To fix mixed content warnings, back up your site, confirm SSL is working, then set both WordPress URLs to https and run a database search-and-replace to change http:// to https:// for your domain. Update any leftover hardcoded links, clear all caches, and re-test the browser console.
http:// links left in your content, theme, or database after switching to HTTPS.You did everything right. You got an SSL certificate, your address now starts with https://, and yet the browser still shows a broken padlock or a "Not secure" note in the address bar. On some pages, the layout may even look broken buttons or sliders stop working. If this is you, don't worry: this is one of the most common things that happens right after a site moves to HTTPS, and it is almost always fixable in a few minutes. The problem is not your certificate. It is a handful of old links that still point to the insecure version of your files. This guide walks you through finding and fixing every one of them. If you are still not sure your certificate itself is valid, start with our plain-English guide to what an SSL certificate is.
The browser already knows exactly which files are the problem you just need to ask it. The fastest way is the browser console, a built-in developer tool that lists loading errors and warnings.
Open the page that shows the warning, then press F12 (or right-click the page and choose Inspect). Click the Console tab. Look for lines that say "Mixed Content" they name the exact file that is still loading over HTTP, such as an image, a stylesheet, or a script. Write these down; they are your fix list. You can also click the padlock (or "Not secure" text) in the address bar and open the site's security details to see a similar summary.
If your page looks visually broken, that is a strong sign of active mixed content (explained below): the browser blocked a script or stylesheet, so part of the page stopped working.
Mixed content means a single web page is delivered over a secure https:// connection, but some of the files that page loads such as images, scripts, stylesheets, or fonts are still requested over insecure http://. The page is "mixed" because it combines secure and insecure connections. Browsers dislike this because an insecure file can be tampered with in transit, which weakens the security the padlock is supposed to promise.
There are two kinds, and the difference matters:
Passive (display) mixed content covers images, audio, and video. It cannot easily change the behaviour of your page, so browsers usually still load it but they downgrade your padlock and show a warning. Your page looks fine; it just is not marked fully secure.
Active mixed content covers scripts, stylesheets, and iframes files that can control how the page looks and behaves. Because a tampered script is dangerous, modern browsers usually block active mixed content outright. That is why a page can suddenly look broken or stop working after you move to HTTPS: the browser refused to load an insecure script or stylesheet.
So where do these old http:// links come from? When your site ran on HTTP, every image you uploaded, every link you pasted, and many theme and plugin settings saved their full web address starting with http://. Switching on SSL does not go back and rewrite those saved addresses. They stay in your content, your theme files, your widgets, and your database (the store that holds your posts, pages, and settings) until you update them. That cleanup is exactly what the steps below do.
There are two broad ways to clear mixed content, and most people use a mix of both:
https:// automatically. It is the fastest path for a typical mixed content WordPress site and great for beginners.The steps below combine them: do the safe manual cleanup, and lean on a plugin where it saves time. Either way, the order matters back up before you touch anything.
https://yourdomain.com and make sure the certificate loads without a certificate error (a downgraded padlock from mixed content is fine at this stage; an outright certificate error is not). If the certificate itself is not set up, fix that first using how to get an SSL certificate.http:// to https://. Save. This tells WordPress the whole site now lives on HTTPS.http:// links are stored throughout your database. Use a safe tool such as the Better Search Replace plugin, or a fix-it plugin like Really Simple SSL, to replace http://yourdomain.com with https://yourdomain.com. Always use a real search-replace tool that handles serialized data (bundled settings some plugins store) never edit the raw database with a blind find-and-replace, which can corrupt it.http://yourdomain.com, and change it to https://. These are often missed by database tools because they live in template files.http://. Update each one to its https:// version. If a third-party file has no secure version, download it and host it on your own HTTPS site instead.Content-Security-Policy: upgrade-insecure-requests header. This tells browsers to fetch http:// resources over https:// automatically. Treat it as a safety net, not a substitute for fixing the real links.Three mistakes catch people out most often:
http everywhere can damage serialized data and even rewrite links to other websites you did not mean to touch. Replace the specific string http://yourdomain.com, and use a tool built to handle serialized data safely.Once your site is clean, keeping it that way is simple:
http:// request to https:// so visitors and your own links always land on the secure version.https:// in new links. When you add images, embeds, or external scripts, paste the secure address. Many editors let you use protocol-relative or relative links, which sidesteps the problem entirely.Mixed content means a secure https:// web page is still loading some of its files such as images, scripts, or stylesheets over an insecure http:// connection. Because the page mixes secure and insecure requests, the browser cannot call it fully safe, so it shows a warning or a downgraded padlock.
Almost always because old http:// links are still saved in your content, theme, or database. Installing SSL secures the connection, but it does not rewrite the addresses your pages already point to. Until you update those links to https://, the browser keeps flagging the page as not fully secure.
Open the page in your browser, press F12 to open Developer Tools, and click the Console tab. Lines labelled "Mixed Content" name the exact file loading over HTTP. You can also click the padlock in the address bar and open the site's security details for a summary.
Often, yes. A tool like Really Simple SSL detects insecure requests and rewrites them to https:// automatically, which resolves most WordPress cases quickly. For a permanent fix, though, it is worth also running a proper database search-and-replace so your links are genuinely secure and not just rewritten on the fly.
No. Mixed content comes from links stored inside your own site's content and database, not from your hosting server. Your host installs and serves the SSL certificate correctly; it cannot change the internal links your pages point to. Fixing mixed content is a site-config task you handle yourself.
Yes. Scripts, stylesheets, and iframes count as active mixed content, which browsers usually block. If a blocked stylesheet or script controlled part of your page, that part can stop working buttons, sliders, or styling may fail until you serve those files over https://.
Yes, you should. Browsers usually still show images loaded over HTTP, but they downgrade your padlock and display a warning, which erodes visitor trust. Updating those image links to https:// restores the full secure padlock and keeps your whole page consistent.
Mixed content warnings after switching to HTTPS are common and, in most cases, quick to clear. The cause is old http:// links left in your content and database, not your hosting or your certificate. Back up first, confirm SSL works, set both WordPress URLs to https, run a safe database search-and-replace, tidy up any hardcoded and external links, then clear every cache and re-check the browser console. Do that in order and your solid padlock comes back. Next, keep your site safe with a reliable routine try our website backups guide so you always have a clean copy before your next change.
upgrade-insecure-requests directive.Related help: What is an SSL certificate · How to get an SSL certificate · Server errors guide · Fix the JSON response error
The editorial team behind the Bitrich777 Hosting Help Center — practical, tested guides on web hosting, WordPress, servers, DNS, SSL, email, security and migration. Every walkthrough is reproduced on a live host before it is published.
View all guides by the Hosting Team Spotted an error? Tell us