Fixing Mixed Content Errors on WordPress
Learn how to fix WordPress mixed content errors after HTTPS migration by updating URLs, database content, themes, plugins, CDN settings and cache.
Introduction
Mixed content errors happen when a WordPress page loads over HTTPS but some resources on the page still load over HTTP. These resources can include images, CSS files, JavaScript files, fonts, iframes, videos, plugin assets, theme files or CDN URLs.
Browsers may block insecure resources or show a “Not secure” warning even if the SSL certificate is valid. Fixing mixed content usually means finding old HTTP URLs inside WordPress settings, database content, theme files, plugins, CDN settings and cached pages, then replacing them with HTTPS versions.
Quick answer
To fix WordPress mixed content, confirm WordPress Address and Site Address use HTTPS, replace old HTTP URLs in content/database, update theme and plugin asset URLs, check CDN/media URLs, clear all caches, and use browser developer tools or an HTTP Header/SSL checker to confirm all resources load over HTTPS.
Mixed content
Mixed content means the main page loads securely over HTTPS, but one or more resources load insecurely over HTTP.
Common mixed content resources:
- images
- CSS files
- JavaScript files
- fonts
- videos
- iframes
- embedded forms
- plugin assets
- theme assets
- CDN files
- background images
- hardcoded links
A valid SSL certificate does not automatically fix mixed content. The page resources must also use HTTPS.
Active vs passive
Browsers treat mixed content differently depending on the resource type.
Passive mixed content
Usually images, audio or video. Browsers may still load it but can show warnings.
Active mixed content
Scripts, stylesheets, iframes or other resources that can affect page behavior. Browsers often block these resources.
Active mixed content is more serious because it can break layout, functionality, forms, menus, sliders, checkout pages or admin features.
Why it happens
Mixed content is common after moving a WordPress site from HTTP to HTTPS.
Common causes:
- WordPress Address still uses HTTP
- Site Address still uses HTTP
- old image URLs in posts/pages
- hardcoded HTTP URLs in theme files
- plugin settings with HTTP URLs
- page builder content saved with HTTP URLs
- CDN URL still uses HTTP
- old CSS background images
- external fonts or scripts using HTTP
- widgets or embeds using HTTP
- cached HTML still contains HTTP URLs
- database migration kept old URLs
WordPress stores URLs in many places, so fixing only the homepage setting may not be enough.
Where to look first
WordPress mixed content checklist
The browser console usually shows the exact insecure HTTP resource causing the warning.
Settings → General
Review WordPress site URL settings.
WordPress Address URL
Confirm it uses HTTPS.
Site Address URL
Confirm it uses HTTPS.
Media library
Check image URLs for old HTTP links.
Page builder content
Review saved builder sections and assets.
Theme options
Check logo, background and asset URLs.
Plugin settings
Review CDN, tracking and embed URLs.
Widgets
Check text widgets and embeds.
Menus
Review custom links still using HTTP.
Custom CSS
Search for http:// in custom styles.
Header/footer scripts
Check hardcoded external URLs.
CDN plugin settings
Confirm CDN hostname uses HTTPS.
Cache plugin settings
Purge cache after URL fixes.
Database old URLs
Search for http://yourdomain.com in content.
Browser console
Read mixed content warning messages.
Why this matters
Mixed content matters because it weakens HTTPS trust and can break website functionality. Users may see browser warnings, secure padlock may disappear, CSS or JavaScript may be blocked, and forms or checkout flows may stop working correctly.
Mixed content can also affect SEO, conversion rate, analytics, user confidence and technical quality after an HTTPS migration.
How to find it
Use browser developer tools, SSL checks and page inspection to find insecure resources.
Check in this order:
- Open the page in browser — look for Not Secure warnings or missing padlock.
- Browser console — open developer tools and search for mixed content warnings.
- Network tab — filter requests by http://.
- Page source — search for http:// in HTML.
- WordPress settings — confirm WordPress Address and Site Address use HTTPS.
- Content/database — search old HTTP domain URLs in posts, pages and options.
- Theme/plugin assets — check whether files are hardcoded with HTTP.
- CDN/cache — clear cache and confirm CDN URLs use HTTPS.
Verify HTTPS
Use SSL Checker to confirm your certificate is valid and HTTPS loads correctly before fixing mixed content.
Search page source:
curl -s https://example.com | grep -i "http://"
Check headers:
curl -I https://example.com
Follow redirects:
curl -IL http://example.com
WP-CLI dry run:
wp search-replace 'http://example.com' 'https://example.com' --all-tables --dry-run
Find HTTP URLs in theme files:
grep -R "http://" wp-content/themes/your-theme/
Find HTTP URLs in plugins:
grep -R "http://" wp-content/plugins/
Command examples are illustrative. Some commands require SSH access. Use backups and avoid editing production files blindly.
Common problems
WordPress URL still uses HTTP
HighWordPress Address or Site Address still points to the insecure version.
Next step: Update both URLs to HTTPS in Settings → General or wp-config.php if needed.
Old image URLs in content
MediumPosts or pages contain images saved with http:// URLs.
Next step: Run a safe search-and-replace from HTTP to HTTPS for your domain.
Page builder saved HTTP URLs
MediumBuilder content stores image, background or link URLs separately.
Next step: Update builder settings/content and regenerate CSS if needed.
Theme hardcodes HTTP assets
MediumTheme files load CSS, JS, fonts or images over HTTP.
Next step: Update theme code to use HTTPS or protocol-relative/WordPress functions.
Plugin loads insecure resources
MediumA plugin includes external scripts, styles or images over HTTP.
Next step: Update plugin settings, replace the plugin or contact the developer.
CDN URL uses HTTP
HighAssets load from an HTTP CDN hostname.
Next step: Update CDN configuration and plugin CDN URL to HTTPS.
CSS background images use HTTP
MediumBackground images inside CSS files still point to HTTP.
Next step: Update CSS, theme options or generated builder CSS.
External embed uses HTTP
MediumIframe, video, map or widget loads insecurely.
Next step: Replace with HTTPS embed URL or remove unsupported embed.
Cache still serves old HTTP links
LowOld cached HTML contains insecure URLs after fixes.
Next step: Clear WordPress, plugin, CDN, server and browser cache.
Database replacement broke serialized data
HighUnsafe search-and-replace damaged serialized WordPress options.
Next step: Restore backup and use a WordPress-aware search-replace tool.
How to fix it
-
Step 1: Back up the website
Back up files and database before changing URLs.
-
Step 2: Confirm SSL works
Make sure the certificate is valid for the domain and HTTPS loads.
-
Step 3: Update WordPress URLs
Set WordPress Address and Site Address to HTTPS.
-
Step 4: Replace old internal URLs
Replace http://yourdomain.com with https://yourdomain.com using a safe WordPress-aware method.
-
Step 5: Fix page builder content
Update saved builder CSS, background images and generated assets.
-
Step 6: Check theme and plugins
Find hardcoded HTTP assets and update or replace them.
-
Step 7: Update CDN settings
Make sure CDN hostname and asset URLs use HTTPS.
-
Step 8: Clear all caches
Clear WordPress cache, plugin cache, server cache, CDN cache and browser cache.
-
Step 9: Re-test important pages
Check homepage, service pages, blog posts, forms, checkout and admin pages.
Example 1: Image mixed content
Page:
https://example.com/about
Browser console:
Mixed Content: The page was loaded over HTTPS, but requested an insecure image:
http://example.com/wp-content/uploads/team.jpg
Fix:
Replace image URL with:
https://example.com/wp-content/uploads/team.jpg
Example 2: CSS mixed content
CSS file contains:
background-image: url("http://example.com/wp-content/uploads/bg.jpg");
Fix:
Update generated CSS or theme option to HTTPS.
Example 3: Plugin script
HTML contains:
<script src="http://thirdparty.example/widget.js"></script>
Fix:
Use HTTPS version if provider supports it or remove/replace the widget.
Examples are illustrative. Always check whether external resources support HTTPS before replacing their URLs.
Search and replace
Many mixed content issues come from old URLs stored in the database.
Replace http://example.com with https://example.com for your own domain.
Important: Use tools that understand WordPress serialized data. A normal raw database replace can break serialized options.
- WP-CLI search-replace
- trusted migration plugin
- database tool that supports serialized data
- staging environment before production
- full database backup before replacement
Avoid replacing every http:// URL globally because external websites may not support HTTPS.
WP-CLI examples
Dry run first:
wp search-replace 'http://example.com' 'https://example.com' --all-tables --dry-run
Run replacement:
wp search-replace 'http://example.com' 'https://example.com' --all-tables
Skip GUID column:
wp search-replace 'http://example.com' 'https://example.com' --all-tables --skip-columns=guid
Check current site URLs:
wp option get home
wp option get siteurl
Update site URLs:
wp option update home 'https://example.com'
wp option update siteurl 'https://example.com'
Examples are illustrative. Replace example.com with your real domain. Back up the database first and test on staging where possible.
Theme and plugins
Some mixed content comes from code, not database content.
Check:
- header.php
- footer.php
- functions.php
- theme options
- custom CSS
- custom JavaScript
- plugin settings
- tracking scripts
- embedded widgets
- page builder generated files
- child theme files
Look for http:// hardcoded URLs, old CDN URLs, insecure font URLs, insecure script URLs and insecure iframe embeds.
Use WordPress functions like wp_enqueue_script and wp_enqueue_style where possible instead of hardcoding asset URLs.
Page builders can store image URLs, background images and generated CSS separately.
- section background images
- widget image URLs
- custom CSS
- global theme styles
- generated CSS files
- template library items
- header/footer builder
- popup templates
- form embeds
Some builders have a “replace URL” or “regenerate CSS” option that helps after HTTPS migration.
CDN and cache
CDN and caching layers can keep mixed content visible even after WordPress is fixed.
Check:
- CDN URL uses HTTPS
- CDN certificate is valid
- CDN rewrite rules
- cache plugin CDN settings
- image optimization CDN
- static asset cache
- full-page cache
- generated CSS cache
- browser cache
- server cache
After fixing URLs, purge CDN and WordPress cache before testing again.
Frequently asked questions
What is mixed content?
Mixed content happens when an HTTPS page loads some resources over HTTP.
Why does WordPress have mixed content after SSL?
Old HTTP URLs may remain in posts, pages, options, theme files, plugins, CSS, CDN settings or cache.
Does a valid SSL certificate fix mixed content?
No. SSL secures the main domain, but page resources must also load over HTTPS.
Can mixed content break my site?
Yes. Browsers may block scripts, styles or iframes, which can break layout or functionality.
Can I replace all http:// URLs with https://?
Only for resources that support HTTPS, especially your own domain. Avoid blind global replacements across unrelated external URLs.
Why does mixed content remain after I fixed URLs?
Cache, CDN, generated CSS, page builder files or plugin settings may still contain old HTTP links.
What should I check first?
Check browser console, WordPress Address/Site Address, old media URLs, page builder content, CDN settings and cache.
Related tools
Use these free tools to verify your configuration after applying changes.
Related guides
Browse all Website Health guides →Need help applying this fix?
Send us your domain, report link or issue details. CheckDomainHealth will review the request and route it to the right technical team if hands-on support is needed.
Was this guide helpful?
Your feedback helps us improve our guides for everyone.
Thanks for your feedback!