What WordPress mixed content means
WordPress mixed content happens when a page loads over HTTPS but still requests some resources over HTTP.
Browsers treat this as an incomplete secure connection, which can trigger warnings, break lock icons, and weaken user trust.
This issue often appears after moving a site to SSL, changing domains, or updating a theme that still references insecure URLs.
The fix is usually straightforward once you know where the old HTTP links are hiding.
Why mixed content matters for SEO and usability
Mixed content can affect more than appearance.
Modern browsers may block scripts, stylesheets, fonts, images, or iframes loaded over HTTP, which can alter layout or stop features from working.
- User trust: Visitors may see a “Not secure” indicator.
- Functionality: Scripts, sliders, forms, and embedded media may fail.
- SEO performance: Search engines prefer secure, fully consistent HTTPS pages.
- Conversions: Checkout and lead forms can suffer when the page appears unsafe.
Common causes of mixed content in WordPress
Most cases come from a small set of sources.
Knowing the source helps you fix the problem without guessing.
Old HTTP URLs in the database
When a site switches from HTTP to HTTPS, links stored in posts, pages, widgets, and custom fields may still contain the old protocol.
These are often inserted in page builders, image blocks, or legacy content.
Incorrect WordPress Address and Site Address settings
If the WordPress Address and Site Address fields do not both use HTTPS, WordPress may generate links with the wrong protocol.
This is one of the first settings to verify in the admin area.
Theme and plugin assets
Themes and plugins may enqueue CSS, JavaScript, fonts, icons, or images using hardcoded HTTP links.
Third-party plugins are especially common sources of mixed content after an SSL migration.
Hardcoded links in templates or custom code
Developers sometimes add direct asset URLs inside theme files, child themes, or custom snippets.
If those references still point to HTTP, the browser will flag them immediately.
External embeds and CDN resources
You may also see mixed content from embedded videos, maps, analytics, or a content delivery network that is not configured correctly for HTTPS.
How to find mixed content on your site
Before fixing anything, identify the exact resource causing the warning.
Browsers and scanning tools can show the offending URL, file type, and page location.
Use browser developer tools
Open the page in Chrome, Edge, or Firefox and inspect the Console tab.
Mixed content warnings usually name the blocked or upgraded resource, making it easier to trace the source.
Check the page source
View source on the affected page and search for http://.
This can reveal images, stylesheets, scripts, and embed codes that still use insecure links.
Use SSL scanning tools
Online scanners and browser extensions can crawl a site and highlight insecure assets.
These tools are useful on larger sites with many templates and plugins.
How to fix WordPress mixed content safely
The best fix is to update every internal reference from HTTP to HTTPS and confirm that WordPress is generating secure URLs everywhere.
Start with the simplest settings, then move to database and file-level fixes if needed.
1. Update WordPress and Site URLs
Go to Settings > General and make sure both WordPress Address (URL) and Site Address (URL) use https://.
Save the changes and test the homepage and a few internal pages.
2. Replace HTTP links in the database
If content still includes old links, perform a search and replace for your domain from HTTP to HTTPS.
Use a safe database tool or a trusted plugin that supports serialized data, because direct SQL replacements can break complex fields.
- Replace
http://yourdomain.comwithhttps://yourdomain.com - Check posts, pages, custom fields, widgets, and options tables
- Back up the database before making changes
3. Regenerate media URLs
If images are inserted from the Media Library with old URLs, update those references in content blocks or page builder modules.
For many sites, the database search and replace step handles this automatically.
4. Fix theme and plugin files
Open custom theme files and look for hardcoded http:// references.
Replace them with relative paths, protocol-relative URLs, or full HTTPS URLs.
If a plugin is responsible, update it first; if the issue remains, contact the plugin author.
5. Update external services
Many third-party tools have their own SSL or endpoint settings.
Confirm that embedded forms, analytics scripts, font providers, maps, and CDN URLs are all using secure endpoints.
Using a plugin to fix mixed content
For non-technical site owners, a plugin can simplify the process.
The right tool can rewrite URLs, detect insecure assets, and reduce the need to edit code manually.
- Better Search Replace: Useful for database-wide URL updates.
- Really Simple SSL: Helps enforce HTTPS and resolve common mixed content issues.
- WP-Optimize or similar maintenance tools: Can assist with cleanup after migration.
Plugins are helpful, but they are not a substitute for correcting hardcoded URLs in a theme or plugin file.
If the same warning returns after deactivating a plugin, the source may be deeper in your codebase.
How to verify the fix
After updating URLs, revisit pages that previously showed warnings and refresh with a hard reload.
Then check the browser console to confirm there are no insecure resource requests left.
Also inspect the following pages and templates:
- Homepage
- Blog posts
- Contact forms
- Checkout pages
- Landing pages built with page builders
- Headers, footers, and sidebar widgets
How to prevent mixed content in the future
The most reliable prevention strategy is to treat HTTPS as the default everywhere.
That means using secure URLs in content, theme development, plugin selection, and third-party integrations.
Use HTTPS from the start
When adding new images, scripts, or embeds, always choose the HTTPS version.
Avoid copying old links from cached pages or third-party documentation that may still show HTTP examples.
Keep themes and plugins updated
Developers regularly fix insecure asset loading in updates.
Staying current reduces the chance that outdated code will reintroduce mixed content.
Audit custom code during changes
Any time you switch themes, install a new plugin, or add custom snippets, test the site for insecure URLs before publishing changes.
Set up periodic SSL checks
Routine scans can catch mixed content early, especially on larger sites with multiple authors, page builders, and content imports.
This is particularly useful after redesigns or migration projects.
When mixed content needs developer help
Some cases require deeper debugging, especially when the source is buried in a custom theme, advanced plugin, or dynamic template.
A developer can trace enqueue functions, filter hooks, and database fields that are not easy to update from the dashboard.
If the warning persists after updating URLs and running a search and replace, focus on custom code, external embeds, and any asset generated by JavaScript.
In complex WordPress installs, that is often where the remaining HTTP request is hiding.