Mixed Content Issues: How to Find and Fix Them
Learn what mixed content is, why HTTPS pages still show insecure warnings, and how to find and fix HTTP images, scripts, stylesheets and embeds.
Introduction
Mixed content happens when a page loads over HTTPS but some resources on that page still load over insecure HTTP. The SSL certificate may be valid, but the browser can still show warnings or block parts of the page because images, scripts, stylesheets, fonts, iframes or API calls are not using HTTPS.
This issue is common after migrating from HTTP to HTTPS, changing domains, moving WordPress sites, enabling a CDN or importing old content with hardcoded HTTP URLs.
Quick answer
Mixed content means an HTTPS page loads some resources over HTTP. Fix it by finding insecure image, script, stylesheet, font, iframe and API URLs, replacing them with HTTPS URLs, updating CMS/database links, and checking the page again in browser developer tools.
Mixed content
Mixed content occurs when the main page is loaded over HTTPS, but one or more resources are loaded over HTTP.
Page:
https://example.com
Insecure image:
http://example.com/uploads/photo.jpg
Insecure script:
http://cdn.example.com/script.js
The page can have a valid SSL certificate and still have mixed content warnings.
Active vs passive content
Active mixed content
- Examples: Scripts, iframes, stylesheets, API requests.
- Risk: Can affect page behavior or security.
- Browser behavior: Often blocked.
Passive mixed content
- Examples: Images, audio, video.
- Risk: Still weakens trust and privacy.
- Browser behavior: May load with warnings or be upgraded/blocked depending on browser policy.
Active mixed content is usually more urgent because it can break site functionality.
Common sources
Hardcoded image URLs
Old uploads or page content still use http://.
Theme or plugin assets
CSS, JavaScript or fonts are loaded with HTTP URLs.
External scripts
Tracking, chat, ads or widgets use insecure URLs.
Embedded media
Videos, maps or iframes use HTTP embed links.
API requests
Frontend code calls HTTP endpoints from an HTTPS page.
CDN URLs
Asset CDN or media domain is not configured for HTTPS.
Database URLs
CMS database contains old HTTP links after migration.
After HTTPS migration
Mixed content often appears because the site was originally built on HTTP. After SSL is installed, the main page changes to HTTPS, but older asset URLs may remain unchanged.
- Old WordPress media URLs
- Hardcoded theme URLs
- Plugin settings using HTTP
- CDN configured with HTTP origin
- Absolute URLs in page builder content
- Old sitemap or canonical settings
- External embeds without HTTPS support
Installing SSL does not automatically rewrite every asset URL inside the website.
Why this matters
Mixed content matters because it can make a secure-looking HTTPS page behave insecurely or break parts of the page. Browsers may block scripts, stylesheets, iframes or requests, causing layout problems, broken checkout, missing images, failed forms or warning messages.
For users, mixed content can make the site look unfinished or unsafe even when the certificate itself is valid.
How to find mixed content
Use browser developer tools, Website Status Checker and HTTP Header Checker to inspect resources loaded by the page.
When checking mixed content, review
These seven checks help find insecure HTTP resources.
Browser console
Open developer tools and look for mixed content warnings.
Network tab
Filter for URLs starting with http://.
Page source
Search for hardcoded http:// URLs.
CMS content
Check pages, posts, widgets, menus and page builder blocks.
Theme and plugin settings
Check logo, fonts, scripts, tracking and CDN settings.
External embeds
Check maps, videos, forms, widgets and third-party scripts.
CDN/media domain
Confirm asset domains support HTTPS.
Check HTTPS page resources
Use Website Status Checker and browser tools to find insecure resources loaded from HTTP.
Common problems
Images load over HTTP
MediumThe page is HTTPS, but image URLs still use http://.
Next step: Replace image URLs with HTTPS or update media URLs in the CMS/database.
JavaScript loads over HTTP
HighBrowsers may block insecure scripts on HTTPS pages.
Next step: Update script URLs to HTTPS or remove unsupported third-party scripts.
CSS loads over HTTP
HighStylesheets may be blocked, causing broken layout.
Next step: Update stylesheet URLs to HTTPS and clear cache.
Fonts load over HTTP
MediumFonts may be blocked or cause console warnings.
Next step: Serve fonts over HTTPS or update font provider URLs.
Iframes or embeds use HTTP
MediumMaps, videos or widgets may be blocked or show warnings.
Next step: Use HTTPS embed URLs or replace unsupported embeds.
API calls use HTTP
HighFrontend requests from HTTPS to HTTP APIs may be blocked.
Next step: Move API endpoints to HTTPS and update frontend code.
CDN asset URL uses HTTP
MediumStatic assets are served from an insecure CDN URL.
Next step: Enable HTTPS on the CDN and update asset URLs.
WordPress database still contains HTTP URLs
MediumOld links remain inside posts, pages, widgets or builder data.
Next step: Run a careful search-and-replace from HTTP to HTTPS after backup.
Cache still serves old HTTP links
LowThe site was updated but cached pages still contain old URLs.
Next step: Clear page cache, CDN cache and browser cache.
How to fix it
-
Step 1: Confirm SSL is valid
Use SSL Checker to make sure HTTPS works before changing content URLs.
-
Step 2: Find insecure resources
Use browser console and network tools to identify HTTP assets.
-
Step 3: Replace HTTP URLs with HTTPS
Update images, scripts, stylesheets, fonts, iframes and API URLs.
-
Step 4: Update CMS settings
Check WordPress/CMS site URL, media paths, plugin settings and theme options.
-
Step 5: Update database links carefully
If needed, run a backup first and replace old HTTP URLs with HTTPS.
-
Step 6: Fix external resources
Use HTTPS versions of third-party widgets or replace services that do not support HTTPS.
-
Step 7: Clear caches
Purge WordPress cache, server cache, CDN cache and browser cache.
-
Step 8: Re-test important pages
Check homepage, checkout, login, forms, blog pages and templates.
WordPress fixes
WordPress mixed content is common after SSL migration.
- WordPress Address URL
- Site Address URL
- Media library URLs
- Page builder content
- Widgets
- Menus
- Theme options
- Logo and favicon settings
- Custom CSS
- Plugin scripts
- Cache and CDN plugin settings
- SEO plugin canonical URLs
Before database search-and-replace, create a backup. Some page builders store serialized data, so use a WordPress-aware replacement tool instead of manual SQL when possible.
Mixed content examples
<img src="http://example.com/uploads/logo.png">
<img src="https://example.com/uploads/logo.png" alt="Company logo">
<script src="http://cdn.example.com/app.js"></script>
<script src="https://cdn.example.com/app.js"></script>
fetch("http://api.example.com/status")
fetch("https://api.example.com/status")
grep -R "http://example.com" ./public_html
curl -I https://example.com
These examples are illustrative. Replace domains and paths with your real website URLs.
When replacement is not enough
Sometimes changing http:// to https:// is not enough.
- The external service does not support HTTPS
- The CDN certificate is missing
- The API endpoint has no SSL certificate
- The resource redirects back to HTTP
- CORS rules block HTTPS requests
- The resource is loaded by JavaScript after page load
- A plugin regenerates HTTP URLs
If a third-party resource does not support HTTPS, replace it with a secure alternative.
Checklist
Check the following pages and resource types for mixed content.
- Homepage
- Important landing pages
- Checkout and payment pages
- Login and register pages
- Contact forms
- Blog templates
- Product pages
- Images and media
- CSS and JavaScript
- Fonts
- Iframes and embeds
- API calls
- CDN asset domain
- Mobile view
- Cached pages
Do not only test the homepage. Mixed content may appear only on specific templates or pages.
Frequently asked questions
What is mixed content?
Mixed content happens when an HTTPS page loads some resources over HTTP.
Can a valid SSL certificate still show mixed content warnings?
Yes. SSL can be valid while images, scripts or other assets still load insecurely.
Which mixed content is most serious?
Scripts, stylesheets, iframes and API requests are usually more serious because browsers may block them or they can affect page behavior.
How do I find mixed content?
Use browser developer tools, especially the console and network tab, and search for http:// resource URLs.
How do I fix mixed content in WordPress?
Update site URLs, media URLs, theme/plugin settings and run a careful HTTP-to-HTTPS replacement after backup.
Can mixed content affect SEO?
Yes. It can affect user trust, page quality, crawl consistency and technical SEO audits.
What if an external script does not support HTTPS?
Replace it with a secure alternative or remove it. Do not load insecure scripts on HTTPS pages.
Related tools
Use these free tools to verify your configuration after applying changes.
Related guides
Browse all SSL & HTTPS guides →Need help applying this fix?
Send us your domain, report link or issue details. CheckDomainHealth will review the request and route it to the right technical team if hands-on support is needed.
Was this guide helpful?
Your feedback helps us improve our guides for everyone.
Thanks for your feedback!