Scroll to top
USA
651 N Broad St, Suite 206,
MiddleTown, New Castle,
Delaware - 19709
Canada
635 Ashprior Avenue,
Mississauga, Ontario,
Canada - L5R3N6
India
34, Shiwanshu Bunglows
Vadodara, Gujarat - 390007

The Ultimate Guide of Mixed Content SSL Warnings in WordPress (2021)

93 / 100

Are you tense whether your site is secured or not? Do you own an SSL Certificate? If you have added the SSL Certificate then you can witness a lock symbol in the URL bar of your website. By doing so, you might often come across a problem named Mixed Content. Are you excited to learn more about this in detail? Then just keep reading because I am going to take you through some of these issues and their solutions to make your life easy. 

Let’s begin with learning about Mixed Content first.

What is a Mixed Content?

Mixed Content means that the site is being requested over a secured URL, however, some of your assets are not being loaded over the SSL. Confused? Let me explain to you in simple words.

While you access a Web Application from an HTTPS Load Balancer and HTTP on the backend, the site cannot be seen correctly, report Mixed Content warning in the Browser. This is generally caused by the responses from the backend Web Application containing Absolute links pointing to HTTP resources.

You might come across mixed content when both HTTPS and HTTP scripts or files are loaded at the same time by the WordPress platform. You can’t load both because they are two different protocols. When you plan to switch over HTTPS from HTTP then you need to have everything in HTTPS. For example, If you are using an Android Phone, then all the applications on your phone are of android. You cannot have an iOS application on your phone. Right? Similarly when you use HTTPS then everything has to be in HTTPS format. Simple, isn’t it?

Root Cause of the Mixed Content Warning

I have found that the most popular time mixed content alerts appear right after anyone migrates from HTTP to HTTPS to their WordPress account. HTTP links are carried over and this allows alerts of mixed material to begin shooting. Another explanation could be you simply added a new service or plugin.

I have enlisted some of the examples that depict the cause of these warnings:

  1. The developers of the plugins make use of absolute paths.
  2. The URL of the images is hardcoded.
  3. Video scripts are embedded by using HTTP instead of HTTPs.
  4. Your CSS or JS files include external links.

What is an SSL Certificate?

Secure Sockets Layer (SSL) is a standard security technology for establishing an encrypted link between a server and a client—typically a web server (website) and a browser, or a mail server and a mail client.

SSL Certificate

SSL allows sensitive information such as credit card numbers, social security numbers, and login credentials to be transmitted securely.

Normally, data sent between browsers and web servers is sent in plain text—leaving you vulnerable to eavesdropping. If an attacker can intercept all data being sent between a browser and a web server, they can see and use that information.

Based on the Secure Sockets Layer protocol developed by Netscape, SSL certificates use a cryptographic key to provide validation for a Web server, detailing its domain name, server name, hostname, company name, and location.

More specifically, SSL is a security protocol. Protocols describe how algorithms should be used. In this case, the SSL protocol determines the variables of the encryption for both the link and the data being transmitted.

All browsers can interact with secured web servers using the SSL protocol. However, the browser and the server need what is called an SSL Certificate to be able to establish a secure connection.

Most SSL certificates today also support the Transport Layer Security (TLS) protocol, which is considered to be more secure than SSL. They are used for establishing authenticated and encrypted links between networked computers.

SSL/TLS Web secure Browsing

The most common and well-known use of SSL/TLS is secure web browsing via the HTTPS protocol. A properly-configured public HTTPS website includes an SSL/TLS certificate that is signed by a publicly trusted CA. Users visiting an HTTPS website can be assured of:

Authenticity:

The server presenting the certificate has the private key that matches the public key in the certificate.

Integrity:

Documents signed by the certificate (e.g. web pages) have not been altered in transit by a man in the middle.

Encryption:

Communication between the client and the server is encrypted.

Importance of SSL Certificates for WordPress sites

SSL certificates are relevant for several reasons. Google introduced the use of HTTPS as a ranking parameter for its Search Engine Results Pages ( SERPs), along with site speed, to begin with. Using an SSL certificate will also help increase your rankings and enhance search engine optimization ( SEO). 

your connection is not private 2 1

SSL certificates can also help to lower abandonment rates for carts. Getting a green padlock icon with a “Secure Connection” message in the address bar helps gain the trust of the visitors. When buying the goods consumers will be more secure as there is less worry about data theft.

WordPress also officially recommends SSL Certificates. The co-founder of the platform, Matt Mullenweg, announced that WordPress would suggest only hosting providers with SSL-secured WordPress

Most importantly, HTTPS may be preventing browsers from displaying security warnings on your WordPress site, which could deter visitors.

In 2018, Google Chrome announced that a “non-secure” warning on sites using HTTP would start showing up.  Your visitors will not see this warning by having an SSL certificate and will be more likely to trust your site if they have an SSL certificate.

Ways to Get Your SSL Certificate For WordPress Site

There are very few ways available by which you can get your SSL Certificate. One of the methods is to go through Let’s Encrypt. It is a free domain SSL Certificate Authority Provider which is backed by ISRG i.e Internet Security Research Group.

It is recommended that you consult with your host for precise specifications and instructions on installing SSL certificates. However, most hosting services provide free support for their plans, with one-click Let’s Encrypt installation. 

If your host doesn’t provide an installation solution with a single click, you can also manually add a Let’s Encrypt certificate to your account. To do so, you will need a full server and shell access control, as well as the CertBot ACME, installed on your computer.

Another option is to use an online tool such as SSL For Free, which eliminates the complexity of installing an SSL certificate.

Just enter the URL of your domain, and follow the steps given. This is much simpler than the manual process and will only take about ten minutes to complete. 

For Complete SSL Installation Guide, check out out blog article: https://wpuber.com/how-to-get-an-ssl-certificate/

Unfortunately, there are some cases where, even after installing your SSL certificate, you can still see a “not secure” alert. If your settings are misconfigured it can cause a variety of problems, including mixed content alerts for WordPress.

Identify WordPress Mixed Content Warnings

You can identify mixed content errors on your WordPress site in multiple ways and, more specifically, which assets are loaded over HTTP. The first is to use Chrome DevTools to check them manually.  

To do this, go to Google Chrome and open your site on it. Then the page that gives you a warning just right-clicks on it. Once this is done, select Inspect. You can see all the warnings that are not secure under the console tab. The mixed content warnings will be displayed in yellow color.

If it is just one or two items that you need to fix, you can go to the page or post where to fix the problem. However, if your WordPress site has a lot of mixed content issues, solving them manually isn’t the easiest way. You can use an SSL check by Jitbit for this.

Once you have identified your mixed content warnings, it’s time to fix them. So let’s see how this is done.

Fix Mixed Content Warnings in WordPress

If you see mixed alerts of content on your WordPress site, it’s important to fix them as soon as possible. These errors can also affect the User Experience ( UX) and SEO of your web, in addition to making your site look untrustworthy to visitors.

So let’s take a look as to how we can solve this.

Read below some of the steps that will help in fixing your mixed content warnings.

  1. Be sure that you are using a Valid SSL Certificate
  2. Change the URL from HTTP to HTTPS
  3. To redirect HTTP to HTTPS set a rule
  4. Search and Replace to Update Links

Be sure that you are using a Valid SSL Certificate

Installing an SSL certificate is a vital part of protecting your site as we have mentioned. It’s also necessary, though, to ensure it’s true and stay up-to-date.

Let’s have Encrypt certificates that have a ninety-day default expiry. You must periodically update yours for it to continue to work properly. There are a few hosting providers that have an integrated function to automatically renew SSL certificates. This is not always the case, however.

Thus, whether you have recently introduced an SSL certificate on your website, there is a risk that it will expire. Although this is not the source of mixed content alerts for WordPress, it is worth finding out.

Click on the information icon which appears where the padlock should be in the address bar of your browser to decide the status of your SSL certificate. Then choose Certificate (Valid).

You can check the details and information about your SSL certificate in the Certificate Viewer which opens.  This includes both the dates of issue and expiry.

Certificate Information

Verify that your certificate is not revoked. If it has, consult with your hosting company or the CA about how to update it.

Change the URL from HTTP to HTTPS

If even after installing a valid SSL certificate, you are still dealing with WordPress mixed content warnings, the integration may not have been properly configured for HTTPS encryption.

So the next step is to change your URLs in WordPress from HTTP to HTTPS. Log in to your dashboard to do this, and navigate to Settings > General

HTTP to HTTPS

Then replace HTTP with HTTPS in the WordPress and Site address.

HTTP to HTTPS

Click the Save Changes button at the bottom of the screen once you’re done. Now you should serve every URL of your WordPress site via HTTPS.

However, no HTTPS pages will be served to users who access your site via a link using ‘http://yoursite.com’ or who type “HTTP” into their browsers when they navigate to your site. So you need to set a rule for redirecting HTTP to HTTPS.

To redirect HTTP to HTTPS set a rule

Another problem that can trigger WordPress mixed content alerts on your site is if you have never introduced redirects to take visitors automatically to the protected version of your pages. To do that, you need to include a rule in the .htaccess file of your site that will require WordPress to use HTTPS.

You can do this with a script, or manually. Let’s begin with the manual process. 

First, you will need to access the files of your site through the File Manager tool of your web host, or using the File Transfer Protocol ( FTP) and an FTP client. Navigate to the directory containing core files for WordPress (usually public_html) and right-click the.htaccess file. Click on Edit.

Within the file, place the following lines of code:

IfModule mod_rewrite.c>
RewriteEngine On
RewriteCond %{SERVER_PORT} 80
RewriteRule ^(.*)$ https://www.mysite.com/$1 [R,L]

Make sure to replace ‘https://www.mysite.com with’ your domain.
The above rule is for Apache servers. If your hosting provider uses NGINX, add this rule instead:
server {
listen 80;
server_name yoursite.com www.yoursite.com;
return 301 https://yoursite.com$request_uri;
}

Again, make sure to replace your domain with ‘your site,’ and change the port if your provider already uses a different one. Contact your host if you are unsure which rule you can use. 

If you are not familiar with the.htaccess file, instead you can use a WP Force SSL plugin. This plugin automatically forces SSL on every page of your WordPress blog. You can find its settings from your dashboard after you install and trigger it, by going to Settings > Force SSL.

Search Replace to Update Links

The next move is to update the links and content inside your WordPress database to replace any HTTP instances with HTTPS. The most effective way to do this is to use a plugin like Better Replace Search.

Once you install this onto your WordPress site, then go to Tools and select Better Search Replace. In the search field add the HTTP version of your site and in the replace field add the HTTPS version.

HTTP to HTTPS using SSL Certificate

Select all the tools as shown below and de-select the Run as Dry option.

HTTP secure

Once this is done, then click the Run Search/Replace button at the bottom of the screen. Clear the cache of your browser and revisit your website, the warnings will now be gone.

Change the Image URLs from HTTP to HTTPS

As you might know, WordPress’s mixed content alerts can be triggered by image URLs and other media assets with absolute HTTP linkages. If a plugin like Better Search Replace has not been successful in updating your image URLs, you can also remove them by running a search for the database and replacing the query. 

Log in to your hosting account to do this, and open phpMyAdmin. Select your WordPress database and then click on the SQL tab.

In the SQL query, write the following:

UPDATE wp_posts SET post_content=(REPLACE (post_content, ‘’,'’));

Ensure that you replace the old URL and new URL with your domain HTTP and HTTPS respectively. Then click on the go button. Once it is done, you can paste all the content and images with the new HTTPS URL. You can clear your cache and revisit your website to confirm that the mixed content warnings of WordPress are resolved.

Top WordPress Mixed Content Plugins

Inspecting, enforcing, and addressing mixed WordPress content alerts manually can be a time-consuming process. Fortunately, there are several mixed content plugins in WordPress that can help streamline the method. We have already listed a few in the above measures, but here are a few others that you may find useful.

Really Simple SSL

Really Simple SSL automatically configures your site to run over HTTPS. You need to enable SSL through your host and sit back and enjoy it.

It also enables .htaccess redirects and changes your website address to HTTPS. Really Simple SSL fixes the mixed content warnings that you might expect.

SSL Insecure Content Fixer

SSL Insecure Content Fixer is a free plugin that you can use to solve the mixed content warnings. It automatically detects the insecure content on your website. 

Conclusion

Since Google has added HTTPS as a ranking factor and has started to mark sites without “not secure” SSL certificates, it is recommended that you protect your WordPress site by installing one. However, it’s important to properly configure your site for HTTPS encryption to prevent and solve WordPress mixed content warnings.

As we have already discussed in the article that by following these four steps you can easily resolve the mixed content warnings:
  1. Be sure that you are using a Valid SSL Certificate
  2. Change the URL from HTTP to HTTPS
  3. To redirect HTTP to HTTPS set a rule.
  4. Search and Replace to Update Links

Also by adding an SSL certificate can boost your WordPress site security. So I hope that this article gives you all the insights of the mixed content solution and makes your life easier.

Author avatar
Tim Michaels
I am into WordPress and web development for the last 10 years. I use my experience to help people just starting with WordPress. Follow my blog at WP Uber for everything related to WordPress.
We use cookies to give you the best experience.
Do NOT follow this link or you will be banned from the site!