.svg?alt=media&token=344acf91-664d-4352-83aa-4526aff83cea)
How to Fix a Mixed Content Warning on Your Website
PreviousWhat Is Localhost? And How Does It Apply to WordPress?NextHow to Fix the "Connection Timed Out" Error in WordPress
Last updated
Was this helpful?
Last updated
Was this helpful?
A mixed content warning occurs when a website that is supposed to be loaded over a secure HTTPS connection contains resources—such as images, scripts, or stylesheets—that are still being loaded over an insecure HTTP connection. This can cause security issues and prevent a site from being fully secured. Browsers like Google Chrome, Mozilla Firefox, and Microsoft Edge display a mixed content warning to notify users of potential security risks.
Even if your website has an SSL certificate installed, some elements might still be referenced using an HTTP URL. This often happens due to:
Old links hardcoded in the website’s source code
Content management system (CMS) settings not updated to HTTPS
External resources (images, scripts, or stylesheets) not available over HTTPS
Incorrect website configuration
To maintain security and prevent mixed content warnings, you should ensure all resources load over HTTPS.
Below are step-by-step instructions to resolve mixed content issues.
If the site’s URL is still set to HTTP, the website will try to load assets over an insecure connection.
How to Update the Configuration File:
Open your website’s configuration file (e.g., wp-config.php).
Look for entries similar to the following: define('WP_HOME', 'http://yourwebsite.com');
define('WP_SITEURL', 'http://yourwebsite.com');
Replace http:// with https://: define('WP_HOME', 'https://yourwebsite.com');
define('WP_SITEURL', 'https://yourwebsite.com');
Save the file and refresh your website to check if the warning disappears.
If the issue persists, check your source code for hardcoded HTTP links.
Steps to Find and Replace HTTP Links:
Open your browser's Developer Tools (press F12 or Ctrl + Shift + I in Chrome and Firefox).
Navigate to the Console tab and look for mixed content warnings.
Copy and search for the reported insecure URLs in your website’s source code.
Open the corresponding file in a text editor or file manager and replace http:// with https://.
Save the changes and refresh the website.
A tool like Why No Padlock can help identify insecure resources.
Visit Why No Padlock.
Enter your website’s URL and scan for mixed content issues.
Check the results and fix the insecure links manually or update external resources to HTTPS versions.
If your site runs on WordPress or another CMS, mixed content may be caused by database entries.
Updating URLs in WordPress Database:
Install and activate the Better Search Replace plugin.
Run a search for http://yourwebsite.com and replace it with https://yourwebsite.com.
Apply changes and verify if the issue is resolved.
Alternatively, run the following SQL query in phpMyAdmin:
UPDATE wp_posts SET post_content = REPLACE(post_content, 'http://yourwebsite.com', 'https://yourwebsite.com');
For Nginx, add this directive to the configuration file:
add_header Content-Security-Policy "upgrade-insecure-requests";
After making these changes, clear your website cache to ensure the updates take effect:
Clear browser cache.
Clear website cache.
If using Cloudflare or another CDN, purge its cache.
Test your website in an incognito/private browsing window to confirm the mixed content warning is resolved.
A mixed content warning is a sign that some elements of your website are being loaded over an insecure connection, even when an SSL certificate is active. By following these steps—checking configuration files, updating hardcoded HTTP links, scanning with online tools, forcing HTTPS via Nginx and clearing cache—you can resolve the issue and ensure your website is fully secure.
Taking these steps will not only improve website security but also enhance SEO rankings and user trust, ensuring a safe browsing experience for your visitors.
