Quick Fix For “Was Loaded Over HTTPS, But Requested An Insecure Script” Error


You’ve made some changes to your site. You’re reviewing how it looks. Suddenly you see the error: Was loaded over HTTPS, but requested an insecure script.

What does it mean to request an insecure script? Why is this WordPress error suddenly showing up? What triggered this WordPress issue? How do you fix it?

We understand the worry. We’ve got your back. In this article, we’ll walk you through everything you need to know.

TL;DR: Fix the error by updating all HTTP links in your theme and plugins to HTTPS. This involves editing core files. We recommend that you back up your website using a tool like BlogVault to ensure safety.

Understanding the “was loaded over HTTPS, but requested an insecure script” error 

Understanding the error is the first step to fixing it. So, let’s break it down. 

When a visitor’s browser connects to your site, it asks for a secure connection. Your server responds with its SSL/TLS certificate. This certificate confirms your site’s identity, proving it’s the real site and not an impostor. During this process, your server and the visitor’s browser agree on encryption keys that scramble and unscramble the data sent back and forth.

The error “Was Loaded Over HTTPS, But Requested An Insecure Script” pops up when something on your site tries to load using HTTP instead of HTTPS. The browser notices this unsecured request. Instead of letting the script load, the browser throws an error. It does this to protect the user, warning that some parts of your site aren’t secure.

Here are some reasons why this may have happened:

  • When switching to SSL, some URLs might be missed, so some scripts still use HTTP.
  • Some external scripts, such as analytics or ads, use HTTP.
  • Hard-coded links weren’t updated when the site switched to HTTPS.

How to fix the “was loaded over HTTPS, but requested an insecure script” error?

The “Was Loaded Over HTTPS, But Requested An Insecure Script” error showcases a weakness in your site’s security. It can also tarnish your site’s reputation and hurt search engine rankings. The urgency to fix this error is real. Let’s dive right in.

Step 1: Check SSL certificate

First, check your SSL certificate to fix the “was loaded over HTTPS, but requested an insecure script” error. Often, the problem is an expired or misconfigured SSL certificate, which can affect your site’s security. Start by testing your site URL with the Qualys SSL Labs tool. It will show if your certificate is valid and when it expires.

If it turns out the certificate is expired or not valid, you’ll need to install an SSL certificate. This process varies by provider, but they usually have simple guides or support to assist you. After renewing, make sure to install the certificate on your server properly. This will ensure your site is secure and help stop the error from coming back.

Step 2: Identify the insecure scripts

Next up, find the insecure scripts causing the “was loaded over HTTPS, but requested an insecure script” error. Spotting these scripts will show you exactly what needs fixing. This step guides all the actions you will take to solve the problem.

You can use many browsers to do this, but we’re using Chrome’s developer tools for this tutorial.

  1. Open your site in Chrome.
  2. Right-click on the page and select Inspect.
  3. Navigate to the Console tab.

The tab will display warnings or errors that will help you see which scripts are loading over HTTP.

Expert tip: This method gets cumbersome if you have many pages to review. In that case, run the site through the WhyNoPadlock? tool, which conducts tests through your entire site and tells you what is triggering the error.
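To check saved page source in bulk instead of reading the console page by page, the same test the browser applies can be scripted. The following is an added example, not code from this article or from any of the tools it names; the function name, the tag table and the sample page are assumptions made for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# tag -> (URL attribute, kind). "active" content (scripts, stylesheets, frames)
# is what browsers block on an HTTPS page; "passive" media is treated more leniently.
SUBRESOURCES = {
    "script": ("src", "active"), "iframe": ("src", "active"),
    "link": ("href", "active"), "img": ("src", "passive"),
    "audio": ("src", "passive"), "video": ("src", "passive"),
}

class MixedContentFinder(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []  # (kind, tag, absolute URL)

    def handle_starttag(self, tag, attrs):
        if tag not in SUBRESOURCES:
            return  # <a href> and other plain links are navigation, not subresources
        attrs = dict(attrs)
        rel = (attrs.get("rel") or "").lower().split()
        if tag == "link" and "stylesheet" not in rel:
            return  # e.g. rel="canonical" is never fetched as a resource
        attr, kind = SUBRESOURCES[tag]
        # Resolve relative and protocol-relative (//host/x) URLs against the page
        url = urljoin(self.page_url, (attrs.get(attr) or "").strip())
        if attrs.get(attr) and urlparse(url).scheme == "http":
            self.findings.append((kind, tag, url))

def find_mixed_content(page_url, html):
    if urlparse(page_url).scheme != "https":
        return []  # mixed content only exists on pages served over HTTPS
    finder = MixedContentFinder(page_url)
    finder.feed(html)
    return finder.findings

# Constructed sample page (not from a real site)
SAMPLE_HTML = """<head>
<link rel="canonical" href="http://example.test/">
<link rel="stylesheet" href="http://example.test/wp-content/themes/demo/style.css">
<script src="http://cdn.example.test/slider.js"></script>
<script src="//cdn.example.test/ok.js"></script>
</head><body>
<a href="http://example.test/old-post/">old post</a>
<img src="http://example.test/wp-content/uploads/logo.png">
</body>"""
```

Calling `find_mixed_content("https://example.test/", SAMPLE_HTML)` reports the stylesheet, the slider script and the image, and ignores the canonical link, the protocol-relative script and the ordinary hyperlink.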

Step 3: Find and replace HTTP links with HTTPS URLs

The next step is to find and replace insecure content that still loads over HTTP. Doing so manually, however, is prone to errors.

Instead, use a tool like the SSL Insecure Content Fixer plugin. This plugin automates the task for you. Just install the plugin on your website and choose one of the following levels from the settings:

  • Basic: Fixes simple issues, ideal for most sites.
  • Content: Fixes issues found in your main page content.
  • Widgets: Targets widget content.
  • Capture: More detailed fix affecting all site content.
  • Capture All: Fixes every aspect of your site; use if other levels don’t resolve the issue.

Once you’ve selected a level, click Save Changes. Test everything once you’re done. Check to see if the error is still being triggered. 

What types of scripts and URLs to look out for?

  1. Plugin-related issues: Plugins sometimes include links to resources like scripts, images, or stylesheets that use HTTP instead of HTTPS. This often happens when a plugin is outdated or not updated to support HTTPS properly.

    Open your browser’s developer tools to spot any plugin loading resources over HTTP. Next, update your plugins in the WordPress dashboard. Developers often release updates to improve security and HTTPS compatibility. After updating, use your browser tools again to see if the errors continue. If the problem persists, it may indicate the plugin isn’t fully compatible with HTTPS. Consider finding an alternative that works with HTTPS. 
  2. Absolute/hardcoded paths: Absolute or hardcoded paths are direct URLs embedded in your WordPress site’s code. They link to resources using a full URL format. These absolute paths can create problems when your site transitions to HTTPS. They keep pulling resources over HTTP, causing the “was loaded over HTTPS, but requested an insecure script” error.

    Use the browser developer tools, as we previously discussed. They can pinpoint which URLs are causing the issue. Then, on the admin panel, navigate to Appearance > Theme Editor. Look for HTTP URLs in files such as header.php, footer.php, and functions.php and change them to relative paths wherever possible, or update them to https://.
  3. Database links: Your site’s database may contain numerous links hardcoded with http://, which, if left unchanged, can lead to the “was loaded over HTTPS, but requested an insecure script” error. By updating these links to https://, you are ensuring that all elements of your site load securely, reinforcing the trustworthiness and integrity of your site’s content.
  4. Third-party scripts: Third-party scripts are resources from outside vendors that you integrate into your site to add features, like analytics or ads. For example, they might be used for tools like Google Analytics or social media functions.

    First, use your browser’s developer tools to find scripts that are not served from your domain. Next, go to the websites of the third-party services to see if they provide HTTPS versions of their scripts. Once you find the secure script URLs, update them in your WordPress settings or theme files to use HTTPS.
  5. JavaScript and media files: JavaScript or media files often have elements loaded over an HTTP connection. This can trigger browser warnings too. 
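A caveat for the database links item above: WordPress stores many settings as PHP-serialized values, where each string carries its byte length (`s:36:"..."`), so a plain find-and-replace of http:// with https:// makes every affected string one byte longer than its declared length and the value no longer unserializes. The following is an added example, not code from this article; the helper names and the sample option value are constructed for illustration, and it handles one level of serialization only.

```python
import re

# Start of a PHP-serialized string token: s:<byte length>:"
_STR = re.compile(rb's:(\d+):"')

def replace_serialized(data: bytes, old: bytes, new: bytes) -> bytes:
    """Replace old with new inside each serialized string and rewrite its length."""
    out, pos = [], 0
    while (m := _STR.search(data, pos)):
        start = m.end()
        end = start + int(m.group(1))
        if data[end:end + 2] != b'";':
            # Declared length does not line up: copy the bytes through untouched
            out.append(data[pos:start])
            pos = start
            continue
        body = data[start:end].replace(old, new)
        out.append(data[pos:m.start()] + b's:%d:"%s";' % (len(body), body))
        pos = end + 2  # skip the string body so its contents are never re-parsed
    return b"".join(out) + data[pos:]

def lengths_ok(data: bytes) -> bool:
    """True if every s:N:"..." token is followed by "; exactly N bytes later."""
    pos = 0
    while (m := _STR.search(data, pos)):
        end = m.end() + int(m.group(1))
        if data[end:end + 2] != b'";':
            return False
        pos = end + 2
    return True

# Constructed sample option value (not from a real site)
OLD, NEW = b"http://example.test", b"https://example.test"
SAMPLE = (b'a:2:{s:4:"logo";s:36:"http://example.test/uploads/logo.png";'
          b's:5:"title";s:4:"Demo";}')

if __name__ == "__main__":
    naive = SAMPLE.replace(OLD, NEW)  # what a raw SQL REPLACE() would produce
    print("naive replace valid:", lengths_ok(naive))
    print("length-aware replace valid:",
          lengths_ok(replace_serialized(SAMPLE, OLD, NEW)))
```

On a live site, WP-CLI’s `wp search-replace` command performs this kind of serialization-aware replacement across database tables.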

Expert advice: Really Simple Security (formerly Really Simple SSL) simplifies fixing a lot of these mixed content issues. It will automatically update your site’s URLs to HTTPS, making it the most reliable way to replace the files and scripts.

Step 4: Clear cache

Next, clear the cache. When caches hold outdated resources, users might still trigger the error, so it can look like the error is persisting even if you’ve already fixed the issues on your site.

Step 5: Test everything

After clearing the cache, revisit your site and make sure the error is no longer being triggered.

How to prevent the “was loaded over HTTPS, but requested an insecure script” error?

To keep your WordPress site running securely and smoothly, taking preventive measures is essential. These steps help ward off potential issues before they turn into bigger problems. Whether it’s staying on top of updates, managing plugins effectively, or regularly checking your SSL configurations, proactive maintenance is key. By anticipating and addressing potential vulnerabilities, you not only protect your site but also ensure a seamless experience for your visitors. In this section, we will explore practical preventive measures to safeguard your site and reduce the risk of common errors.

  • Maintain SSL Certificates: Keeping your SSL certificates up to date is crucial. An expired certificate can lead to mixed content issues by defaulting to HTTP, thus compromising your site’s security. Regular monitoring with an SSL Monitor can help you track expiry dates and certificate status, preventing disruptions.
  • Consistent Use of HTTPS: Always using HTTPS URLs from the beginning ensures that all resources load securely, avoiding any mixed content errors. This consistency helps maintain a secure environment and minimizes the chances of HTTP links slipping in unnoticed.
  • Apply Site-wide Redirects: Setting up server-side redirects from HTTP to HTTPS ensures every connection to your site is secure. This automatic rerouting avoids accidental access via HTTP, which can trigger mixed content issues and compromise security.
  • Automate HTTPS URL Conversion: Automating the conversion of URLs to HTTPS with plugins or similar tools saves time and reduces human error. This ensures that new content is published securely without manually verifying each link.
  • Secure Third-party Integrations: Choosing third-party services that provide or require HTTPS guarantees that external resources are secure. This guards against the risk of pulling insecure scripts or data from outside your site, reducing mixed content errors.

Final thoughts

Fixing this error gives you a newfound appreciation for tools that automate boring tasks. It would be mind-numbingly difficult to do it all by yourself.

However, we’d be remiss to not remind you to take a backup before you get started. Use a backup plugin that can help you restore your site quickly in the event of an error. 

FAQs

How to Resolve “This Request Has Been Blocked, the Content Must Be Served Over HTTPS”?

To resolve this issue, ensure all resources on your site are requested over HTTPS. Start by using developer tools in your browser to identify which resources are loaded over HTTP. Update these links in your code, database, or settings to HTTPS. Additionally, apply site-wide redirects to force every request to the secure version of your site. Updating plugins and themes can also help if they contribute to the issue.

How to Fix Mixed Content HTTPS?

To fix mixed content issues, first, identify which resources (scripts, images, stylesheets) are loading over HTTP instead of HTTPS. You can find these using browser developer tools. Once identified, make sure to update these resources to load via HTTPS. This may involve editing your site’s code, database entries, and theme or plugin configurations. Using plugins that automatically convert HTTP links to HTTPS can also be helpful.

Is HTTPS a Secure Version of HTTP? True or False?

Yes. HTTPS is the secure version of HTTP. It encrypts data transferred between the user’s browser and the server, ensuring confidentiality and integrity. This prevents interception and tampering, providing a secure connection for users.

Why Should You Not Use Any HTTP Resources Over HTTPS?

Using HTTP resources on an HTTPS site can create security vulnerabilities known as mixed content issues. It opens potential for data interception and manipulation by attackers. This compromises the overall security of the site and can undermine user trust. Browsers often block HTTP resources on HTTPS sites or issue warnings to users, leading to a poor experience and potential loss of traffic. To maintain security and trust, ensure all resources are loaded over HTTPS.
