How to Fix Mixed Content Warnings After Enabling SSL

To fix mixed content warnings, back up your site, confirm SSL is working, then set both WordPress URLs to https and run a database search-and-replace to change http:// to https:// for your domain. Update any leftover hardcoded links, clear all caches, and re-test the browser console.

Key takeaways

  • Mixed content means an HTTPS page is still loading some files (images, scripts, fonts) over insecure HTTP, so the browser flags it as "not fully secure."
  • It is almost always caused by old http:// links left in your content, theme, or database after switching to HTTPS.
  • This is a site-content issue, not a hosting issue your host cannot fix your page's internal links for you.
  • Always back up first, then use a proper search-and-replace tool so you do not damage your database.
  • Open the browser Developer Tools console to see the exact files still loading over HTTP.

"I installed SSL, so why does my site still say not secure?"

You did everything right. You got an SSL certificate, your address now starts with https://, and yet the browser still shows a broken padlock or a "Not secure" note in the address bar. On some pages, the layout may even look broken buttons or sliders stop working. If this is you, don't worry: this is one of the most common things that happens right after a site moves to HTTPS, and it is almost always fixable in a few minutes. The problem is not your certificate. It is a handful of old links that still point to the insecure version of your files. This guide walks you through finding and fixing every one of them. If you are still not sure your certificate itself is valid, start with our plain-English guide to what an SSL certificate is.

How to tell what's causing it

The browser already knows exactly which files are the problem you just need to ask it. The fastest way is the browser console, a built-in developer tool that lists loading errors and warnings.

Open the page that shows the warning, then press F12 (or right-click the page and choose Inspect). Click the Console tab. Look for lines that say "Mixed Content" they name the exact file that is still loading over HTTP, such as an image, a stylesheet, or a script. Write these down; they are your fix list. You can also click the padlock (or "Not secure" text) in the address bar and open the site's security details to see a similar summary.

If your page looks visually broken, that is a strong sign of active mixed content (explained below): the browser blocked a script or stylesheet, so part of the page stopped working.

Is it your site or your host? It is your site nearly every time. Mixed content comes from links stored inside your content, theme, and database, not from your hosting server. Your host installs and serves the certificate correctly; it cannot rewrite the internal links your pages point to. So this is a config and content fix you make yourself and this guide covers it start to finish. The one exception worth checking: if the certificate itself is missing or failing, sort that out first with our guide on how to get an SSL certificate.

What mixed content actually is

Mixed content means a single web page is delivered over a secure https:// connection, but some of the files that page loads such as images, scripts, stylesheets, or fonts are still requested over insecure http://. The page is "mixed" because it combines secure and insecure connections. Browsers dislike this because an insecure file can be tampered with in transit, which weakens the security the padlock is supposed to promise.

There are two kinds, and the difference matters:

Passive (display) mixed content covers images, audio, and video. It cannot easily change the behaviour of your page, so browsers usually still load it but they downgrade your padlock and show a warning. Your page looks fine; it just is not marked fully secure.

Active mixed content covers scripts, stylesheets, and iframes files that can control how the page looks and behaves. Because a tampered script is dangerous, modern browsers usually block active mixed content outright. That is why a page can suddenly look broken or stop working after you move to HTTPS: the browser refused to load an insecure script or stylesheet.

So where do these old http:// links come from? When your site ran on HTTP, every image you uploaded, every link you pasted, and many theme and plugin settings saved their full web address starting with http://. Switching on SSL does not go back and rewrite those saved addresses. They stay in your content, your theme files, your widgets, and your database (the store that holds your posts, pages, and settings) until you update them. That cleanup is exactly what the steps below do.

Your options at a glance

There are two broad ways to clear mixed content, and most people use a mix of both:

  • The plugin route (easiest for WordPress). A tool like Really Simple SSL detects insecure requests and rewrites them to https:// automatically. It is the fastest path for a typical mixed content WordPress site and great for beginners.
  • The manual route (cleanest and permanent). You update your site URLs, run a real database search-and-replace, and fix any hardcoded links by hand. This actually removes the bad links instead of rewriting them on the fly, so nothing depends on a plugin staying active.

The steps below combine them: do the safe manual cleanup, and lean on a plugin where it saves time. Either way, the order matters back up before you touch anything.

How to fix mixed content, step by step

  1. Back up your site first. Before changing any URLs or the database, make a full backup of your files and database so you can undo any mistake. If you are unsure how, follow our website backups guide. Do not skip this step it is your safety net.
  2. Confirm SSL is installed and working. Visit your site at https://yourdomain.com and make sure the certificate loads without a certificate error (a downgraded padlock from mixed content is fine at this stage; an outright certificate error is not). If the certificate itself is not set up, fix that first using how to get an SSL certificate.
  3. Update your WordPress addresses to HTTPS. In your dashboard, go to Settings → General and change both WordPress Address (URL) and Site Address (URL) from http:// to https://. Save. This tells WordPress the whole site now lives on HTTPS.
  4. Run a database search-and-replace. Old http:// links are stored throughout your database. Use a safe tool such as the Better Search Replace plugin, or a fix-it plugin like Really Simple SSL, to replace http://yourdomain.com with https://yourdomain.com. Always use a real search-replace tool that handles serialized data (bundled settings some plugins store) never edit the raw database with a blind find-and-replace, which can corrupt it.
  5. Update hardcoded links in your theme, widgets, and menus. Check custom links in your theme files, text or HTML widgets, and navigation menus for any address that still starts with http://yourdomain.com, and change it to https://. These are often missed by database tools because they live in template files.
  6. Fix external resources still loaded over HTTP. Some warnings point to files hosted elsewhere such as a font, script, or image pulled from another site over http://. Update each one to its https:// version. If a third-party file has no secure version, download it and host it on your own HTTPS site instead.
  7. (Optional) Add an upgrade header. To auto-upgrade any stray insecure requests, add the Content-Security-Policy: upgrade-insecure-requests header. This tells browsers to fetch http:// resources over https:// automatically. Treat it as a safety net, not a substitute for fixing the real links.
  8. Clear all caches and re-test. Clear your caching plugin, your browser cache, and any CDN cache so you are viewing the fresh version. Then reload the page, open the Console again, and confirm the mixed content warnings are gone and the padlock is solid.

Common mistakes to avoid

Never edit your database without a backup. One bad replace can break your whole site, and without a backup there is no easy way back. Back up first, every time and if a search-and-replace tool offers a "dry run," use it before committing changes.

Three mistakes catch people out most often:

  • Editing the database without a backup. Covered above it is the one that turns a small fix into a lost afternoon.
  • Replacing "http" too broadly. Replacing every http everywhere can damage serialized data and even rewrite links to other websites you did not mean to touch. Replace the specific string http://yourdomain.com, and use a tool built to handle serialized data safely.
  • Forgetting to clear the cache. If your page, browser, or CDN is still serving an old cached copy, you will see "ghost" warnings that are already fixed. Always clear every cache and hard-refresh before you decide something did not work.

How to prevent it in future

Once your site is clean, keeping it that way is simple:

  • Move to HTTPS fully in one go. Switch the whole site at once rather than page by page, so you never leave a mix of secure and insecure content behind.
  • Force HTTPS. Redirect every http:// request to https:// so visitors and your own links always land on the secure version.
  • Always use https:// in new links. When you add images, embeds, or external scripts, paste the secure address. Many editors let you use protocol-relative or relative links, which sidesteps the problem entirely.
  • Re-check the console after big changes. After installing a new theme or plugin, glance at the browser console once to catch any new insecure request early.

Frequently asked questions

What does "mixed content" mean?

Mixed content means a secure https:// web page is still loading some of its files such as images, scripts, or stylesheets over an insecure http:// connection. Because the page mixes secure and insecure requests, the browser cannot call it fully safe, so it shows a warning or a downgraded padlock.

Why does my site say "not secure" after installing SSL?

Almost always because old http:// links are still saved in your content, theme, or database. Installing SSL secures the connection, but it does not rewrite the addresses your pages already point to. Until you update those links to https://, the browser keeps flagging the page as not fully secure.

How do I find mixed content errors?

Open the page in your browser, press F12 to open Developer Tools, and click the Console tab. Lines labelled "Mixed Content" name the exact file loading over HTTP. You can also click the padlock in the address bar and open the site's security details for a summary.

Will a plugin fix mixed content?

Often, yes. A tool like Really Simple SSL detects insecure requests and rewrites them to https:// automatically, which resolves most WordPress cases quickly. For a permanent fix, though, it is worth also running a proper database search-and-replace so your links are genuinely secure and not just rewritten on the fly.

Is mixed content a hosting problem?

No. Mixed content comes from links stored inside your own site's content and database, not from your hosting server. Your host installs and serves the SSL certificate correctly; it cannot change the internal links your pages point to. Fixing mixed content is a site-config task you handle yourself.

Can mixed content break my site's layout?

Yes. Scripts, stylesheets, and iframes count as active mixed content, which browsers usually block. If a blocked stylesheet or script controlled part of your page, that part can stop working buttons, sliders, or styling may fail until you serve those files over https://.

Do I need to fix passive mixed content like images?

Yes, you should. Browsers usually still show images loaded over HTTP, but they downgrade your padlock and display a warning, which erodes visitor trust. Updating those image links to https:// restores the full secure padlock and keeps your whole page consistent.

Summary

Mixed content warnings after switching to HTTPS are common and, in most cases, quick to clear. The cause is old http:// links left in your content and database, not your hosting or your certificate. Back up first, confirm SSL works, set both WordPress URLs to https, run a safe database search-and-replace, tidy up any hardcoded and external links, then clear every cache and re-check the browser console. Do that in order and your solid padlock comes back. Next, keep your site safe with a reliable routine try our website backups guide so you always have a clean copy before your next change.

References

  • MDN Web Docs Mixed content (definition of passive/display vs active mixed content and browser behaviour).
  • WordPress.org Support Administration over SSL and changing Site Address (URL) in Settings → General.
  • W3C Content Security Policy: the upgrade-insecure-requests directive.

Related help: What is an SSL certificate · How to get an SSL certificate · Server errors guide · Fix the JSON response error

Bitrich777 Hosting Team
About the author

The editorial team behind the Bitrich777 Hosting Help Center — practical, tested guides on web hosting, WordPress, servers, DNS, SSL, email, security and migration. Every walkthrough is reproduced on a live host before it is published.

Spotted an error? Tell us