WordPress Mixed Content Error HTTPS
What Is This Error?
A mixed content error appears when your WordPress site runs on HTTPS but still attempts to load certain resources — images, stylesheets, or JavaScript files — over the old, unencrypted HTTP protocol. Browsers either block those resources silently or replace the padlock icon in the address bar with a warning symbol, signaling to visitors that the page isn’t fully secure.
From a visitor’s perspective, this might show up as broken images, unstyled page sections, or JavaScript-powered features that stop responding. Even when the visual damage looks minor, the security warning alone is enough to shake user trust — and modern browsers like Chrome now actively label these pages as “Not Fully Secure.”
This error is especially common right after migrating a WordPress site from HTTP to HTTPS, or after installing an SSL certificate without updating the URLs already stored inside the WordPress database.
Get free WordPress & AI tips
Join 500+ readers. No spam, unsubscribe anytime.
Why Does This Happen?
- WordPress Site URL still set to HTTP: If Settings > General still shows
http://, WordPress generates HTTP links for all internal content automatically. - Database content not updated after SSL migration: WordPress stores post content, image URLs, and widget data in the database using the old HTTP address — these don’t change on their own when you switch to HTTPS.
- Hardcoded HTTP links in themes or plugins: Some themes and plugins write absolute URLs directly into their code, completely bypassing WordPress’s URL settings.
- Third-party scripts or embeds loading via HTTP: Analytics snippets, ad networks, or embedded media pulled in over HTTP will trigger mixed content warnings even if your own site content is clean.
- CSS stylesheets referencing HTTP image paths: Background images defined inside CSS files often still point to HTTP URLs set during the original site build and are easy to overlook.
How to Fix It — Step by Step
- Update WordPress URL settings in the dashboard. Go to Settings > General and change both “WordPress Address (URL)” and “Site Address (URL)” from
http://tohttps://. Click Save Changes.You should see: The settings page reloads and both URL fields now display the https:// version of your domain.
- Add an HTTPS enforcement line to wp-config.php. Open your
wp-config.phpfile via FTP or your host’s file manager and add this line just before the “That’s all, stop editing!” comment:define('FORCE_SSL_ADMIN', true);You should see: Your WordPress admin panel loads exclusively over HTTPS from this point on.
- Run a database search and replace to swap HTTP URLs. If you have WP-CLI access via SSH, run this command (replace the domain with your own):
wp search-replace 'http://yourdomain.com' 'https://yourdomain.com' --skip-columns=guidNo WP-CLI? Install the free Better Search Replace plugin — it does the exact same thing safely from inside your dashboard.
You should see: A results table showing how many rows were updated across your database tables (posts, postmeta, options, etc.).
- Force HTTPS redirects at the server level via .htaccess. Open the
.htaccessfile in your site’s root folder and insert this block above the existing WordPress rewrite rules:RewriteEngine On RewriteCond %{HTTPS} off RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]You should see: Any attempt to visit the HTTP version of your site immediately redirects to HTTPS with a 301 status.
- Scan for any remaining mixed content issues. Open your site in Chrome, press
F12to launch DevTools, and click the Console tab. Look for lines flagged as “Mixed Content.” Each warning names the exact HTTP resource still causing the problem. Fix those URLs individually in your theme files, the media library, or the offending plugin’s settings.You should see: A clean console with no mixed content warnings and a solid padlock icon in the browser address bar.
Common Mistakes When Fixing This
- Running search-replace without a backup first: A typo in your domain name during search-replace can corrupt post content site-wide. Always export a full database backup before touching it — this takes two minutes and can save hours of recovery work.
- Only updating Settings > General and calling it done: Changing the URL in the dashboard updates future-generated links, but it does nothing for the thousands of HTTP URLs already saved inside your database. The search-replace step is non-negotiable.
- Omitting
--skip-columns=guidfrom the WP-CLI command: Theguidcolumn stores permanent post identifiers. Replacing those values breaks RSS feeds and can create duplicate content issues that are painful to untangle. - Relying entirely on a redirect plugin as the permanent fix: Plugins like Really Simple SSL fix the surface problem quickly, but they patch mixed content via JavaScript — which can miss content inside certain page builders or custom database fields. A proper database URL replacement is the durable solution.
Frequently Asked Questions
Does mixed content actually hurt my Google ranking?
Yes, indirectly. Google uses HTTPS as a ranking signal, and mixed content warnings undermine that signal by showing your page isn’t fully secure. Chrome also displays visible warnings that can increase bounce rates, which compounds the SEO impact over time.
Can I fix this without using the command line?
Absolutely. The free version of the Better Search Replace plugin handles the full database URL replacement from inside the WordPress dashboard — no SSH or WP-CLI knowledge required. It’s a reliable choice for shared hosting environments.
What if the padlock is still broken after completing all the steps?
Head to Chrome DevTools (F12), open the Console tab, and look for “Mixed Content” warning messages. Each one tells you the exact URL of the resource still loading over HTTP. Common culprits at this stage are external fonts, embedded YouTube thumbnails, or an old plugin that hardcodes its asset path.
Do I need a paid SSL certificate for this fix to work?
No. Free SSL certificates issued by Let’s Encrypt work perfectly well — the browser doesn’t care whether you paid for the certificate or not, only that it’s valid. Most modern hosting providers include a free Let’s Encrypt certificate directly in their control panel under the SSL or Security section.
