Mixed Content Warning Fix

Your contractor website has SSL installed and shows HTTPS in the address bar — but the padlock icon has a warning triangle, or the browser’s developer tools are showing mixed content errors. In some cases Chrome shows “Not Secure” even though the SSL certificate is valid.

This is a mixed content problem. The page itself loads over HTTPS, but some resources on the page — images, scripts, stylesheets, iframes — are still loading over HTTP. Browsers flag this because those HTTP resources could potentially be intercepted or tampered with, even though the page itself is encrypted.

What Mixed Content Looks Like

Passive mixed content — images and videos loaded over HTTP. The browser loads them but shows a warning in the padlock or developer tools. The page still mostly works.

Active mixed content — JavaScript or CSS files loaded over HTTP. Modern browsers (Chrome, Firefox, Edge) block these entirely. Scripts that are blocked can break page functionality — including contact forms, sliders, and interactive elements.

The difference matters because passive mixed content degrades trust signals, while active mixed content actively breaks site functionality.

What Causes Mixed Content

WordPress Site URL Migration

The most common cause for contractor sites. The site was originally built with http:// URLs throughout — in the database, in theme files, in uploaded image paths. When SSL was installed and HTTPS activated, the HTTPS connection was configured, but the existing URLs in the content were never updated.

WordPress stores the full URL of every uploaded image in the database. If these were saved as http://example.com/wp-content/uploads/image.jpg, they will still load over HTTP after the SSL switch.

Hardcoded HTTP URLs in Theme Files

A theme or page builder template that hardcodes http:// in its source code — rather than using relative URLs or WordPress’s get_template_directory_uri() function — will continue loading resources over HTTP after the HTTPS switch.

Third-Party Embeds

Embedded content from external sources — Google Maps iframes, video embeds, social media widgets, booking systems — that use an http:// source URL will trigger a mixed content warning. This is common with older Google Maps embed code that uses http://maps.googleapis.com.

Plugin-Loaded Assets

Some plugins load images, scripts, or stylesheets with hardcoded http:// URLs in their source code. An outdated plugin that has not been maintained may not have updated its asset URLs to HTTPS.

How to Find Mixed Content

Browser Developer Tools

In Chrome, right-click → Inspect → Console tab. Mixed content warnings appear as errors or warnings, listing each HTTP resource and the page it was found on. This is the fastest way to see exactly what is loading over HTTP.

Online Tools

Search “mixed content checker” — several free tools scan a URL and list all HTTP resources on the page. Useful for scanning multiple pages without manually inspecting each one.

How to Fix Mixed Content

Fix 1 — Database URL Replacement (WordPress)

Use the Better Search Replace plugin or WP-CLI to replace all instances of http://yourdomain.com with https://yourdomain.com in the WordPress database. This updates every post, page, and image URL saved in the database in one operation.

Via WP-CLI:

wp search-replace 'http://yourdomain.com' 'https://yourdomain.com' --all-tables

Important: Take a full database backup before running any search-replace operation.

Fix 2 — Force SSL Plugin

Install the Really Simple SSL plugin. It automatically enforces HTTPS on all pages and rewrites HTTP references to HTTPS in the page output. This resolves most database URL issues without a manual search-replace.

Note: this is a quick fix that masks the problem rather than correcting URLs at the source. A search-replace is the cleaner permanent fix.

Fix 3 — Update Theme Files

Review the theme’s header, footer, and template files for hardcoded http:// URLs. Replace them with https:// or with protocol-relative URLs (//yourdomain.com). If you are not comfortable editing theme files directly, use a child theme for any changes.

Fix 4 — Update Third-Party Embeds

Re-generate embed code from the source (Google Maps, YouTube, etc.) — modern embed code uses https:// by default. Replace old embed code in posts, pages, and widget areas.

Fix 5 — Update or Replace Plugins

If a plugin is loading HTTP assets, check if an updated version is available. If the plugin has not been updated in over a year, consider replacing it with a maintained alternative.

Mixed Content vs. Full HTTP Site

Mixed content is different from a site that has no SSL at all. If the address bar shows http:// with no padlock (and no warning triangle), the issue is that SSL is not installed or not active — not a mixed content problem.

See Fix Not Secure Warning for sites with no SSL installed, and SSL Errors for certificate-level problems.

After Fixing — Clear Everything

After making the changes above:

1. Clear the WordPress cache (caching plugin, hosting-level cache)
2. Clear Cloudflare cache if the site uses Cloudflare
3. Clear the browser cache
4. Re-test in an incognito window

The padlock should now be clean with no warning triangle.

Related Issues

• Fix Not Secure Warning
• SSL Errors
• SSL Certificate Expired
• Too Many Redirects
• Plugin Conflicts
• Website Security

Get It Resolved

Mixed content errors vary from a single image to dozens of resources across every page. If you have confirmed the padlock warning exists but the browser console output is difficult to interpret, a technical audit will identify every HTTP resource on the site and resolve them systematically.