What "WordPress Mixed Content" Means and How to Fix It
parallax background

What “WordPress Mixed Content” Means and How to Fix It

Top Professional Website Design Examples
May 16, 2024
Top Web Design Tools Every Developer Needs
May 20, 2024
Top Professional Website Design Examples
May 16, 2024
Top Web Design Tools Every Developer Needs
May 20, 2024
 

Imagine this: You've just installed an SSL certificate on your WordPress site, but instead of the secure padlock, you're greeted with a mixed content error. Frustrating, right? This common issue plagues many site owners as they transition from HTTP to HTTPS, leaving them puzzled about how to fix the WordPress mixed content error effectively.

Mixed content warnings can undermine your site's security and scare off visitors. That's where we come in. With years of expertise in website security and WordPress SSL setup, I'm here to guide you through the exact steps to secure your site completely. By the end of this article, you'll have a crystal-clear understanding of identifying, troubleshooting, and fixing mixed content issues.

We'll cover everything from using SSL plugins to troubleshooting HTTPS errors and configuring your web server for optimal security. Ready to transform those pesky errors into a thing of the past? Let's dive in and ensure your WordPress site is as secure as it should be.

What the "WordPress Mixed Content" Warning Means

 

A secure site uses the SSL (Secure Sockets Layer). This is a protocol that provides security between a web server and a browser.

It keeps sensitive personal information such as bank card details secure and protected.

A secure padlock icon appears in the address bar when a website has an SSL certificate like comodo and an encrypted connection. But when there's a security problem, users will see an info icon and a mixed content warning.

This means that some elements on the site are loading over HTTPS, but others are still using HTTP scripts. They are not protected with encryption and are making the site vulnerable.

Depending on the browser used, the exact words of the error message may differ. The most common mixed content warnings are:

  • “Connection is Not Secure”
  • “Your connection to this site is not fully secure”
  • “Only secure content is displayed”
  • “Be careful here. Some content on this page is not encrypted.”

Common Triggers of the "WordPress Mixed Content" Warning

 

Moving from HTTP to HTTPS is not always smooth and trouble-free. Some HTTP links may not change and can account for the insecure content on the site.

To remove the mixed content warning, check to see which features are not encrypted. The following elements are a common trigger of the mixed content warnings:

 
  • an image that has a hardcoded URL path that uses HTTP. They can be in posts, pages, or widgets.
  • a video that loads over HTTP, rather than HTTPS.
  • plugins, themes, or services that use absolute paths instead of relative paths to link to CSS and JavaScript.
  • links to external resources that don't use HTTPS (hosted jQuery, Font Awesome, etc.).

Mixed Content can be passive or active.

Passive mixed content loads over HTTP and includes images, video, and audio content. Active mixed content also loads over HTTP and can include stylesheets, scripts, and other code.

Here are some tips on how to fix the mixed content warning error.

Find the Source of the Error

 

First, it’s necessary to pinpoint what content is triggering the error.

To find the HTTP element, go to the page that loads with the mixed content warning. Then open Chrome DevTools assistant.

How to open Chrome Developer tools:

  • Use the following key shortcut for Windows: F12 or CTRL + Shift + I. For macOS press Cmd + Opt + I.
  • Launch it from the tools menu in your browser- More tools/ Developer tools.

Once the Developer tools window opens, go to the Console tab and refresh the page. If the assistant finds any mixed content errors, they will display in red or yellow.

Usually, this message also appears: “This request has been blocked; the content must be served over HTTPS.” The browser is preventing any HTTP insecure content by default.

Thanks to some new features on Google Chrome, some mixed images and media are now auto- upgraded. Other browsers don't include this option.

Results shown under the Console tab will indicate if this action has occurred.

In the example below, notice the yellow highlighted message. It says that the page loaded over HTTPS, but requested an insecure element.

The request was automatically upgraded from HTTP to HTTPS

 

The Developer tools assistant will show the different types of mixed content warnings. Some of them include a stylesheet and script, which is the active mixed content error.

Besides the Console tab, users can investigate under the Security tab. It will show the security details of the certificate, connection and resources.

The Network tab in the Developer Tools lists blocked requests.

Check the Status of your SSL Certificate

 

The SSL Certificate authenticates your site and guarantees a secure, encrypted communication. But these certificates only work if they're valid.

The SSL Certificate isn't infinite so it’s important to check the status.

It’s possible to find the relevant details by viewing site information. Do this by clicking on the padlock in the address bar.

 

The information in the window that opens says if the certificate is valid. Users can also view further information, such as who it was issued to and by what authority.

Furthermore, it outlines the exact validity period.

Replacing HTTP With HTTPS in Your WordPress Address And Site Address

Having an invalid SSL certificate isn’t usually the core problem. There are other common causes, so further action may be necessary to fix the mixed content errors.

Here are some more tips on how to make sure that all site URLs load over HTTPS. In this step, users replace HTTP with HTTPS in their WordPress Address and Site Address.

1. Go to the WordPress Dashboard.

2. In the General Settings, find the following fields: WordPress Address (URL), and Site Address (URL). In those fields change the HTTP into HTTPS.

 

3. Finally, don’t forget to save the changes.

Now all site URLs will load over HTTPS and are safe. But if visitors type HTTP in the site address, they’ll still access insecure content.

The following tip will explain how to redirect visitors to the secured HTTPS version.

4. Opened the Dashboard, and click on Settings/General.

How to Redirect HTTP to HTTPS

 

If launching a new website, use HTTPS in the WordPress Address and Site Address right from the start. That way you won’t need to make any protocol or security changes in the future.

If switching from HTTP to HTTPS, it's important to set up an automatic redirect to the encrypted pages. To do that, add a rule in the WordPress .htaccess file.

Make sure to complete the previous step before adding the code. That is, replace HTTP with HTTPS in the WordPress Address and Site Address.

Next, connect to your site via the web host's File Manager, or with the File Transfer Protocol (FTP) and an FTP client. Go to the WordPress core files (usually public_html).

Right-click on the .htaccess file and select Edit. If using the Apache servers, paste the following rule within the file:

 
IfModule mod_rewrite.c>
RewriteEngine On
RewriteCond %{SERVER_PORT} 80
RewriteRule ^(.*)$ https://www.mysite.com/$1 [R,L]
</IfModule>

If using the NGINX, add this code:

server {
listen 80;
server_name yoursite.com www.yoursite.com;
return 301 https://yoursite.com$request_uri;
}

If your file includes more code than the default WordPress snippet, download a backup of the original .htaccess file. Right-click on the .htaccess file and download it.

Checking Your CDN SSL Settings

 

At times the cause of the WordPress mixed content warning is a CDN (Content Delivery Network). If you issue an SSL certificate for a site that has a CDN configuration, it may trigger the mixed content error.

Here's how to check the CDN SSL settings for Cloudflare.

Go to the Cloudflare dashboard. Locate the SSL option.

In the menu that allows users to choose the level of encryption, select the Full (strict) setting. This enables a secure connection between Cloudflare and visitors, and between the CDN and your server.

 

Next, enable ‘Always use HTTPS’ to serve all the content. On the Cloudflare dashboard, select the Always use HTTPS setting.

Save the changes and refresh the site to see if the mixed content warning still appears. For those unsure how to configure the SSL on a different CDN, check the CDN’s knowledge center.

Update the Content In Your Database Through Search/Replace

 

If the preceding tips didn’t solve the issue, update the database content through search and replace.

Open the phpMyAdmin and go to the WordPress database on the left. Select the SQL tab.

In the SQL query box write the following command:

UPDATE wp_posts SET post_content=(REPLACE (post_content, ‘<old url>’,'<new url>’));

The 'old URL' is the HTTP website address. The 'new URL' is the new HTTPS site address.

 

Don't forget to include the 's' in HTTPS. Confirm by clicking on GO.

Clear the cache and refresh the website. The mixed content error should be gone and all content served over HTTPS.

FAQ about the WordPress mixed content error

What is a mixed content error in WordPress?

A mixed content error happens when your WordPress site loads both secure (HTTPS) and non-secure (HTTP) resources. This often occurs after installing an SSL certificate but not updating all URLs. This inconsistency triggers browser warnings, potentially driving visitors away.

How can I identify mixed content on my WordPress site?

Identifying mixed content involves using browser tools. Open the browser console (F12) and look for warnings about insecure resources. Tools like Mixed Content Checker plugins can also help you find and fix these issues on your WordPress admin panel.

Why is fixing mixed content important for my WordPress site?

Fixing mixed content is crucial because it impacts your site's security and user trust. Mixed content errors can prevent your SSL certificate from showing properly, making your site appear less secure, which could hurt your SEO and visitor engagement.

How do I manually fix mixed content errors in WordPress?

Manually fixing mixed content involves updating all URLs from HTTP to HTTPS. Check your WordPress themes, plugins, and database for outdated links. Tools like the "Better Search Replace" plugin can help streamline this process, ensuring all elements load securely.

What plugins can help fix mixed content errors in WordPress?

Several plugins can fix mixed content errors efficiently. Really Simple SSL and SSL Insecure Content Fixer are popular choices. These plugins automatically update URLs and force HTTPS, resolving mixed content warnings without manual URL changes.

How do I configure my web server for HTTPS?

Configuring your web server involves updating your server settings to redirect all traffic to HTTPS. This might include editing your .htaccess file for Apache servers or using a configuration file for Nginx. Ensure your SSL/TLS encryption is correctly installed and active.

Can mixed content errors affect my SEO rankings?

Yes, mixed content errors can impact your SEO rankings. Search engines prioritize secure sites, and mixed content warnings might lead to lower rankings. Ensuring your content is fully secure enhances your site's credibility and can improve its search engine visibility.

How do I use the browser console to find mixed content?

To use the browser console, press F12 or right-click on your page and select "Inspect." Navigate to the "Console" tab. Look for mixed content warnings indicating which resources are loaded insecurely. This method helps pinpoint the exact elements causing issues.

What is the role of a Content Delivery Network (CDN) in fixing mixed content?

A Content Delivery Network (CDN) can help fix mixed content by ensuring all resources are served over HTTPS. Make sure your CDN is configured correctly to use your SSL certificate. Update CDN settings to rewrite all HTTP URLs to HTTPS.

Are there any tools to automate fixing mixed content in WordPress?

Yes, tools like Really Simple SSL and SSL Insecure Content Fixer automate the process. They handle URL updates, enforce HTTPS, and fix mixed content issues without manual intervention. These tools are invaluable for maintaining a fully secure WordPress site.

Conclusion

Fixing the WordPress mixed content error is essential to maintain a secure and trustworthy site. By addressing mixed content warnings, you ensure that all resources are loaded over HTTPS, providing a seamless user experience and boosting your website security.

Here's what we've covered:

  • Identifying mixed content: Using browser tools and plugins to locate insecure resources.
  • Manual fixes: Updating URLs in WordPress themes, plugins, and the database.
  • Plugins and tools: Leveraging Really Simple SSL and SSL Insecure Content Fixer for automated solutions.
  • Web server configuration: Ensuring proper SSL/TLS encryption and HTTPS redirection.
  • CDN configuration: Utilizing a Content Delivery Network to serve secure content globally.

By implementing these strategies, you mitigate security risks and improve your site's SEO performance. Ensuring your WordPress site is free of mixed content not only safeguards your visitors but also enhances your online presence.

If you enjoyed reading this article on Wordpress mixed content errors, you should check out this one about failed to open stream error.

We also wrote about a few related subjects like WordPress post missed schedule, failed to load resource error, WordPress posting to Facebook done automatically, how to reorder pages in WordPress and WordPress updating failed error.

Albert Ślusarczyk
Albert Ślusarczyk
As the co-creator of Be Theme, I am a strong believer in designing with care and patience. I pour my energy, time & knowledge into perfecting the theme for our 260,000+ customers.