Mixed Content Issues: How to Find and Fix Them

Learn what mixed content is, why HTTPS pages still show insecure warnings, and how to find and fix HTTP images, scripts, stylesheets and embeds.

By CheckDomainHealth Editorial Team | Reviewed by Dionis Ceban | Updated Jun 28, 2026 | 8 min read | Beginner

Introduction

Mixed content happens when a page loads over HTTPS but some resources on that page still load over insecure HTTP. The SSL certificate may be valid, but the browser can still show warnings or block parts of the page because images, scripts, stylesheets, fonts, iframes or API calls are not using HTTPS.

This issue is common after migrating from HTTP to HTTPS, changing domains, moving WordPress sites, enabling a CDN or importing old content with hardcoded HTTP URLs.

Quick answer

Mixed content means an HTTPS page loads some resources over HTTP. Fix it by finding insecure image, script, stylesheet, font, iframe and API URLs, replacing them with HTTPS URLs, updating CMS/database links, and checking the page again in browser developer tools.

Mixed content

Mixed content occurs when the main page is loaded over HTTPS, but one or more resources are loaded over HTTP.

Example
Page:
https://example.com

Insecure image:
http://example.com/uploads/photo.jpg

Insecure script:
http://cdn.example.com/script.js

The page can have a valid SSL certificate and still have mixed content warnings.

Active vs passive content

Active mixed content

  • Examples: Scripts, iframes, stylesheets, API requests.
  • Risk: Can affect page behavior or security.
  • Browser behavior: Often blocked.

Passive mixed content

  • Examples: Images, audio, video.
  • Risk: Still weakens trust and privacy.
  • Browser behavior: May load with warnings or be upgraded/blocked depending on browser policy.

Active mixed content is usually more urgent because it can break site functionality.

Common sources

Hardcoded image URLs

Old uploads or page content still use http://.

Theme or plugin assets

CSS, JavaScript or fonts are loaded with HTTP URLs.

External scripts

Tracking, chat, ads or widgets use insecure URLs.

Embedded media

Videos, maps or iframes use HTTP embed links.

API requests

Frontend code calls HTTP endpoints from an HTTPS page.

CDN URLs

Asset CDN or media domain is not configured for HTTPS.

Database URLs

CMS database contains old HTTP links after migration.

After HTTPS migration

Mixed content often appears because the site was originally built on HTTP. After SSL is installed, the main page changes to HTTPS, but older asset URLs may remain unchanged.

  • Old WordPress media URLs
  • Hardcoded theme URLs
  • Plugin settings using HTTP
  • CDN configured with HTTP origin
  • Absolute URLs in page builder content
  • Old sitemap or canonical settings
  • External embeds without HTTPS support

Installing SSL does not automatically rewrite every asset URL inside the website.

Why this matters

Mixed content matters because it can make a secure-looking HTTPS page behave insecurely or break parts of the page. Browsers may block scripts, stylesheets, iframes or requests, causing layout problems, broken checkout, missing images, failed forms or warning messages.

For users, mixed content can make the site look unfinished or unsafe even when the certificate itself is valid.

How to find mixed content

Use browser developer tools, Website Status Checker and HTTP Header Checker to inspect resources loaded by the page.

When checking mixed content, review

These seven checks help find insecure HTTP resources.

Browser console

Open developer tools and look for mixed content warnings.

Network tab

Filter for URLs starting with http://.

Page source

Search for hardcoded http:// URLs.

CMS content

Check pages, posts, widgets, menus and page builder blocks.

Theme and plugin settings

Check logo, fonts, scripts, tracking and CDN settings.

External embeds

Check maps, videos, forms, widgets and third-party scripts.

CDN/media domain

Confirm asset domains support HTTPS.
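
The page-source check above can be scripted. The following is an added example, not part of the original guide: it scans saved HTML for `http://` subresources and labels them active or passive using the guide's own grouping. The class and function names and the sample page are constructed for illustration.

```python
from html.parser import HTMLParser

# Tag -> URL attribute, grouped the way the guide classifies them.
ACTIVE = {"script": "src", "iframe": "src", "link": "href"}
PASSIVE = {"img": "src", "audio": "src", "video": "src", "source": "src"}

class MixedContentScanner(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []  # (kind, tag, url, line)

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        # Only rel=stylesheet is a fetched stylesheet; rel=canonical is metadata.
        if tag == "link" and "stylesheet" not in a.get("rel", "").lower().split():
            return
        for kind, table in (("active", ACTIVE), ("passive", PASSIVE)):
            if tag not in table:
                continue
            url = a.get(table[tag], "").strip()
            # Protocol-relative (//host/...) and https:// URLs are not flagged.
            if url.lower().startswith("http://"):
                self.findings.append((kind, tag, url, self.getpos()[0]))

def scan(html):
    """Return findings with active (more urgent) resources first."""
    scanner = MixedContentScanner()
    scanner.feed(html)
    scanner.close()
    return sorted(scanner.findings, key=lambda f: f[0])

# Constructed sample page reusing the guide's example.com URLs.
SAMPLE = """<html><head>
<link rel="canonical" href="http://example.com/">
<link rel="stylesheet" href="http://example.com/theme/style.css">
<script src="http://cdn.example.com/app.js"></script>
</head><body>
<a href="http://example.com/about">About</a>
<img src="http://example.com/uploads/logo.png">
<img src="https://example.com/uploads/photo.jpg" alt="ok">
<iframe src="//maps.example.com/embed"></iframe>
</body></html>"""

if __name__ == "__main__":
    for kind, tag, url, line in scan(SAMPLE):
        print(f"line {line}: {kind:7} <{tag}> {url}")
```

Plain `<a href>` links and the canonical tag are ignored because navigating to an HTTP URL is not a subresource load. A static scan like this does not see resources that JavaScript requests after page load, so the browser console and network tab remain necessary.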

Common problems

Images load over HTTP

Medium

The page is HTTPS, but image URLs still use http://.

Next step: Replace image URLs with HTTPS or update media URLs in the CMS/database.

JavaScript loads over HTTP

High

Browsers may block insecure scripts on HTTPS pages.

Next step: Update script URLs to HTTPS or remove unsupported third-party scripts.

CSS loads over HTTP

High

Stylesheets may be blocked, causing broken layout.

Next step: Update stylesheet URLs to HTTPS and clear cache.

Fonts load over HTTP

Medium

Fonts may be blocked or cause console warnings.

Next step: Serve fonts over HTTPS or update font provider URLs.

Iframes or embeds use HTTP

Medium

Maps, videos or widgets may be blocked or show warnings.

Next step: Use HTTPS embed URLs or replace unsupported embeds.

API calls use HTTP

High

Frontend requests from HTTPS to HTTP APIs may be blocked.

Next step: Move API endpoints to HTTPS and update frontend code.

CDN asset URL uses HTTP

Medium

Static assets are served from an insecure CDN URL.

Next step: Enable HTTPS on the CDN and update asset URLs.

WordPress database still contains HTTP URLs

Medium

Old links remain inside posts, pages, widgets or builder data.

Next step: Run a careful search-and-replace from HTTP to HTTPS after backup.

Cache still serves old HTTP links

Low

The site was updated but cached pages still contain old URLs.

Next step: Clear page cache, CDN cache and browser cache.

How to fix it

  1. Confirm SSL is valid

    Use SSL Checker to make sure HTTPS works before changing content URLs.

  2. Find insecure resources

    Use browser console and network tools to identify HTTP assets.

  3. Replace HTTP URLs with HTTPS

    Update images, scripts, stylesheets, fonts, iframes and API URLs.

  4. Update CMS settings

    Check WordPress/CMS site URL, media paths, plugin settings and theme options.

  5. Update database links carefully

    If needed, run a backup first and replace old HTTP URLs with HTTPS.

  6. Fix external resources

    Use HTTPS versions of third-party widgets or replace services that do not support HTTPS.

  7. Clear caches

    Purge WordPress cache, server cache, CDN cache and browser cache.

  8. Re-test important pages

    Check homepage, checkout, login, forms, blog pages and templates.

WordPress fixes

WordPress mixed content is common after SSL migration. Review these settings and content areas:

  • WordPress Address URL
  • Site Address URL
  • Media library URLs
  • Page builder content
  • Widgets
  • Menus
  • Theme options
  • Logo and favicon settings
  • Custom CSS
  • Plugin scripts
  • Cache and CDN plugin settings
  • SEO plugin canonical URLs

Before database search-and-replace, create a backup. Some page builders store serialized data, so use a WordPress-aware replacement tool instead of manual SQL when possible.
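
Why a plain SQL replace corrupts serialized page-builder data, shown as an added example (not code from this guide or from WordPress): PHP's `serialize()` stores each string as `s:<byte length>:"<value>";`, so changing `http://` to `https://` adds one byte and the stored length no longer matches, which makes PHP's `unserialize()` fail. The function names and the sample option value are constructed for illustration.

```python
import re

STR_TOKEN = re.compile(rb's:(\d+):"')  # PHP string token: s:<byte length>:"

def naive_replace(blob, old, new):
    """What a plain SQL REPLACE() does: text changes, s:N: prefixes do not."""
    return blob.replace(old, new)

def serialized_replace(blob, old, new):
    """Replace inside each serialized string and rewrite its length prefix."""
    out, i = bytearray(), 0
    while i < len(blob):
        m = STR_TOKEN.match(blob, i)
        # A real token starts the blob or follows ';', '{' or '}'.
        if m and (i == 0 or blob[i - 1:i] in (b";", b"{", b"}")):
            start = m.end()
            end = start + int(m.group(1))  # lengths are bytes, not characters
            if blob[end:end + 2] != b'";':
                raise ValueError(f"length prefix at byte {i} does not match")
            value = blob[start:end].replace(old, new)
            out += b's:%d:"%s";' % (len(value), value)
            i = end + 2
        else:
            out.append(blob[i])
            i += 1
    return bytes(out)

def lengths_valid(blob):
    """True if every s:N: prefix matches its payload (identity replace)."""
    try:
        serialized_replace(blob, b"http://", b"http://")
        return True
    except ValueError:
        return False

# Constructed sample of a page-builder option value (not from a real site).
SAMPLE = b'a:1:{s:4:"logo";s:35:"http://example.com/uploads/logo.png";}'

if __name__ == "__main__":
    broken = naive_replace(SAMPLE, b"http://", b"https://")
    fixed = serialized_replace(SAMPLE, b"http://", b"https://")
    print(lengths_valid(broken), broken)  # stale s:35: prefix
    print(lengths_valid(fixed), fixed)    # prefix rewritten to s:36:
```

This sketch does not handle serialized data stored inside another serialized string, which is one more reason to run a maintained WordPress-aware tool against a real database.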

Mixed content examples

Problem image:
<img src="http://example.com/uploads/logo.png">

Fixed image:
<img src="https://example.com/uploads/logo.png" alt="Company logo">

Problem script:
<script src="http://cdn.example.com/app.js"></script>

Fixed script:
<script src="https://cdn.example.com/app.js"></script>

Problem API call:
fetch("http://api.example.com/status")

Fixed API call:
fetch("https://api.example.com/status")

Find HTTP URLs:
grep -R "http://example.com" ./public_html

Check page:
curl -I https://example.com

These examples are illustrative. Replace domains and paths with your real website URLs.

When replacement is not enough

Sometimes changing http:// to https:// is not enough.

  • The external service does not support HTTPS
  • The CDN certificate is missing
  • The API endpoint has no SSL certificate
  • The resource redirects back to HTTP
  • CORS rules block HTTPS requests
  • The resource is loaded by JavaScript after page load
  • A plugin regenerates HTTP URLs

If a third-party resource does not support HTTPS, replace it with a secure alternative.

Checklist

Check the following pages and resource types for mixed content.

  • Homepage
  • Important landing pages
  • Checkout and payment pages
  • Login and register pages
  • Contact forms
  • Blog templates
  • Product pages
  • Images and media
  • CSS and JavaScript
  • Fonts
  • Iframes and embeds
  • API calls
  • CDN asset domain
  • Mobile view
  • Cached pages

Do not only test the homepage. Mixed content may appear only on specific templates or pages.

Frequently asked questions

What is mixed content?

Mixed content happens when an HTTPS page loads some resources over HTTP.

Can a valid SSL certificate still show mixed content warnings?

Yes. SSL can be valid while images, scripts or other assets still load insecurely.

Which mixed content is most serious?

Scripts, stylesheets, iframes and API requests are usually more serious because browsers may block them or they can affect page behavior.

How do I find mixed content?

Use browser developer tools, especially the console and network tab, and search for http:// resource URLs.

How do I fix mixed content in WordPress?

Update site URLs, media URLs, theme/plugin settings and run a careful HTTP-to-HTTPS replacement after backup.

Can mixed content affect SEO?

Yes. It can affect user trust, page quality, crawl consistency and technical SEO audits.

What if an external script does not support HTTPS?

Replace it with a secure alternative or remove it. Do not load insecure scripts on HTTPS pages.
