Few things are more frustrating than spending time and money to install an SSL certificate, only to see “Not Secure” warnings in your browser bar. You’ve done the right thing-securing your site with HTTPS is essential-but those persistent mixed content warnings can undermine user trust and damage your SEO.
I’ve been there. Seeing the warning when everything seems to be configured correctly can drive you up the wall. But the issue usually lies not with the SSL itself, but with elements of your site still loading over HTTP.
This guide breaks down how to fix mixed content warnings in WordPress, so your site can truly be 100% secure, fast, and browser-trusted.
What Is Mixed Content, and Why Does It Matter?
When a WordPress site is served over HTTPS but includes resources (like images, stylesheets, scripts) that still load over HTTP, browsers detect it as mixed content. While the HTML loads securely, other assets don’t, creating a security gap.
Google Chrome and Mozilla Firefox now block some or all of these HTTP elements, which can break site functionality or layout-and even damage your SEO rankings. Google’s transparency report states over 90% of browsing now happens over HTTPS. So, if your WordPress site isn’t fully secure, you're falling behind.
1. Check If Your WordPress Site Has Mixed Content Warnings
The first step is identifying the issue clearly. Even if your SSL is installed, some resources may still call non-secure links.
Use these tools to diagnose:
- Why No Padlock (https://www.whynopadlock.com/)
- SSL Labs SSL Test (https://www.ssllabs.com/ssltest/)
- Browser dev tools: Go to Inspect Element > Console and look for warnings like
Mixed Content: The page at 'https://yoursite.com' was loaded over HTTPS, but requested an insecure image.
Once identified, it’s easier to tackle these issues systematically within your WordPress environment.
2. Update WordPress Settings to Use HTTPS
Let’s face it-sometimes the fix is right under your nose. If your WordPress settings still point to HTTP, it can cause widespread content mismatches.
How to update it:
- Go to your WordPress Dashboard > Settings > General.
- Change both the WordPress Address (URL) and Site Address (URL) to https://yourdomain.com.
Double-check the change takes effect across all pages. You may need to clear your site cache or browser cache after this update.
3. Use a Plugin to Automatically Fix Mixed Content
If you’re not comfortable digging into theme files or your site’s codebase, a plugin can do the heavy lifting.
Recommended Plugins:
Really Simple SSL
Automatically redirects all non-HTTPS URLs and scans for mixed content issues. It’s the most popular plugin for a reason—minimal setup and reliable fixes.Better Search Replace
Lets you update database entries in bulk fromhttp://tohttps://, especially useful for older WordPress sites where media and links are hardcoded.
Just be careful. Always back up your database before making bulk changes.
4. Update Media and Theme Assets
Sometimes, images or stylesheets are still hardcoded with http:// inside your theme, header, or even page builders. This happens often if you manually uploaded files before installing SSL.
What to check:
- Theme header
(header.php)for<link>or<script>tags - Custom HTML widgets or blocks
- Page builder content like Elementor or WPBakery
- Media files linked with full URLs instead of relative paths
WordPress themes and plugins should use functions like get_template_directory_uri() or wp_enqueue_script() to load resources-make sure your theme does.
5. Use Search and Replace to Fix Hardcoded Links
On older WordPress sites, hardcoded URLs are a common culprit. If your posts, widgets, or pages reference images and resources via http://, you’ll need to update them.
Run a site-wide replace using:
- WP-CLI (for developers comfortable with the command line)
- Search & Replace Plugin (like “Better Search Replace” mentioned earlier)
For example, replace:
http://yourdomain.com → https://yourdomain.com
Important: Test the changes on a staging environment first or take a full backup of your WordPress database. A wrong replace operation can break serialized data.
6. Verify Your CDN Configuration
If you’re using a Content Delivery Network (like Cloudflare, BunnyCDN, or StackPath), it might be serving cached assets over HTTP.
To resolve this:
- Enable "Always Use HTTPS" in your CDN settings.
- Clear your CDN cache after SSL installation.
- Ensure your WordPress caching plugin (like WP Rocket or W3 Total Cache) is also configured to enforce HTTPS.
A misconfigured CDN can often silently continue serving HTTP assets even after your site is SSL-secured.
7. Fix External Resources (Fonts, Videos, Widgets)
It’s easy to overlook third-party content embedded on your WordPress site. Fonts, iframes, video embeds, and widgets can load via HTTP and trigger mixed content warnings.
Watch for:
- Google Fonts or custom fonts not loaded via
https:// - YouTube or Vimeo embeds with old
http://links - Widgets and form embeds (e.g., Calendly, Mailchimp, Typeform)
These can usually be edited within the WordPress editor or page builder. Always use the HTTPS version of the embed URL if available.
8. Clear Cache Everywhere
After making these fixes, the issue may still appear-just because you’re seeing an old cached version.
Clear cache from:
- Your WordPress caching plugin
- Browser (CTRL + SHIFT + R for hard refresh)
- CDN (like Cloudflare)
- Hosting panel, if your host uses server-side caching (e.g., SiteGround, WP Engine)
It sounds basic, but it’s often the final step that makes all your previous fixes visible.
9. Use a Web Host That Supports HTTPS Fully
If your hosting provider doesn’t offer full SSL support, auto-renewals, or forced HTTPS redirection, it could make all of this harder.
Choose WordPress-friendly hosting providers that include:
- Free Let’s Encrypt SSL
- Auto HTTPS redirection
- SSL monitoring tools
Some hosts, like Kinsta and SiteGround, even scan your WordPress site for mixed content errors during SSL installation.
Still Seeing Mixed Content Warnings on Your WordPress Site?
Don’t stress-these issues can be frustrating, especially when buried deep in themes, plugins, or older databases. If the fixes above feel too technical or time-consuming, help is available.
Outsourcing firms in India offer dedicated and talented WordPress developers who can diagnose and fix these issues efficiently. You can hire WordPress programmers India-based who understand WordPress architecture deeply and provide tailored solutions-saving you time, frustration, and lost traffic.
Read Our Recent Blog - 8 Tips: How to Fix 404 Page Not Found Errors on Your Website
Top comments (0)