Website Health Guides

Fixing Mixed Content Errors on WordPress

Learn how to fix WordPress mixed content errors after HTTPS migration by updating URLs, database content, themes, plugins, CDN settings and cache.

By CheckDomainHealth Editorial Team Reviewed by Dionis Ceban Updated Jun 28, 2026 11 min read Beginner

Introduction

Mixed content errors happen when a WordPress page loads over HTTPS but some resources on the page still load over HTTP. These resources can include images, CSS files, JavaScript files, fonts, iframes, videos, plugin assets, theme files or CDN URLs.

Browsers may block insecure resources or show a “Not secure” warning even if the SSL certificate is valid. Fixing mixed content usually means finding old HTTP URLs inside WordPress settings, database content, theme files, plugins, CDN settings and cached pages, then replacing them with HTTPS versions.

Quick answer

Quick answer

To fix WordPress mixed content, confirm WordPress Address and Site Address use HTTPS, replace old HTTP URLs in content/database, update theme and plugin asset URLs, check CDN/media URLs, clear all caches, and use browser developer tools or an HTTP Header/SSL checker to confirm all resources load over HTTPS.

Mixed content

Mixed content means the main page loads securely over HTTPS, but one or more resources load insecurely over HTTP.

Common mixed content resources:

  • images
  • CSS files
  • JavaScript files
  • fonts
  • videos
  • iframes
  • embedded forms
  • plugin assets
  • theme assets
  • CDN files
  • background images
  • hardcoded links

A valid SSL certificate does not automatically fix mixed content. The page resources must also use HTTPS.

Active vs passive

Browsers treat mixed content differently depending on the resource type.

Passive mixed content

Usually images, audio or video. Browsers may still load it but can show warnings.

Active mixed content

Scripts, stylesheets, iframes or other resources that can affect page behavior. Browsers often block these resources.

Active mixed content is more serious because it can break layout, functionality, forms, menus, sliders, checkout pages or admin features.

Why it happens

Mixed content is common after moving a WordPress site from HTTP to HTTPS.

Common causes:

  • WordPress Address still uses HTTP
  • Site Address still uses HTTP
  • old image URLs in posts/pages
  • hardcoded HTTP URLs in theme files
  • plugin settings with HTTP URLs
  • page builder content saved with HTTP URLs
  • CDN URL still uses HTTP
  • old CSS background images
  • external fonts or scripts using HTTP
  • widgets or embeds using HTTP
  • cached HTML still contains HTTP URLs
  • database migration kept old URLs

WordPress stores URLs in many places, so fixing only the homepage setting may not be enough.

Where to look first

WordPress mixed content checklist

The browser console usually shows the exact insecure HTTP resource causing the warning.

Settings → General

Review WordPress site URL settings.

WordPress Address URL

Confirm it uses HTTPS.

Site Address URL

Confirm it uses HTTPS.

Media library

Check image URLs for old HTTP links.

Page builder content

Review saved builder sections and assets.

Theme options

Check logo, background and asset URLs.

Plugin settings

Review CDN, tracking and embed URLs.

Widgets

Check text widgets and embeds.

Menus

Review custom links still using HTTP.

Custom CSS

Search for http:// in custom styles.

Header/footer scripts

Check hardcoded external URLs.

CDN plugin settings

Confirm CDN hostname uses HTTPS.

Cache plugin settings

Purge cache after URL fixes.

Database old URLs

Search for http://yourdomain.com in content.

Browser console

Read mixed content warning messages.

Why this matters

Why this matters

Mixed content matters because it weakens HTTPS trust and can break website functionality. Users may see browser warnings, secure padlock may disappear, CSS or JavaScript may be blocked, and forms or checkout flows may stop working correctly.

Mixed content can also affect SEO, conversion rate, analytics, user confidence and technical quality after an HTTPS migration.

How to find it

Use browser developer tools, SSL checks and page inspection to find insecure resources.

Check in this order:

  1. Open the page in browser — look for Not Secure warnings or missing padlock.
  2. Browser console — open developer tools and search for mixed content warnings.
  3. Network tab — filter requests by http://.
  4. Page source — search for http:// in HTML.
  5. WordPress settings — confirm WordPress Address and Site Address use HTTPS.
  6. Content/database — search old HTTP domain URLs in posts, pages and options.
  7. Theme/plugin assets — check whether files are hardcoded with HTTP.
  8. CDN/cache — clear cache and confirm CDN URLs use HTTPS.

Verify HTTPS

Use SSL Checker to confirm your certificate is valid and HTTPS loads correctly before fixing mixed content.

Run SSL Check →
Useful checks
Search page source:
curl -s https://example.com | grep -i "http://"

Check headers:
curl -I https://example.com

Follow redirects:
curl -IL http://example.com

WP-CLI dry run:
wp search-replace 'http://example.com' 'https://example.com' --all-tables --dry-run

Find HTTP URLs in theme files:
grep -R "http://" wp-content/themes/your-theme/

Find HTTP URLs in plugins:
grep -R "http://" wp-content/plugins/

Command examples are illustrative. Some commands require SSH access. Use backups and avoid editing production files blindly.

Common problems

WordPress URL still uses HTTP

High

WordPress Address or Site Address still points to the insecure version.

Next step: Update both URLs to HTTPS in Settings → General or wp-config.php if needed.

Old image URLs in content

Medium

Posts or pages contain images saved with http:// URLs.

Next step: Run a safe search-and-replace from HTTP to HTTPS for your domain.

Page builder saved HTTP URLs

Medium

Builder content stores image, background or link URLs separately.

Next step: Update builder settings/content and regenerate CSS if needed.

Theme hardcodes HTTP assets

Medium

Theme files load CSS, JS, fonts or images over HTTP.

Next step: Update theme code to use HTTPS or protocol-relative/WordPress functions.

Plugin loads insecure resources

Medium

A plugin includes external scripts, styles or images over HTTP.

Next step: Update plugin settings, replace the plugin or contact the developer.

CDN URL uses HTTP

High

Assets load from an HTTP CDN hostname.

Next step: Update CDN configuration and plugin CDN URL to HTTPS.

CSS background images use HTTP

Medium

Background images inside CSS files still point to HTTP.

Next step: Update CSS, theme options or generated builder CSS.

External embed uses HTTP

Medium

Iframe, video, map or widget loads insecurely.

Next step: Replace with HTTPS embed URL or remove unsupported embed.

Cache still serves old HTTP links

Low

Old cached HTML contains insecure URLs after fixes.

Next step: Clear WordPress, plugin, CDN, server and browser cache.

Database replacement broke serialized data

High

Unsafe search-and-replace damaged serialized WordPress options.

Next step: Restore backup and use a WordPress-aware search-replace tool.

How to fix it

  1. Step 1: Back up the website

    Back up files and database before changing URLs.

  2. Step 2: Confirm SSL works

    Make sure the certificate is valid for the domain and HTTPS loads.

  3. Step 3: Update WordPress URLs

    Set WordPress Address and Site Address to HTTPS.

  4. Step 4: Replace old internal URLs

    Replace http://yourdomain.com with https://yourdomain.com using a safe WordPress-aware method.

  5. Step 5: Fix page builder content

    Update saved builder CSS, background images and generated assets.

  6. Step 6: Check theme and plugins

    Find hardcoded HTTP assets and update or replace them.

  7. Step 7: Update CDN settings

    Make sure CDN hostname and asset URLs use HTTPS.

  8. Step 8: Clear all caches

    Clear WordPress cache, plugin cache, server cache, CDN cache and browser cache.

  9. Step 9: Re-test important pages

    Check homepage, service pages, blog posts, forms, checkout and admin pages.

Mixed content examples
Example 1: Image mixed content

Page:
https://example.com/about

Browser console:
Mixed Content: The page was loaded over HTTPS, but requested an insecure image:
http://example.com/wp-content/uploads/team.jpg

Fix:
Replace image URL with:
https://example.com/wp-content/uploads/team.jpg

Example 2: CSS mixed content

CSS file contains:
background-image: url("http://example.com/wp-content/uploads/bg.jpg");

Fix:
Update generated CSS or theme option to HTTPS.

Example 3: Plugin script

HTML contains:
<script src="http://thirdparty.example/widget.js"></script>

Fix:
Use HTTPS version if provider supports it or remove/replace the widget.

Examples are illustrative. Always check whether external resources support HTTPS before replacing their URLs.

Search and replace

Many mixed content issues come from old URLs stored in the database.

Replace http://example.com with https://example.com for your own domain.

Important: Use tools that understand WordPress serialized data. A normal raw database replace can break serialized options.

  • WP-CLI search-replace
  • trusted migration plugin
  • database tool that supports serialized data
  • staging environment before production
  • full database backup before replacement

Avoid replacing every http:// URL globally because external websites may not support HTTPS.

WP-CLI examples

WP-CLI search-replace
Dry run first:
wp search-replace 'http://example.com' 'https://example.com' --all-tables --dry-run

Run replacement:
wp search-replace 'http://example.com' 'https://example.com' --all-tables

Skip GUID column:
wp search-replace 'http://example.com' 'https://example.com' --all-tables --skip-columns=guid

Check current site URLs:
wp option get home
wp option get siteurl

Update site URLs:
wp option update home 'https://example.com'
wp option update siteurl 'https://example.com'

Examples are illustrative. Replace example.com with your real domain. Back up the database first and test on staging where possible.

Theme and plugins

Some mixed content comes from code, not database content.

Check:

  • header.php
  • footer.php
  • functions.php
  • theme options
  • custom CSS
  • custom JavaScript
  • plugin settings
  • tracking scripts
  • embedded widgets
  • page builder generated files
  • child theme files

Look for http:// hardcoded URLs, old CDN URLs, insecure font URLs, insecure script URLs and insecure iframe embeds.

Use WordPress functions like wp_enqueue_script and wp_enqueue_style where possible instead of hardcoding asset URLs.

Page builders can store image URLs, background images and generated CSS separately.

  • section background images
  • widget image URLs
  • custom CSS
  • global theme styles
  • generated CSS files
  • template library items
  • header/footer builder
  • popup templates
  • form embeds

Some builders have a “replace URL” or “regenerate CSS” option that helps after HTTPS migration.

CDN and cache

CDN and caching layers can keep mixed content visible even after WordPress is fixed.

Check:

  • CDN URL uses HTTPS
  • CDN certificate is valid
  • CDN rewrite rules
  • cache plugin CDN settings
  • image optimization CDN
  • static asset cache
  • full-page cache
  • generated CSS cache
  • browser cache
  • server cache

After fixing URLs, purge CDN and WordPress cache before testing again.

Frequently asked questions

What is mixed content?

Mixed content happens when an HTTPS page loads some resources over HTTP.

Why does WordPress have mixed content after SSL?

Old HTTP URLs may remain in posts, pages, options, theme files, plugins, CSS, CDN settings or cache.

Does a valid SSL certificate fix mixed content?

No. SSL secures the main domain, but page resources must also load over HTTPS.

Can mixed content break my site?

Yes. Browsers may block scripts, styles or iframes, which can break layout or functionality.

Can I replace all http:// URLs with https://?

Only for resources that support HTTPS, especially your own domain. Avoid blind global replacements across unrelated external URLs.

Why does mixed content remain after I fixed URLs?

Cache, CDN, generated CSS, page builder files or plugin settings may still contain old HTTP links.

What should I check first?

Check browser console, WordPress Address/Site Address, old media URLs, page builder content, CDN settings and cache.

Use these free tools to verify your configuration after applying changes.

Browse all Website Health guides →

Need help applying this fix?

Send us your domain, report link or issue details. CheckDomainHealth will review the request and route it to the right technical team if hands-on support is needed.

Get Help Run Domain Health Check

Was this guide helpful?

Your feedback helps us improve our guides for everyone.