How to Find and Fix Mixed Content Warnings on WordPress

Mixed content warnings break the padlock icon on your site and can cause browsers to block certain resources. SSL Insecure Content Fixer handles many of these automatically, but first you need to identify exactly what is causing them.

What Causes Mixed Content on WordPress Sites

Mixed content happens when an HTTPS page loads resources over HTTP. The most common causes on WordPress sites:

  • Old post content with hardcoded HTTP image URLs — images added before the site switched to HTTPS.
  • Theme or plugin assets with hardcoded HTTP paths.
  • Third-party embeds (videos, widgets, maps) that load over HTTP.
  • WordPress siteurl or home setting still set to HTTP after an HTTPS migration.

Finding Mixed Content with Chrome DevTools

  1. Open Chrome and go to the page showing mixed content warnings (the one missing its padlock).
  2. Open DevTools (F12 or right-click, Inspect).
  3. Go to the Console tab.
  4. Look for messages starting with “Mixed Content: The page was loaded over HTTPS, but requested an insecure…” These messages show the exact URL of each resource loading over HTTP.
  5. Note whether the resource is active (script, stylesheet — blocked by browsers) or passive (image, audio — only a warning).
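
The classification in step 5 can also be run offline against a saved copy of a page's HTML. The scanner below is an added example, not part of the original article or of any plugin mentioned here; its tag-to-category maps are a simplified assumption and the sample page is constructed.

```python
from html.parser import HTMLParser

# Simplified tag -> URL-attribute maps (an assumption of this example).
ACTIVE = {"script": "src", "iframe": "src", "embed": "src", "object": "data"}
PASSIVE = {"img": "src", "audio": "src", "video": "src", "source": "src"}

class MixedContentScanner(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []  # (category, tag, url) in document order

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "").strip() for k, v in attrs}
        if tag == "link":
            # Only rel=stylesheet links load a resource that can restyle the page.
            if "stylesheet" in a.get("rel", "").lower().split():
                self._check("active", tag, a.get("href", ""))
        elif tag in ACTIVE:
            self._check("active", tag, a.get(ACTIVE[tag], ""))
        elif tag in PASSIVE:
            self._check("passive", tag, a.get(PASSIVE[tag], ""))

    def _check(self, category, tag, url):
        # https:// and protocol-relative (//host/x) URLs are not mixed content.
        if url.lower().startswith("http://"):
            self.findings.append((category, tag, url))

def scan(html):
    """Return every http:// subresource reference found in an HTML string."""
    scanner = MixedContentScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings

# Constructed sample page, not taken from a real site.
SAMPLE = """\
<link rel="stylesheet" href="http://example.com/wp-content/themes/x/style.css">
<script src="https://example.com/wp-includes/js/jquery.js"></script>
<script src="http://example.com/wp-content/plugins/y/y.js"></script>
<img src="http://example.com/wp-content/uploads/2015/01/old.jpg" />
<img src="//example.com/wp-content/uploads/new.jpg">
<a href="http://example.org/">external link</a>
<iframe src="http://maps.example.net/embed"></iframe>
"""

if __name__ == "__main__":
    for category, tag, url in scan(SAMPLE):
        print(f"{category:8}{tag:8}{url}")
```

Plain links (`<a href>`) are navigation rather than subresources, so they are not reported. URLs inside `srcset` attributes, inline styles and CSS files are outside what this scanner checks, so the browser Console remains the authoritative list.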

Fixing HTTP URLs in Post Content with Better Search Replace

For posts and pages with hardcoded HTTP image URLs, a database search and replace is the permanent fix:

  1. Install Better Search Replace.
  2. Go to Tools, then Better Search Replace.
  3. In the Search field enter http://yourdomain.com.
  4. In the Replace field enter https://yourdomain.com.
  5. Select the tables to search: all of them, or at minimum wp_posts and wp_postmeta.
  6. Run a dry run first to see how many records will change, then run the actual replacement.

Using SSL Insecure Content Fixer for Plugin and Theme Assets

For HTTP resources generated by plugins or themes that you cannot directly edit, SSL Insecure Content Fixer catches these at output time. Go to Settings, then SSL Insecure Content Fixer and start with the Simple fix level. This rewrites URLs in post content and basic page output. If mixed content warnings remain, move to WPML, then Capture, then Output Buffer.

Fixing Third-Party Embeds

Some embeds load resources from third-party servers that only serve over HTTP. If the third party does not support HTTPS, you cannot fix this with a URL rewrite — the resource itself is on an HTTP server. The only options are to remove the embed, find an HTTPS alternative, or host the resource yourself. YouTube embeds, for example, should use https://www.youtube.com/ not http:// in the embed URL.

Checking WordPress Site URL Settings

Go to Settings, then General. Both WordPress Address (URL) and Site Address (URL) should start with https://. If either shows http://, change them to https:// and save. After changing these settings, clear all caches and test the site thoroughly — this change can cause redirect issues if the server is not properly configured for HTTPS.

Verifying the Fix

After making changes, clear all caches (plugin cache, CDN, browser cache) and reload the page. The Console should show no mixed content warnings and the padlock should be present and unbroken. Use Why No Padlock at whynopadlock.com for a quick third-party check of any remaining mixed content issues.

For HTTPS migrations on complex sites including multisite, WooCommerce, and sites with many years of archival content, a WordPress developer can handle the full migration cleanly.
