Mixed Content Warning

Elena Rodriguez

Symptoms

Your site has an SSL certificate, you switched to HTTPS, and yet the browser is screaming “Not Secure” at your visitors. That’s a mixed content warning — your page loads over HTTPS but some resources (images, scripts, stylesheets) are still being requested over plain HTTP. Browsers block or flag those insecure requests, and your site looks broken or untrustworthy as a result.

What Causes a Mixed Content Warning?

  1. Hardcoded HTTP URLs in your database — The most common culprit. Your content, widget text, and theme options still reference http://yourdomain.com from before the SSL migration.
  2. Theme or plugin assets loaded over HTTP — Poorly coded themes or plugins that hardcode http:// URLs instead of using esc_url() or protocol-relative paths.
  3. WordPress Address and Site URL not updated — The WordPress Address and Site Address in Settings > General still point to http:// instead of https://.
  4. External resources served over HTTP — Third-party fonts, analytics scripts, or embedded iframes that only support HTTP or were hardcoded that way.
  5. CDN not configured for HTTPS — Your CDN is still serving assets over HTTP, or the CDN URL in your caching plugin uses the old protocol.

How to Fix It

Step 1: Identify the Mixed Content

Open your site in Chrome, right-click, and hit Inspect > Console. Every mixed content error will be listed there with the exact URL that’s causing the problem. Note these down — you need to know whether this is a database issue, a theme issue, or an external resource.
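The same triage can be run over a page's saved HTML. This is an added example, not code from the original article: it lists every subresource requested over plain HTTP, marks whether browsers block it (active) or flag it (passive), and separates your own host (a database or theme issue) from external resources. The function names, hostnames, and sample markup are constructed, and the regex scan only covers quoted `src`/`href` attributes.

```javascript
// Added example. Regex scan of quoted attributes, not a full HTML parser.
// Tags that fetch a subresource: tag -> [URL attribute, mixed-content class].
// <a href> is navigation, not a subresource load, so it is not listed.
const LOADERS = new Map([
  ['script', ['src', 'active']],   // active: browsers block these
  ['iframe', ['src', 'active']],
  ['link', ['href', 'active']],    // counted only when rel includes "stylesheet"
  ['img', ['src', 'passive']],     // passive: flagged or auto-upgraded
  ['audio', ['src', 'passive']],
  ['video', ['src', 'passive']],
  ['source', ['src', 'passive']],
]);

function getAttr(tag, name) {
  const m = tag.match(new RegExp(`\\s${name}\\s*=\\s*["']([^"']*)["']`, 'i'));
  return m ? m[1].trim() : null;
}

function hostOf(url) {
  try { return new URL(url).hostname; } catch { return null; }
}

// siteHost is the site's own hostname (hypothetical parameter name).
function findMixedContent(html, siteHost) {
  const findings = [];
  for (const [tag, rawName] of html.matchAll(/<([a-z0-9]+)\b[^>]*>/gi)) {
    const name = rawName.toLowerCase();
    if (!LOADERS.has(name)) continue;
    const [attr, kind] = LOADERS.get(name);
    if (name === 'link' && !/stylesheet/i.test(getAttr(tag, 'rel') || '')) continue;
    const url = getAttr(tag, attr);
    if (!url || !/^http:\/\//i.test(url)) continue; // https and relative URLs pass
    // Own-host URLs come from the database or theme; other hosts are external.
    const origin = hostOf(url) === siteHost ? 'own-site' : 'external';
    findings.push({ tag: name, url, kind, origin });
  }
  return findings;
}

// Constructed sample markup for a site hosted at example.com.
const SAMPLE_HTML = `
<link rel="stylesheet" href="http://example.com/wp-content/themes/demo/style.css">
<link rel="canonical" href="http://example.com/">
<script src="https://example.com/wp-includes/js/jquery.js"></script>
<script src="http://cdn.example.net/tracker.js"></script>
<img src="http://example.com/wp-content/uploads/logo.png" alt="">
<a href="http://example.com/about/">About</a>
<iframe src="http://videos.example.org/embed/1"></iframe>`;

console.table(findMixedContent(SAMPLE_HTML, 'example.com'));
```

The canonical link and the `<a>` tag are skipped because neither triggers a subresource fetch, so they never produce a mixed content error.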

You can also use WP-CLI to search your database for HTTP references: