WordPress Mixed Content: Find the HTTP Leak and Fix It Safely

by

Wordpress mixed content feature image

You installed SSL. You expected the padlock to behave. Then your WordPress site says that it is not secure, an image disappears, a form refuses to submit, or Chrome shows blocked loading mixed active content in the Console.

That is the usual WordPress mixed content problem: the page loads over HTTPS, but one image, script, stylesheet, font, iframe, form request, embed, or AJAX call is still being requested over HTTP.

TL;DR: Find the exact HTTP resource first, then fix the place that creates it. Mixed content is usually fixed by correcting HTTP assets, WordPress settings, generated output, redirects, or cache.

Most cases are fixable. The mistake is treating mixed content like one problem with one cure. It is more like a water leak: the stain is visible in one place, but the pipe may be somewhere else.

Start with the source. Consider not starting with editing server files, forcing redirects everywhere, or running a site-wide database replacement because one warning appeared. Mixed content is a symptom. Your job is to find the URL behind it.

What the warning means

Mixed content means an HTTPS page is trying to load something through plain HTTP.

The visible problem is the browser warning. The hidden problem is trust. The browser no longer sees the whole page as secure because one part of it arrived through an insecure route.

Site not secure message

Browsers do not treat every resource the same way. An old image URL may still load, or the browser may try to upgrade it to HTTPS. Scripts, stylesheets, iframes, fonts, AJAX requests, and form actions are more serious because they can change what the page does. Browsers often block those.

That is why a small-looking warning can break something important. One HTTP script can stop a menu. One HTTP form action can interrupt a lead form. One HTTP admin-ajax.php request can make a plugin feature fail only on the pages where that plugin runs.

Treat mixed active content as urgent. A blocked image is annoying. A blocked script, iframe, stylesheet, font, form action, or request can change how the page works.

Why SSL did not fix everything

SSL gives your site a secure connection. It does not rewrite every URL WordPress has saved, generated, cached, or inherited from an old embed. HTTP URLs can hide in dull places. That is why this error often appears after a migration that otherwise looked successful.

  • WordPress settings: WordPress Address or Site Address may still use HTTP.
  • Content: posts, pages, menus, widgets, custom HTML blocks, and media blocks can store absolute HTTP URLs.
  • Builder data: Elementor, Divi, Spectra, and other builders can store URLs inside layouts or generated CSS.
  • Themes and plugins: a component may print an HTTP asset from its settings or code.
  • Outside services: fonts, maps, badges, tracking scripts, videos, iframes, and images may still be HTTP.
  • CDN or proxy settings: HTTPS detection can be wrong behind Cloudflare, a reverse proxy, or a load balancer.
  • Cache: old page output can keep showing a warning after the real source has been fixed.

Cache is where people lose time. Cache can make a fixed site look broken, but clearing the cache rarely fixes the original bad URL. It only removes an old copy of the page.

Choose the right fix

Use the warning as a clue, not as a diagnosis.

If you see thisStart here
Not Secure appears on many pagesCheck SSL, domain version, and WordPress URLs
One image or media file is HTTPEdit the page, block, widget, media reference, or run a safe own-domain search-replace
A plugin or theme folder appears in the HTTP URLUpdate that component, then check its settings
A builder CSS file or layout uses HTTPUse the builder’s URL replacement or asset regeneration tool
An outside script, font, badge, map, iframe, or video is HTTPSwitch to HTTPS, replace it, remove it, or host it safely if allowed
Forms, AJAX, checkout, login, or menus breakCheck HTTPS detection, CDN/proxy settings, plugin settings, and Console errors
The warning remains after a fixClear WordPress, host, CDN, builder, optimization, and browser cache
A certificate warning appears before mixed contentFix SSL first

The pattern matters: a database replacement will not fix a third-party widget that only serves HTTP. A redirect will not clean an old URL inside a page builder layout.

Find the exact HTTP resource

Before changing anything, find the request the browser is complaining about.

  • Open the affected page.
  • Right-click and choose Inspect.
  • Open the Console tab.
  • Refresh the page.
  • Copy the full URL that starts with http://.

If the Console message is vague, check the Network or Security tab. You are looking for the actual insecure request, not the browser’s summary.

Chrome DevTools Console showing the exact HTTP resource behind a mixed content warning

Now ask the simplest question: does the same resource work over HTTPS?

Open the copied URL in a new tab and change http:// to https://. If it loads, the fix is probably to update the stored or generated URL. If it fails, do not force it. Replace the resource, remove it, or use a different source that supports HTTPS.

Why no padlock

If browser tools feel too technical, use a scanner such as WhyNoPadlock to list insecure resources. Treat the scanner as a pointer. It tells you where to look; it does not decide the safest fix for your site.

Why no padlock dashboard

The Network panel is useful when the Console warning does not give you enough detail.

Chrome DevTools Network panel filtered to the insecure HTTP request

Check more than the homepage. Test old posts, high-traffic pages, landing pages, forms, checkout, login, account pages, pages with embeds, and mobile layouts. Mixed content often appears only on one template, one widget, or one builder section.

A warning on one page does not prove the whole site is broken. It proves that one page is loading at least one insecure resource. Fix by source, then retest the pages visitors actually use.

Check SSL and WordPress URLs

Start with the boring checks because they decide whether WordPress keeps generating the wrong links.

Confirm that the SSL certificate is valid, unexpired, and issued for the exact domain visitors use. example.com and www.example.com are not always interchangeable. If you still need to install an SSL certificate, do that before chasing mixed content. If the certificate is invalid or the browser shows a certificate warning before any mixed content warning, fix that first.

WordPress Settings General screen showing HTTPS WordPress Address and Site Address fields

Then go to Settings > General in wp-admin. Make sure WordPress Address (URL) and Site Address (URL) both use https:// and the correct domain version.

If you cannot access wp-admin, ask your host or developer to check the site URL values. Do not guess in the database if you are not comfortable recovering the site afterward. This step is the baseline. It will not rewrite old URLs already saved inside content, builder data, widgets, plugin settings, or custom code.

Fix old URLs in content

Stored HTTP URLs are the most common cause after an HTTPS migration.

If there are only a few, edit them by hand. Open the affected page, post, image block, menu item, widget, custom HTML block, or builder section. Replace your own-domain http:// URL with the correct https:// version.

WordPress block editor showing an old HTTP image URL inside page content

If there are many, use a WordPress-safe bulk method such as Better Search Replace or WP-CLI. Before a bulk change:

Backup details
  • Back up files and the database. The database matters because posts, settings, widgets, menus, and builder layouts live there.
  • Run a dry run first. Check how many replacements would happen before saving anything.
  • Match the exact old URL. Replace http://example.com with https://example.com, or http://www.example.com with https://www.example.com, based on the real site version.
  • Use a serialized-data-safe tool. WordPress stores some values in structured PHP data. A safe tool understands that. Raw SQL and text-editor replacements can break stored data.
  • Do not replace every HTTP link blindly. Some outbound links are just links to other sites. They are not mixed content unless your page loads that resource.

For broad own-domain replacements, a dry run gives you a count to review before anything changes.

Better Search Replace configured for an HTTP to HTTPS dry run

If the site handles orders, leads, memberships, bookings, or paid traffic, do not skip the backup. A bad search-replace can break more than the warning you started with.

Fix plugins, themes, builders, and outside resources

Use this section when the warning keeps returning after the obvious content URLs are fixed. If the HTTP URL is generated by a component or an outside service, database cleanup may not stick. The same bad URL can be printed again on every page load.

  • Plugins: Update the plugin first, then check its settings for asset URLs, API endpoints, custom scripts, form actions, maps, badges, or tracking fields. If the plugin still outputs HTTP and has no setting to change it, contact support or replace it.
  • Themes: Update the theme and check theme options, header and footer scripts, custom CSS, logo URLs, font URLs, and hardcoded assets. Avoid editing parent theme files unless you know how updates will be handled; a child theme or developer fix is safer.
  • Builders: Use the builder’s own URL replacement, CSS regeneration, or asset cleanup tools where available. Builders often store URLs in layouts and generated files, so a normal page edit may not be enough.
  • Outside resources: Change external fonts, scripts, iframes, images, videos, badges, and maps to HTTPS. If the HTTPS version does not load, replace the service, remove the embed, or host the file locally only if you have permission.
  • Malformed URLs: Watch for typos such as httpss:// or duplicated protocols. These can look like SSL problems, but the fix is usually a saved setting or copied embed code.

The clue is usually in the URL path. /wp-content/plugins/ points you toward a plugin. /wp-content/themes/ points you toward a theme. A domain you do not own points you toward an outside service.

For managed maintenance workflows, consider WP Remote’s safe updates are relevant before broad plugin or theme changes.

Use a mixed content plugin carefully

A mixed content plugin can help when you need quick relief or when WordPress still outputs HTTP URLs after a migration.

Plugins such as SSL Insecure Content Fixer or Really Simple SSL can rewrite some insecure URLs before visitors see the page. That is useful when the HTTP resources are on your own domain and already work over HTTPS.

SSL insecure content fixer

Use this path as a bridge, not a permanent hiding place. If an old HTTP URL is stored in the database, the cleaner fix is to update the stored URL. If a plugin, theme, or builder generates the bad URL, fix that source.

SSL insecure content fixer sidebar

Start with the lowest-impact setting that removes the warning. Aggressive capture, AJAX, or output-buffering modes can affect speed or break forms on some sites, so test important pages after each change.

A runtime fixer works while it is active and configured. Source cleanup is better when you can do it safely because the site no longer depends on a plugin intercepting bad output.

Force HTTPS without creating loops

HTTPS redirects are useful. They send visitors from the HTTP version of a page to the HTTPS version. They are not a complete mixed content fix.

Your HTTPS page can still print an HTTP script, image, iframe, or form request. A redirect may happen after the request, but the browser can still warn, and active content can still be blocked. Use one clear HTTPS enforcement method:

  • host or CDN HTTPS setting
  • Apache .htaccess rule
  • nginx server rule
  • Windows web.config rule
  • a WordPress redirect plugin, if your host recommends it

Do not enable every option at once. Multiple redirect systems can create loops, especially behind a CDN or reverse proxy.

HSTS is not a quick repair either. It tells browsers to remember HTTPS for your domain, but it does not clean old WordPress URLs. CSP upgrade-insecure-requests can help in advanced setups, but it should support cleanup, not replace it. The redirect is traffic control. It is not the cleanup crew.

Clear cache and retest

After fixing the source, clear your WordPress cache and every layer that may still hold old page output.

  • Clear WordPress and plugin cache. Purge caching plugins, object cache, and optimization plugins that combine CSS or JavaScript.
  • Clear builder and host cache. Regenerate builder assets if needed, then clear host-level cache.
  • Clear CDN cache. Purge the CDN after source and WordPress caches are cleared.
  • Use a fresh browser session. Open a new private or incognito window instead of reusing the same old tab.
  • Retest with DevTools open. Reload the affected page and confirm no mixed content warnings remain.
  • Check important flows. Test homepage, old posts, forms, checkout, login, account pages, mobile layout, pages with embeds, and pages made with a builder.
A clean retest view showing the page after the HTTP resource has been corrected

If another HTTP URL appears, repeat the same process. Mixed content cleanup often happens one source at a time. Annoying, yes. Still better than making a broad change that breaks production.

Prevent it from returning

Once the site is clean, make HTTPS part of normal site maintenance.

  • Use HTTPS for external scripts, fonts, iframes, tracking tags, videos, and images. Avoid hardcoded HTTP URLs in custom code. Use relative or path-based URLs for your own site only where they make sense, and use explicit HTTPS for outside resources.
  • Keep themes, plugins, and builders updated. Replace abandoned components that still assume HTTP. Monitor SSL renewal, especially if your certificate is not fully managed by the host.
  • Run a quick mixed content check after migrations, redesigns, CDN changes, page-builder changes, domain changes, and new tracking or embed scripts.

Prevention is not “fix once.” It is “check after anything that changes page output.”

When to ask for help

You can fix a visible image, page URL, widget, or simple embed yourself if you can edit it and test it.

  • Ask your host for help when the SSL certificate is invalid, redirects loop, HTTPS detection is inconsistent, or the site uses a CDN, reverse proxy, or load balancer.
  • Ask plugin, theme, or builder support when the HTTP URL comes from their folder, settings, or generated output.
  • Ask a developer when the fix touches database replacements, server config, theme files, plugin files, checkout, login, forms, or revenue-critical pages.
  • If the warning appears alongside strange redirects, spam pages, unknown admin users, unfamiliar files, malware warnings, or sudden Search Console issues, do not treat it as only an SSL cleanup.
  • Scan the site and investigate. MalCare fits here as a broader WordPress security layer for malware scanning, firewall protection, login security, and monitoring.

The rule is simple: fix clear content issues yourself. Escalate server, database, proxy, and code fixes when guessing could take the site down.

FAQs

What is WordPress mixed content?

WordPress mixed content happens when an HTTPS WordPress page loads at least one resource over HTTP. That resource may be an image, script, stylesheet, font, iframe, form request, AJAX request, video, or embed.

How do I fix mixed content in WordPress?

Find the exact HTTP resource in the browser Console or a scanner, then fix the source. That may mean updating WordPress URLs, editing content, running a safe search-replace, updating a plugin or theme, regenerating builder assets, replacing an external resource, correcting CDN settings, and clearing cache.

Why does my WordPress site still say Not Secure after SSL?

SSL protects the connection, but it does not rewrite old HTTP URLs saved in WordPress. Your certificate can be valid while a page still loads an insecure image, script, iframe, font, or form request.

What causes blocked loading mixed active content in WordPress?

It usually means an HTTPS page tried to load active content over HTTP, such as JavaScript, CSS, an iframe, a font, an AJAX request, or a form action. Browsers block these because they can affect how the page behaves.

Can a plugin fix WordPress mixed content?

Sometimes. A plugin can rewrite insecure URLs at page output, which helps for quick relief. It is not always permanent. If the bad URL is stored in the database or generated by a plugin, theme, or builder, fixing the source is better.

Conclusion

Mixed content looks like a browser warning, but the real problem is usually a URL source inside WordPress, a plugin, a theme, a builder, a CDN, cache, or an outside service. Find the exact HTTP URL first. Then choose the fix that matches the source.

Work in this order: confirm SSL and WordPress URLs, clean old stored URLs, fix generated or external resources, use plugins only where they fit, clear cache, and retest the pages that matter.

That keeps the repair focused, avoids risky guesswork, and gives visitors the secure page they expected when they saw HTTPS.

Category:

You may also like


How can we help you?

If you’re worried that your website has been hacked, MalCare can help you quickly fix the issue and secure your site to prevent future hacks.

My site is hacked – Help me clean it

Clean your site with MalCare’s AntiVirus solution within minutes. It will remove all malware from your complete site. Guaranteed.

Secure my WordPress Site from hackers

MalCare’s 7-Layer Security Offers Complete Protection for Your Website. 300,000+ Websites Trust MalCare for Total Defence from Attacks.