Severity: Major · Fix time: 15–60 min · Skill level: Intermediate
Mixed content occurs when an HTTPS web page loads some resources — images, scripts, stylesheets, or fonts — over insecure HTTP. The browser detects the mismatch, removes the padlock from the address bar, and may display a “Not Secure” warning or block the insecure resources entirely. In WordPress, this happens most often after migrating from HTTP to HTTPS when old HTTP URLs remain hardcoded in the database, theme, or plugin files.
For visitors, mixed content makes your site look untrustworthy — a “Not Secure” notice next to your domain name is a credibility problem, especially on checkout pages or anywhere you handle personal information. For search visibility, Google uses HTTPS as a ranking signal, and mixed content undermines the full HTTPS benefit you’ve worked to achieve.
[Image: Browser address bar showing a “Not Secure” warning icon next to the URL of an HTTPS page with mixed content]
How Mixed Content Works
When a browser loads a page, it checks the protocol of every resource the page requests. If the page itself is served over HTTPS but requests a script at http://yoursite.com/wp-content/plugins/..., the browser has a conflict: the secure page is pulling in an insecure resource.
Modern browsers handle this in two ways depending on the resource type:
- Passive mixed content (images, video, audio): The browser typically loads the resource but removes the padlock and shows a warning. The page functions but looks less secure.
- Active mixed content (scripts, stylesheets, iframes): Modern browsers block these entirely. A script blocked by mixed content can break page functionality silently — buttons stop working, interactive elements disappear, and the page may look broken with no obvious explanation.
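The active/passive split above can be checked offline against a saved copy of a page. The following is an added example, not code from the original page: the sample HTML and the plugin, theme, and upload paths in it are constructed, and `find_mixed_content` is a hypothetical helper name.

```python
from html.parser import HTMLParser

# (tag, attribute) pairs that load a subresource, grouped as the list above does.
KIND = {
    ("script", "src"): "active",
    ("iframe", "src"): "active",
    ("link", "href"): "active",   # counted only for rel=stylesheet, see below
    ("img", "src"): "passive",
    ("video", "src"): "passive",
    ("audio", "src"): "passive",
    ("source", "src"): "passive",
}


class MixedContentFinder(HTMLParser):
    """Collects http:// subresources referenced by a page served over HTTPS."""

    def __init__(self):
        super().__init__()
        self.findings = []  # (kind, tag, url)

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        rel = (attrs.get("rel") or "").lower().split()
        if tag == "link" and "stylesheet" not in rel:
            return  # canonical/alternate links are never fetched as resources
        for (t, attr), kind in KIND.items():
            url = (attrs.get(attr) or "").strip()
            if t == tag and url.lower().startswith("http://"):
                self.findings.append((kind, tag, url))


def find_mixed_content(html):
    finder = MixedContentFinder()
    finder.feed(html)
    finder.close()
    return sorted(finder.findings)  # "active" sorts ahead of "passive"


# Constructed sample page; a plain <a href> is navigation, not mixed content.
SAMPLE_PAGE = """<html><head>
<link rel="canonical" href="http://yoursite.com/">
<link rel="stylesheet" href="http://yoursite.com/wp-content/themes/example/style.css">
<script src="https://yoursite.com/wp-includes/js/jquery.js"></script>
<script src="http://yoursite.com/wp-content/plugins/example/form.js"></script>
</head><body>
<a href="http://yoursite.com/about/">About</a>
<img src="http://yoursite.com/wp-content/uploads/2019/01/photo.jpg">
</body></html>"""

if __name__ == "__main__":
    for kind, tag, url in find_mixed_content(SAMPLE_PAGE):
        print(f"{kind:8} <{tag}> {url}")
```

Resources injected by JavaScript or referenced from CSS `url()` values do not appear in the static HTML, so the DevTools Console remains the authoritative check.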
Common causes include:
- HTTP to HTTPS migration with database URLs not updated — WordPress stores content, settings, widget data, and option values in the database as absolute URLs. If those weren’t updated from http:// to https:// during migration, every stored resource URL loads insecurely.
- Hardcoded HTTP URLs in theme files — Theme files that reference stylesheets, fonts, or images with absolute http:// URLs won’t update automatically when switching to HTTPS.
- Plugin-loaded external resources — A plugin that loads a third-party script or font via HTTP (because the developer hasn’t updated their code) introduces mixed content you don’t control directly.
- Uploaded media files with old absolute URLs — Images inserted into posts and pages via the visual editor store the full URL at the time of insertion. If those were created pre-HTTPS, they reference http://.
Check This First — 2-Minute Diagnostic
- Open browser DevTools — In Chrome, press F12 → Console tab. Mixed content errors appear as red “Mixed Content” warnings with the URL of the insecure resource.
- Identify the resource type — Scripts and stylesheets causing mixed content are higher priority than images, as browsers may block them entirely.
- Check if the padlock is missing or has a warning — If the padlock is missing even though you have SSL installed, mixed content is almost certainly the cause.
- Try the Really Simple SSL plugin — This plugin can catch and fix many common mixed content issues automatically and is a useful diagnostic tool.
- Check WordPress general settings — Go to Settings → General and confirm both “WordPress Address (URL)” and “Site Address (URL)” use https://, not http://.
Purpose & Benefits
1. A Full HTTPS Setup Protects Visitor Trust
The padlock communicates trust. Losing it due to mixed content — even on a site with a valid SSL certificate — signals insecurity. On eCommerce pages or contact forms, a “Not Secure” warning directly reduces conversions. Resolving mixed content fully restores the padlock and visitor confidence.
2. HTTPS Is a Ranking Signal
Google confirmed HTTPS as a ranking signal in 2014. Mixed content doesn’t negate having HTTPS, but it prevents you from fully capturing that benefit. Blocked scripts can also harm user experience metrics that increasingly influence rankings. Our SEO services include technical audits that surface HTTPS configuration issues.
3. Blocked Scripts Can Break Key Functionality
Active mixed content isn’t just cosmetic — when browsers block insecure scripts, it can disable form submissions, payment processing, analytics, or any JavaScript-dependent feature. These failures often surface as “the button does nothing” bugs with no obvious error message.
Examples
1. Database Search-Replace After HTTP to HTTPS Migration
The most comprehensive fix for mixed content is replacing all http://yourdomain.com references in the database with https://yourdomain.com. Using the Better Search Replace plugin:
- Install and activate Better Search Replace from the WordPress plugin directory.
- Go to Tools → Better Search Replace.
- In “Search for,” enter: http://yourdomain.com
- In “Replace with,” enter: https://yourdomain.com
- Select all database tables.
- Run a dry run first to see how many replacements will be made.
- Run the actual replacement.
This safely handles serialized data in the WordPress database, which manual SQL REPLACE() queries can corrupt.
2. WP-CLI Search-Replace for Developers
For those with command-line access, WP-CLI handles the database replacement with a single command:
# Replace all HTTP URLs with HTTPS across all database tables
# Run dry-run first to preview changes
wp search-replace 'http://yourdomain.com' 'https://yourdomain.com' --all-tables --dry-run
# Remove --dry-run when ready to apply
wp search-replace 'http://yourdomain.com' 'https://yourdomain.com' --all-tables

Always back up the database before running a search-replace operation. WP-CLI correctly handles serialized data in WordPress option values.
3. Content-Security-Policy Header as a Safety Net
After running the database search-replace, adding a Content-Security-Policy: upgrade-insecure-requests header via .htaccess instructs browsers to automatically upgrade any remaining HTTP resource requests to HTTPS:
# Tell browsers to upgrade all HTTP requests to HTTPS
Header always set Content-Security-Policy "upgrade-insecure-requests"

This doesn’t fix the underlying URLs but acts as a failsafe, capturing any remaining HTTP resource references from plugins or hardcoded theme files.
Common Mistakes to Avoid
- Running a simple SQL search-replace without handling serialized data — WordPress stores some option values as serialized PHP arrays. A direct REPLACE() SQL query on serialized data breaks the serialized format and corrupts site settings. Always use Better Search Replace or WP-CLI, which handle serialized data safely.
- Fixing the database but not the theme files — Hard-coded http:// URLs in your theme’s PHP or CSS files won’t be caught by a database search-replace. Check theme files manually for absolute URL references and update them.
- Forgetting to update WordPress general settings — If Settings → General still shows http://yoursite.com for the WordPress Address or Site Address, switch both to https:// before running the search-replace.
- Not backing up the database first — A search-replace operation touches thousands of database rows simultaneously. Run a full database backup before proceeding, so you can restore if anything goes wrong.
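Why a raw REPLACE() corrupts serialized data, as warned in the first mistake above and in the search-replace examples: PHP's serialized strings carry a byte-length prefix, and http:// to https:// adds one byte without updating it. This is an added example, not code from the original page and not the implementation used by WP-CLI or Better Search Replace; the option value and the helper names are constructed, and the sketch only rewrites strings inside one level of serialized data.

```python
import re

STR_TOKEN = re.compile(rb's:(\d+):"')  # PHP string header: s:<byte length>:"


def php_str(value: bytes) -> bytes:
    """Serialize one string the way PHP does, prefixed with its byte length."""
    return b's:%d:"%s";' % (len(value), value)


def lengths_valid(data: bytes) -> bool:
    """Mimic what unserialize() expects: N bytes, then the closing '";'."""
    pos = 0
    while (m := STR_TOKEN.search(data, pos)):
        end = m.end() + int(m.group(1))
        if data[end:end + 2] != b'";':
            return False  # stale length: PHP would fail to unserialize here
        pos = end + 2
    return True


def aware_replace(data: bytes, old: bytes, new: bytes) -> bytes:
    """Replace inside each serialized string and rewrite its length prefix."""
    out, pos = [], 0
    while (m := STR_TOKEN.search(data, pos)):
        end = m.end() + int(m.group(1))  # skip by declared length, not by quote
        value = data[m.end():end].replace(old, new)
        out.append(data[pos:m.start()] + b's:%d:"%s' % (len(value), value))
        pos = end  # the closing '";' is copied along with the next chunk
    out.append(data[pos:])
    return b"".join(out)


# Constructed option value: a PHP array holding a logo URL and a width.
URL = b"http://yourdomain.com/wp-content/uploads/logo.png"
OPTION = b"a:2:{" + php_str(b"logo") + php_str(URL) + php_str(b"width") + b"i:300;}"

OLD, NEW = b"http://yourdomain.com", b"https://yourdomain.com"
naive = OPTION.replace(OLD, NEW)         # what a raw SQL REPLACE() does
aware = aware_replace(OPTION, OLD, NEW)  # length prefix recomputed

if __name__ == "__main__":
    print(naive.decode(), "->", lengths_valid(naive))
    print(aware.decode(), "->", lengths_valid(aware))
```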
Best Practices
1. Update WordPress General Settings and Run Database Search-Replace
Start with Settings → General and ensure both URL fields use https://. Then run a database search-replace using the Better Search Replace plugin or WP-CLI to update all stored URLs from HTTP to HTTPS. These two steps resolve the majority of mixed content issues. Run the search-replace as a dry run first to confirm the scope before applying.
2. Audit Browser DevTools After the Fix
After running the database update, press F12 in Chrome and check the Console for remaining mixed content warnings. Some resources may still load via HTTP from plugin CDNs or hardcoded theme URLs. Address each one individually — update the theme file, contact the plugin developer, or use the Content-Security-Policy header as a fallback.
3. Monitor SSL Expiry and Recheck After Plugin Updates
Mixed content can resurface after plugin updates that reintroduce HTTP references, or after an SSL certificate renewal lapse that temporarily causes content to be created with HTTP URLs. Track your SSL expiry date and run a DevTools check after major plugin updates to confirm no new mixed content has appeared.
Frequently Asked Questions
What causes a mixed content warning most often?
The most common cause is an incomplete HTTP to HTTPS migration: the site got an SSL certificate and switched to HTTPS, but the database still contains thousands of http:// URLs that were hardcoded into posts, pages, widgets, and WordPress options before the migration. Every time WordPress outputs one of those stored URLs, it introduces mixed content.
How do I fix a mixed content warning when locked out of wp-admin?
Mixed content issues don’t typically lock you out of wp-admin. If you can’t access wp-admin for a separate reason, connect via SFTP and use WP-CLI to run the search-replace directly. You can also access phpMyAdmin through your hosting control panel to manually run SQL, though be careful with serialized data — use WP-CLI or Better Search Replace instead whenever possible.
Can mixed content hurt my SEO?
Yes. Google treats HTTPS as a ranking signal, and mixed content weakens the HTTPS signal. More importantly, if active mixed content (scripts or stylesheets) is blocked by browsers, it can break key functionality that affects user experience metrics — and user experience metrics increasingly influence rankings. A clean HTTPS implementation with no mixed content gives you the full SEO benefit of SSL.
How do I find which resources are causing the mixed content?
Open your site in Google Chrome, press F12 to open DevTools, and go to the Console tab. Mixed content warnings appear as red error messages identifying the exact URL of each insecure resource. The Security tab in DevTools also provides a summary of all insecure content on the page.
Does adding an SSL certificate automatically fix mixed content?
No. An SSL certificate enables HTTPS on your domain, but it doesn’t update URLs already stored in your database. You must separately run a database search-replace after switching to HTTPS. Many sites have mixed content immediately post-SSL installation for exactly this reason.
Related Glossary Terms
- SSL Certificate
- HTTPS (Hypertext Transfer Protocol Secure)
- ERR_TOO_MANY_REDIRECTS / Redirect Loop
- .htaccess
- phpMyAdmin
- Canonical URL
- On-Page SEO
- wp-config
How CyberOptik Can Help
Still broken? Our team fixes WordPress errors like this in under 30 minutes for maintenance clients. Mixed content issues are common after SSL installations and site migrations — and they require a careful database operation to fix correctly. We’ve handled HTTPS migrations for hundreds of WordPress sites and know the full scope of what needs to be updated: database, theme files, hardcoded plugin URLs, and server configuration. Contact us to discuss your site or explore our WordPress maintenance services.

