Security

How to Fix HTTPS Mixed Content Warnings on Your WordPress Site

by dotCanada Team
How to Fix HTTPS Mixed Content Warnings on Your WordPress Site

You have installed an SSL certificate, your domain starts with https://, and yet the padlock icon in the browser is broken, grey, or showing a warning triangle. The almost certain cause is mixed content - and it is one of the most common issues that surfaces when a WordPress site moves from HTTP to HTTPS for the first time.

What Mixed Content Is

Mixed content occurs when a page served over HTTPS loads one or more resources - images, scripts, stylesheets, iframes - over plain HTTP. The browser has a secure, encrypted connection to your page, but then that page is pulling in unencrypted resources. This breaks the security chain.

Browsers handle mixed content in two ways:

  • Passive mixed content (images, audio, video over HTTP): The browser typically loads these but shows a broken or degraded padlock
  • Active mixed content (scripts and stylesheets over HTTP): Modern browsers block these entirely, which can break page functionality

Either way, the result from a visitor's perspective is that your site does not look fully secure - and for many users, a broken padlock is a trust signal they notice.

Why Mixed Content Happens

The most common cause is a site that existed for years as http:// and was then switched to https://. During that time, content was created with hardcoded HTTP URLs. Images uploaded through the WordPress media library, links in post content, theme setting values, and plugin configurations all have the old http:// domain stored in the database. Installing an SSL certificate changes how WordPress serves pages, but it does not retroactively update all those stored values.

Other causes include:

  • Third-party embeds using HTTP URLs (old YouTube embed codes, map embeds)
  • Theme or plugin settings that store full URLs rather than relative paths
  • Custom HTML blocks or widgets with hardcoded HTTP image sources

How to Find Mixed Content

Browser developer console: Open Chrome or Firefox, navigate to the affected page, and open Developer Tools (F12). The Console tab will show warnings for every mixed content resource with the exact URL that is causing the problem. This is the quickest way to see what is happening on a specific page.

Why No Padlock: This free online tool at whynopadlock.com scans a URL and lists all insecure resources it finds. Good for a quick overview without opening developer tools.

Mixed content scanners: Tools like Really Simple SSL's scanner or dedicated browser extensions can crawl your site and report mixed content across multiple pages at once, saving time on larger sites.

The Fix Options

Option 1: Really Simple SSL plugin (easiest) For most WordPress sites, the Really Simple SSL plugin is the fastest path to resolving mixed content. It handles the WordPress address settings, sets up HTTP-to-HTTPS redirects, and applies content filters that rewrite HTTP URLs to HTTPS on the fly. Install it, activate it, and follow the setup wizard. For many sites, this resolves mixed content immediately without any database changes.

Option 2: Better Search Replace for hardcoded URLs If Really Simple SSL does not catch everything - or if you prefer to fix the URLs at the source in the database - use the Better Search Replace plugin (described in detail in our search and replace guide). Replace http://yourdomain.ca with https://yourdomain.ca across all tables. This permanently fixes the stored URLs rather than rewriting them on every page load.

Option 3: Update WordPress Address Settings Go to Settings > General in WordPress and confirm both "WordPress Address (URL)" and "Site Address (URL)" use https://. If they still show http://, WordPress is generating HTTP URLs for core content even with SSL active.

Preventing Mixed Content on New Sites

If you are launching a new site or rebuilding an existing one on a host with SSL already configured:

  • Always set WordPress Address and Site Address to https:// from day one
  • Use relative URLs in custom HTML wherever possible
  • When embedding third-party content, always use the https:// version of the embed code
  • After installing new plugins or themes, do a quick console check on the homepage to confirm no new HTTP resources have appeared

Once all mixed content is resolved, your padlock should be solid and green. At dotCanada, SSL certificates are included with all hosting plans, and our support team can help you work through mixed content issues if you run into anything that the plugin approach does not resolve.

#https#ssl#wordpress#security

Related Articles

How to Perform a Basic Security Audit of Your WordPress Website
Security

How to Perform a Basic Security Audit of Your WordPress Website

Most WordPress hacks exploit the same handful of gaps. Run through this checklist in an afternoon and close the vulnerabilities before someone else finds them.

Read more →
Cloud Backup Strategies for Your Website: Beyond the Hosting Backup
Security

Cloud Backup Strategies for Your Website: Beyond the Hosting Backup

Hosting backups are a safety net with a hole in it. Here is how to build a real backup strategy that protects your site even if your server burns down.

Read more →
How to Back Up Your Website Using cPanel Backup Tools
Security

How to Back Up Your Website Using cPanel Backup Tools

Backups are the safety net every website needs. cPanel includes powerful backup tools that make it straightforward to protect your files, databases, and email data - and to restore everything quickly if the unexpected happens.

Read more →

100% Satisfaction Guarantee

We're so confident you'll love dotCanada that we offer a 30-day money-back guarantee. Not satisfied? Get a full refund, no questions asked.

Ready to Get Started?

Join thousands of Canadian website owners who trust dotCanada for reliable, fast web hosting.

Get Started Today