After switching a site to HTTPS, you may see a warning in the browser address bar — "Not fully secure," a crossed-out padlock, or a console message about "mixed content." This happens when an HTTPS page loads some resources (images, scripts, stylesheets) over plain HTTP. This article explains why it happens, how to find the culprits, and how to fix them.

Quick fix for WordPress sites: install and run the Better Search Replace plugin and replace http://yourdomain.com with https://yourdomain.com across all tables. That resolves 90% of mixed-content issues in under 5 minutes.

What mixed content means

When a browser loads a page over HTTPS, it expects every resource on that page — images, CSS, JavaScript, iframes, fonts, videos — to also be loaded over HTTPS. If any of them are referenced with an http:// URL instead of https://, the browser flags it as mixed content.

Browsers handle this two ways:

  • Passive mixed content (images, videos, audio) — usually loaded anyway, but the padlock icon is downgraded. No big visual break, just the "Not fully secure" warning.
  • Active mixed content (scripts, stylesheets, iframes, XHR/fetch) — blocked outright by modern browsers. This can cause visible breakage: missing fonts, unstyled pages, broken widgets, non-functional forms.

Either way, the fix is the same: find the http:// references and switch them to https://.

Find the mixed content

Browser developer tools

The fastest way to see exactly what's being blocked:

  1. Open your site in Chrome, Firefox, or Edge.
  2. Right-click anywhere on the page and choose Inspect (or press F12).
  3. Click the Console tab.
  4. Reload the page.

The console will list every mixed-content warning with the specific URL that's being loaded over HTTP. Common patterns:

  • Images hardcoded into pages or posts: <img src="http://yourdomain.com/wp-content/uploads/photo.jpg">
  • Third-party widgets loaded over HTTP: <script src="http://old-cdn.example.com/widget.js"></script>
  • Stylesheets loaded from a plugin that's using http://
  • Fonts or API calls to a service that hasn't been updated to HTTPS

Online scanners

If developer tools feel intimidating, whynopadlock.com scans your site and gives a plain-language list of the problems. Paste your URL, click Scan, and it'll tell you exactly which resources need fixing.

Fix WordPress sites

Most mixed content on WordPress comes from two sources: hardcoded URLs in post content (images, links) and plugin/theme settings that stored an HTTP URL.

Search-and-replace in the database

This is the fastest and most thorough fix. Install and activate the free Better Search Replace plugin from the WordPress plugin repository. Then:

  1. In WordPress admin, go to Tools → Better Search Replace.
  2. In Search for, enter http://yourdomain.com (use your actual domain).
  3. In Replace with, enter https://yourdomain.com.
  4. Select all tables on the left.
  5. Uncheck "Run as dry run" when you're ready to apply the change (run a dry run first to see what would change).
  6. Click Run Search/Replace.

Better Search Replace safely updates serialized WordPress data (widgets, plugin options stored as PHP arrays) that a simple database search-and-replace would corrupt. It handles tens of thousands of rows in seconds.
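Why a plain replace corrupts serialized data: PHP stores each string as s:<byte length>:"<value>";, so adding the one byte in "https" leaves the length prefix wrong and PHP's unserialize() rejects the value. The sketch below is an added example, not the plugin's code; the option value is constructed, the function names are hypothetical, and serialized data nested inside another serialized string is not handled.

```python
import re

_STR = re.compile(rb's:(\d+):"')  # start of a PHP serialized string token

def walk_strings(blob):
    """Yield (token_start, value, token_end) for each s:N:"value"; token.
    Raises ValueError when N does not match the bytes before the closing '";'."""
    pos = 0
    for m in _STR.finditer(blob):
        if m.start() < pos:
            continue  # this text sits inside a previous string's payload
        end = m.end() + int(m.group(1))
        if blob[end:end + 2] != b'";':
            raise ValueError("length prefix mismatch at offset %d" % m.start())
        pos = end + 2
        yield m.start(), blob[m.end():end], pos

def is_valid(blob):
    """True when every string token's length prefix matches its payload."""
    try:
        for _ in walk_strings(blob):
            pass
        return True
    except ValueError:
        return False

def aware_replace(blob, old, new):
    """Replace inside each string payload and rewrite its length prefix."""
    out, pos = [], 0
    for start, value, end in walk_strings(blob):
        value = value.replace(old, new)
        out += [blob[pos:start], b's:%d:"%s";' % (len(value), value)]
        pos = end
    out.append(blob[pos:])
    return b"".join(out)

# Constructed option value, as it might be stored in a WordPress options row
OLD, NEW = b"http://yourdomain.com", b"https://yourdomain.com"
SAMPLE = (b'a:2:{s:4:"logo";s:34:"http://yourdomain.com/img/logo.png";'
          b's:5:"title";s:4:"Home";}')
NAIVE = SAMPLE.replace(OLD, NEW)       # prefix still says 34, payload is 35
FIXED = aware_replace(SAMPLE, OLD, NEW)

if __name__ == "__main__":
    print("naive valid:", is_valid(NAIVE))
    print("aware valid:", is_valid(FIXED))
    print(FIXED.decode())
```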

Force HTTPS for future resources

After the search-and-replace, add a plugin like Really Simple SSL or SSL Insecure Content Fixer. These rewrite any remaining http:// URLs on the fly and enforce HTTPS on all pages going forward. They're particularly useful for catching mixed content that gets reintroduced by plugin updates or pasted-in content.

Check your theme's hardcoded URLs

Some themes include hardcoded http:// URLs in template files (especially older premium themes). If the database fix and an SSL plugin still leave you with mixed-content warnings, check your theme's functions.php and header.php for literal http:// strings and update them.

Fix non-WordPress sites

Static HTML sites

Use your editor's find-and-replace across the whole site folder to change http://yourdomain.com to https://yourdomain.com (and http://www.yourdomain.com to https://www.yourdomain.com). Re-upload the changed files via FTP or the File Manager.

Custom PHP / Laravel / framework sites

Look in your config files and environment variables for any hardcoded HTTP URLs:

  • Laravel: APP_URL in .env
  • Custom frameworks: often a SITE_URL or BASE_URL constant
  • Templates or views that use full URLs (http://yourdomain.com/image.jpg) instead of relative paths (/image.jpg)

Relative URLs (without the http:// or https:// prefix) automatically use whatever protocol the page is served over, so they're immune to mixed-content issues — a good habit for any site.

Force HTTPS with an .htaccess redirect

Once your site's content is clean, ensure every visitor reaches the HTTPS version automatically. Add this to your .htaccess file at the root of the site:

RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

For WordPress sites, Really Simple SSL sets this up for you. If you're already using cPanel's Force HTTPS Redirect option (in the Domains section), you don't need to add anything to .htaccess manually — it's handled at the server level.

Common third-party sources of mixed content

  • Google Fonts — if you have http://fonts.googleapis.com/... in your theme, change to https://.
  • YouTube / Vimeo embeds — older embed codes used HTTP. Newer embed codes from YouTube are https://.
  • Map widgets (Google Maps, Bing Maps) — same story.
  • Social media widgets (Twitter, Facebook) — old embed codes may be HTTP.
  • Analytics / tracking pixels — update the snippet from whichever service you use; all of them support HTTPS now.
  • Image CDNs — if you load images from a separate CDN, make sure the CDN has a valid SSL certificate and you're referencing it over HTTPS.


Still seeing a mixed-content warning? Open a support ticket
