Fix Mixed Content Warnings

Chrome shows “Not Secure” on your HTTPS site. Your SSL is installed, but one resource is loading over HTTP. Here’s how to find and fix it.

What this covers: How to find the resource that is loading over HTTP on your HTTPS site and fix it, including finding mixed content and identifying the root cause by content type.

Who it’s for: WordPress site owners and administrators who need to secure their site against common threats.

Key outcome: Chrome shows a padlock icon (no “Not Secure” warning), and the DevTools Console shows no mixed content warnings.

Time to read: 5 minutes

Part of: Security + Infrastructure series

Mixed content warnings appear when secure pages load insecure resources, breaking the padlock icon. This is one of the most common HTTPS issues in 2026, even on sites with valid SSL certificates.

Finding Mixed Content

Chrome tells you exactly what’s loading insecurely. You just need to know where to look.

  1. Open Chrome DevTools (F12 or right-click → Inspect)
  2. Go to the Console tab
  3. Look for “Mixed Content” warnings
  4. Each warning shows the specific URL loading over HTTP

Common culprits: images uploaded before you had SSL, hardcoded URLs in themes, or external scripts that don’t support HTTPS.

Identify the Root Cause by Content Type

Each mixed content type has a different root cause and fix path. The Console warning tells you the resource type—use that to diagnose:

Images (img src="http://..."): Almost always old content uploaded before SSL was enabled. The URLs are stored in the WordPress database (wp_posts and wp_postmeta tables). A search-replace from http:// to https:// across all tables fixes these in bulk.

Scripts (script src="http://..."): Usually hardcoded in theme files, plugin settings, or injected by ad networks. These are “active” mixed content—browsers block them entirely, breaking functionality. Check header.php, footer.php, and any “custom scripts” fields in theme options or plugins.

Stylesheets (link href="http://..."): Often from Google Fonts loaded via http:// or older CDN references. Update the URL scheme in your theme or enqueue function. Google Fonts has supported HTTPS since 2014.

Iframes (iframe src="http://..."): Embedded maps, videos, or third-party widgets. If the source does not support HTTPS, you cannot fix it—you must replace the embed with an alternative provider or remove it. Check YouTube, Google Maps, and social embeds first; they all support HTTPS.

Fonts and media files: Custom font files or audio/video hosted on your server. Same fix as images: database search-replace or updating the hardcoded path in your theme.
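
The diagnosis by content type above, as an added example (not part of the original guide): a Python scanner that reads a page's HTML, finds subresources requested over http://, and labels each one with the active/passive split this guide describes, listing active content first. The sample page and the names MixedContentScanner and find_mixed_content are constructed for illustration; srcset attributes and URLs inside CSS or JavaScript are not covered.

```python
from html.parser import HTMLParser

# Tag -> URL attribute, grouped as in this guide: scripts, stylesheets and
# iframes are "active"; images, audio and video are "passive".
ACTIVE = {"script": "src", "iframe": "src", "link": "href"}
PASSIVE = {"img": "src", "audio": "src", "video": "src", "source": "src"}

# Constructed sample page (not from a real site).
SAMPLE_PAGE = """<html><head>
<link rel="canonical" href="http://yoursite.com/post/">
<link rel="stylesheet" href="http://fonts.googleapis.com/css?family=Lato">
<script src="https://yoursite.com/wp-includes/js/jquery.js"></script>
</head><body>
<img src="http://yoursite.com/wp-content/uploads/old-photo.jpg">
<a href="http://example.com/">plain link, not mixed content</a>
<script src="http://ads.example.com/tag.js"></script>
<iframe src="//maps.example.com/embed"></iframe>
</body></html>"""

class MixedContentScanner(HTMLParser):
    """Collects subresources that an HTTPS page would request over http://."""

    def __init__(self):
        super().__init__()
        self.findings = []  # (line, category, tag, url)

    def handle_starttag(self, tag, attrs):
        attr_name = ACTIVE.get(tag) or PASSIVE.get(tag)
        if attr_name is None:
            return  # e.g. <a href>: a navigation link is not a subresource
        attrs = dict(attrs)
        # <link> fetches a stylesheet only for rel="stylesheet"; canonical is skipped.
        if tag == "link" and "stylesheet" not in (attrs.get("rel") or "").lower().split():
            return
        url = (attrs.get(attr_name) or "").strip()
        if url.lower().startswith("http://"):
            category = "active" if tag in ACTIVE else "passive"
            self.findings.append((self.getpos()[0], category, tag, url))

def find_mixed_content(html):
    """Return findings with active content first, then by line number."""
    scanner = MixedContentScanner()
    scanner.feed(html)
    scanner.close()
    return sorted(scanner.findings, key=lambda f: (f[1] != "active", f[0]))

if __name__ == "__main__":
    for line, category, tag, url in find_mixed_content(SAMPLE_PAGE):
        print(f"line {line}: {category:7} <{tag}> {url}")
```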

Fixing Mixed Content in WordPress

Plugin method (recommended):

  1. Install Better Search Replace
  2. Search for: http://yoursite.com
  3. Replace with: https://yoursite.com
  4. Run on all tables (do a dry run first to see what will change)
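
Why this search-replace is done with a dry run instead of a raw SQL REPLACE, as an added example (not the plugin's own code): WordPress stores many settings as PHP-serialized strings that record each string's byte length, so changing http:// to https:// must also update that length. The rows, option names and function names below are constructed for illustration.

```python
import re

# Matches the header of a PHP-serialized string: s:<byte length>:"
_STR_HEADER = re.compile(rb's:(\d+):"')

OLD, NEW = b"http://yoursite.com", b"https://yoursite.com"

# Constructed rows in the shape of wp_options / wp_posts values.
SAMPLE_ROWS = {
    "theme_mods_example": b'a:1:{s:4:"logo";s:30:"http://yoursite.com/a/logo.png";}',
    "post_content_42": b'<img src="http://yoursite.com/a/photo.jpg">',
    "blogname": b"My Site",
}

def looks_serialized(value):
    """Rough check for a PHP-serialized array, object or string."""
    return re.match(rb"[aOs]:\d+:", value) is not None and value[-1:] in (b";", b"}")

def replace_in_serialized(data, old, new):
    """Replace inside each s:N:"..." payload and rewrite N to the new byte length."""
    out, i = bytearray(), 0
    while i < len(data):
        m = _STR_HEADER.match(data, i)
        if not m:
            out.append(data[i])  # structural byte (a:1:{ i:5; } ...): copy as-is
            i += 1
            continue
        end = m.end() + int(m.group(1))
        if data[end:end + 2] != b'";':
            raise ValueError(f"declared length does not match data at offset {i}")
        body = data[m.end():end].replace(old, new)
        out += b's:%d:"%s";' % (len(body), body)
        i = end + 2  # skip past the closing ";
    return bytes(out)

def dry_run(rows, old=OLD, new=NEW):
    """Return {key: new_value} for rows that would change; nothing is written."""
    changes = {}
    for key, value in rows.items():
        fixed = (replace_in_serialized(value, old, new)
                 if looks_serialized(value) else value.replace(old, new))
        if fixed != value:
            changes[key] = fixed
    return changes

if __name__ == "__main__":
    for key, value in dry_run(SAMPLE_ROWS).items():
        print(key, "->", value.decode())
```

A plain byte replace on the first row would leave s:30 in front of a 31-byte string, which PHP then fails to unserialize.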

For hardcoded URLs in theme files:

  • Check your theme’s header.php, footer.php, and functions.php
  • Look for http:// URLs and change them to https://
  • Or use protocol-relative URLs: //yoursite.com/image.jpg

Other Causes of “Not Secure”

Certificate Expired

SSL certificates expire. Check yours:

  • Click the padlock (or “Not Secure”) in the address bar
  • Click “Certificate” or “Connection is secure”
  • Check the expiration date

If expired, renew through your host. Let’s Encrypt certificates auto-renew if configured correctly.

Certificate Doesn’t Match Domain

The certificate was issued for www.yoursite.com but you’re accessing yoursite.com (or vice versa).

Fix: Get a certificate that covers both (most free certs do), or set up a redirect from one to the other.

Forcing HTTPS Site-Wide

Once SSL is working, force all traffic to HTTPS:

WordPress

  1. Go to Settings → General
  2. Update both WordPress Address and Site Address to https://
  3. Install Really Simple SSL to handle redirects automatically

Server Level (.htaccess)

Add to .htaccess for Apache servers:

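# Redirect every plain-HTTP request to the same host and path over HTTPS.
# If TLS ends at a proxy or load balancer, %{HTTPS} may always read "off" here.
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]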

Hosting Dashboard

Most managed hosts (WP Engine, SiteGround, Kinsta) have a “Force HTTPS” toggle. Check your hosting dashboard first—it’s often the easiest method.

Testing Your SSL

Use SSL Labs to verify your configuration:

  • Enter your domain and run the test
  • Aim for grade A or A+
  • It shows specific issues if anything needs fixing

Mixed Content Questions Answered

Why does Chrome say “Not Secure” when I have an SSL certificate?

Your SSL certificate is working, but at least one resource on the page (image, script, stylesheet, or font) is loading over HTTP instead of HTTPS. Chrome flags the entire page as insecure even if just one resource uses HTTP.

Will mixed content affect my SEO rankings?

Yes. Google uses HTTPS as a ranking signal, and mixed content warnings can prevent your pages from being treated as fully secure. Pages with active mixed content (scripts, iframes) are penalized more heavily than those with passive mixed content (images).

How do I find all mixed content on my WordPress site?

Open Chrome DevTools → Console tab and look for “Mixed Content” warnings. For a site-wide scan, use the free Why No Padlock tool or the Better Search Replace plugin to find and fix http:// URLs stored in your WordPress database.

What is the difference between active and passive mixed content?

Active mixed content (scripts, stylesheets, iframes) can modify the page and is blocked by browsers entirely. Passive mixed content (images, audio, video) is displayed with a warning but not blocked. Fix active mixed content first—it breaks functionality.

✓ Confirming Zero Mixed Content Warnings

  • Chrome shows a padlock icon (no “Not Secure” warning)
  • DevTools Console shows no mixed content warnings
  • SSL Labs gives you an A grade
  • Both http:// and https:// URLs redirect properly