HTTPS site loads resources over HTTP, causing browser warnings. This guide shows you how to fix mixed content WordPress issues using plugins, manual edits, and best practices to keep your site secure and fast.

Key Takeaways

  • Mixed content breaks security: Loading HTTP resources on an HTTPS site triggers browser warnings and hurts SEO.
  • Use a plugin for quick fixes: Tools like Really Simple SSL automatically detect and resolve most mixed content issues.
  • Update your site URL: Change WordPress Address and Site Address to HTTPS in Settings > General.
  • Search and replace old links: Use a safe search-and-replace tool to update HTTP links in your database.
  • Check themes and plugins: Outdated or poorly coded themes can inject insecure links—keep them updated.
  • Test after fixing: Use browser developer tools or online scanners to confirm all content loads securely.
  • Prevent future issues: Always use relative URLs or protocol-relative paths when adding media or scripts.

How to Fix Mixed Content WordPress: A Complete Guide

If your WordPress site shows a “Not Secure” warning in the browser bar—or worse, blocks access entirely—you might be dealing with a mixed content error. This happens when your site uses HTTPS (secure), but some elements like images, scripts, or stylesheets are still loaded over HTTP (insecure). The result? Broken padlocks, warning messages, and frustrated visitors.

The good news? Fixing mixed content in WordPress is straightforward once you know the steps. In this guide, we’ll walk you through how to fix mixed content WordPress issues using both automated tools and manual methods. By the end, your site will load fully over HTTPS, boosting security, SEO, and user trust.

What Is Mixed Content?

Mixed content occurs when a webpage served over HTTPS includes resources (like images, videos, CSS, or JavaScript) that are loaded over HTTP. Modern browsers like Chrome and Firefox flag these pages as “Not Secure,” even if the main page is encrypted.

There are two types:

  • Active mixed content: Scripts, iframes, or stylesheets loaded via HTTP. These are blocked by default in most browsers.
  • Passive mixed content: Images, videos, or audio files loaded via HTTP. These may still load but trigger security warnings.

Either way, mixed content hurts your site’s credibility and can affect search rankings. Google favors fully secure sites, so fixing this issue is essential.

Step 1: Update Your WordPress Site URL to HTTPS

The first step in how to fix mixed content WordPress is ensuring your site is set to use HTTPS by default.

Go to Settings > General

Log into your WordPress dashboard and navigate to Settings > General. Look for two fields:

  • WordPress Address (URL)
  • Site Address (URL)

Both should start with https://. If they still say http://, change them to https://yourdomain.com and save the changes.

Why This Matters

WordPress uses these URLs to generate links for themes, plugins, and media. If they’re set to HTTP, new content may still load insecurely—even after you’ve installed an SSL certificate.

Step 2: Install an SSL Plugin (Recommended for Beginners)

For most users, the fastest way to fix mixed content is using a plugin. We recommend Really Simple SSL—it’s free, lightweight, and handles most issues automatically.

Install and Activate Really Simple SSL

  1. Go to Plugins > Add New.
  2. Search for “Really Simple SSL.”
  3. Click Install Now, then Activate.

Once activated, the plugin will detect your SSL certificate and automatically redirect HTTP traffic to HTTPS. It also fixes many common mixed content issues by rewriting insecure URLs on the fly.

Verify the Fix

Visit your site and check the browser address bar. You should see a padlock icon. If you still see warnings, proceed to the next steps.

Step 3: Search and Replace Old HTTP Links

Even after updating settings, old content—like blog posts, pages, or widgets—may still contain hardcoded HTTP links. These need to be updated manually or with a tool.

Use a Safe Search-and-Replace Plugin

Never edit the database directly unless you’re experienced. Instead, use a trusted plugin like Better Search Replace.

  1. Install and activate Better Search Replace from the plugin directory.
  2. Go to Tools > Better Search Replace.
  3. In the Search for field, enter http://yourdomain.com.
  4. In the Replace with field, enter https://yourdomain.com.
  5. Select all tables (or just wp_posts and wp_postmeta for safety).
  6. Check Run as dry run first to preview changes.
  7. If everything looks good, uncheck dry run and click Run Search/Replace.

This updates all internal links in your content, menus, and widgets to use HTTPS.

Important Notes

  • Always back up your site before running database searches.
  • Avoid replacing URLs in serialized data (like widgets) unless you’re sure the plugin handles it safely.
  • If you use a caching plugin, clear the cache after making changes.

Step 4: Check Your Theme and Plugins

Sometimes, mixed content comes from your WordPress theme or plugins that hardcode HTTP links.

Inspect Your Theme Files

If you’re using a custom or older theme, check files like header.php, footer.php, and functions.php for hardcoded HTTP URLs. Look for lines like:

<script src="https://example.com/script.js"></script>

Change them to:

<script src="https://example.com/script.js"></script>

Or better yet, use protocol-relative URLs:

<script src="//example.com/script.js"></script>

Update or Replace Problematic Plugins

Some plugins inject insecure scripts. To find the culprit:

  • Deactivate plugins one by one and check if the mixed content warning disappears.
  • Reactivate them gradually to identify the problematic plugin.
  • Update the plugin or find a secure alternative.

For help managing themes, check out our guide on how to update theme on WordPress to ensure compatibility and security.

Step 5: Force HTTPS with .htaccess (Advanced)

If plugins don’t catch everything, you can force HTTPS at the server level using your .htaccess file.

Edit Your .htaccess File

  1. Access your site via FTP or your hosting file manager.
  2. Locate the .htaccess file in your root directory.
  3. Make a backup before editing.
  4. Add this code at the top:
    RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

This redirects all HTTP traffic to HTTPS, helping prevent future mixed content issues.

Step 6: Test Your Site

After making changes, test your site thoroughly.

Use Browser Developer Tools

  1. Open your site in Chrome or Firefox.
  2. Right-click and select Inspect.
  3. Go to the Console tab.
  4. Look for warnings like “Mixed Content” or “Blocked loading.”

If you see errors, note the resource URL and trace it back to your content, theme, or plugins.

Use Online Mixed Content Scanners

Tools like:

Scan your site and list all insecure resources.

Troubleshooting Common Issues

Padlock Still Missing After Fixing?

  • Clear your browser cache and cookies.
  • Clear WordPress cache (if using a plugin like WP Super Cache).
  • Check for hardcoded URLs in custom CSS or JavaScript.

Images Still Loading Over HTTP?

  • Re-upload images via the Media Library (they’ll use HTTPS).
  • Use the Regenerate Thumbnails plugin to refresh image URLs.

Plugin or Theme Causing Issues?

Temporarily switch to a default theme like Twenty Twenty-Four. If the issue disappears, your theme is the problem. For plugin conflicts, use the deactivation method mentioned earlier.

Preventing Future Mixed Content Issues

Once fixed, keep your site secure:

  • Always use HTTPS when adding links: When inserting images or embedding videos, paste HTTPS URLs.
  • Keep plugins and themes updated: Developers often patch security flaws in updates.
  • Use relative URLs when possible: Instead of http://yoursite.com/image.jpg, use /wp-content/uploads/image.jpg.
  • Monitor regularly: Use tools like Google Search Console to catch new issues early.

For more on maintaining a secure WordPress site, read our guide on best WordPress theme for SEO and speed, which includes security best practices.

Conclusion

Fixing mixed content in WordPress doesn’t have to be scary. By updating your site URLs, using a plugin like Really Simple SSL, replacing old HTTP links, and testing thoroughly, you can eliminate insecure warnings and protect your visitors.

Remember: a fully HTTPS site isn’t just about security—it’s about trust. Users and search engines alike prefer sites that take privacy seriously. Now that you know how to fix mixed content WordPress, you’re ready to keep your site fast, safe, and professional.

Don’t forget to back up your site before making major changes, and consider using a staging environment for testing. With these steps, your WordPress site will be secure and ready for the future.