ZeroToWP

Mixed Content

Quick Definition

Mixed content happens when an HTTPS page loads resources (images, scripts, stylesheets) over insecure HTTP. Browsers flag this as unsafe, the padlock icon disappears, and Google may penalize your site.

Kinsta guide on fixing mixed content warnings — how to resolve HTTPS/SSL insecure resource errors in WordPress

What Is Mixed Content?

Mixed content occurs when a page served over HTTPS loads some of its resources — images, JavaScript files, CSS stylesheets, fonts, or iframes — over plain HTTP. Your browser detects the mismatch and treats the entire page as insecure.

The result: the padlock icon in the address bar disappears, replaced by a warning. Browsers like Chrome display "Not Secure" or block the insecure resources entirely. This destroys visitor trust and can hurt your search rankings.

Mixed content is one of the most common issues WordPress site owners face after installing an SSL certificate, because existing content may still reference HTTP URLs from before the migration to HTTPS.

Two Types of Mixed Content

  • Active mixed content — Scripts and stylesheets loaded over HTTP. Browsers block these entirely because they can be intercepted and manipulated (like injecting malware into a JavaScript file). Your site breaks visually or functionally.
  • Passive mixed content — Images, audio, and video loaded over HTTP. Browsers allow these but display a warning. Less dangerous but still removes the padlock and looks unprofessional.

How to Detect Mixed Content

  • Browser DevTools — Open Chrome DevTools (F12) → Console tab. Mixed content warnings appear as yellow or red messages with the exact URLs of the insecure resources.
  • Why No Padlock? — Free online tool at whynopadlock.com that scans any URL for mixed content.
  • Really Simple SSL — Our SSL setup guide covers how this plugin automatically detects and fixes mixed content.

How to Fix It in WordPress

  1. Update WordPress URLs — Go to Settings → General. Make sure both "WordPress Address" and "Site Address" use https://.
  2. Search and replace — Use the Better Search Replace plugin to find all http://yourdomain.com references in your database and replace them with https://yourdomain.com.
  3. Install Really Simple SSL — This plugin automatically fixes most mixed content by rewriting HTTP URLs to HTTPS on the fly. Install, activate, done.
  4. Check theme and plugin files — Some themes and plugins hardcode HTTP URLs in their code. Update them or contact the developer.
  5. Force HTTPS via .htaccess — Add a redirect rule to ensure all traffic uses HTTPS, even if someone visits via an old HTTP link.

Why It Matters

Mixed content defeats the purpose of having an SSL certificate. You have paid for (or set up a free) SSL, but your site still shows as insecure because of a few leftover HTTP references. Google uses HTTPS as a ranking signal, browsers actively warn visitors, and a single mixed content error can make your entire site look untrustworthy. Fixing it usually takes 10 minutes with Really Simple SSL and Better Search Replace — there is no reason to leave it broken.

Sources: Kinsta, WP Engine, MDN Web Docs

Related Terms

.htaccess.htaccess is a configuration file for Apache web servers that WordPress uses to handle pretty permalinks, redirects, and security rules. It sits in your WordPress root directory.SSLSSL (Secure Sockets Layer) is the technology that encrypts the connection between your website and its visitors. Today it technically runs on TLS, but everyone still calls the certificate an "SSL certificate."SSL CertificateAn SSL certificate is a digital file that encrypts the connection between your website and visitors, enabling HTTPS (the padlock icon). Most WordPress hosts include free SSL certificates from Let's Encrypt — there is no reason not to have one.

Related Articles

WordPress Pre-Launch Checklist — 15 Things Before Going LiveBefore you share your site with the world, run through this 15-point checklist to make sure everything is ready.How to Set Up SSL/HTTPS on WordPress (Free & Easy)SSL used to be optional. It's not anymore — Google penalizes sites without it, and Chrome slaps a 'Not Secure' warning on every page. The good news? It's free and takes about 10 minutes. Here's exactly how to set it up, plus how to fix the mixed content issues that trip up almost everyone.WordPress Security Guide: 12 Steps to Protect Your SiteWordPress doesn't get hacked because it's insecure — it gets hacked because people skip basic precautions. Here are the 12 security steps I follow on every site I build, ranked by importance.
← Back to WordPress Glossary