Fixing Mixed Content Issues (HTTP Resources on HTTPS Page)

What Is Mixed Content?

Mixed content occurs when a webpage is loaded over a secure HTTPS connection, but some of its resources (images, scripts, stylesheets, fonts, iframes, etc.) are still being loaded over insecure HTTP. Modern browsers block or warn about these requests, which can cause broken images, missing styles, non-functioning scripts, and browser "Not Secure" warnings.

A typical browser console error looks like this:

Mixed Content: The page at 'https://example.com/' was loaded over HTTPS,
but requested an insecure resource 'http://example.com/wp-content/uploads/image.jpg'.
This request has been blocked; the content must be served over HTTPS.

Common Causes

• Hardcoded http:// URLs in your site's content, theme files, or plugin settings.
• Image or media URLs saved to the database with http:// before the site was migrated to HTTPS.
• Third-party resources (fonts, scripts, embeds) referenced over HTTP.
• A missing or incomplete HTTP-to-HTTPS redirect on the server.

Solution 1: Really Simple SSL Plugin (WordPress)

The Really Simple SSL plugin is the fastest way to resolve mixed content on a WordPress site. It automatically detects your SSL certificate, updates your site URL, and fixes most mixed content issues dynamically.

Steps

1. Log in to your WordPress admin dashboard.
2. Navigate to Plugins → Add New.
3. Search for Really Simple SSL and click Install Now, then Activate.
4. You will see a prompt: "Almost ready to migrate to SSL!" — Click "Go ahead, activate SSL!"
5. The plugin will automatically:
   • Set your WordPress Address and Site Address to https://.
   • Add a server-level redirect from HTTP to HTTPS.
   • Dynamically replace http:// references with https:// in your page output.

After Activation

• Clear any caching plugins (WP Super Cache, W3 Total Cache, LiteSpeed Cache, etc.) and any server-side or CDN caches.
• Visit your site and check the browser address bar for a padlock icon.
• If you still see mixed content warnings, go to Settings → SSL in WordPress and review the plugin's scan results, which will identify the remaining insecure URLs.

Important Notes

• The free version handles most cases. The Pro version adds more advanced scanning and fixing features.
• The plugin fixes content on output, meaning it does not modify your database directly. This is safer, but it means the underlying http:// URLs still exist in your database. If you later deactivate the plugin without first doing a database search-and-replace, mixed content will return.
• For a permanent database fix, use a tool like Better Search Replace to find all instances of http://yourdomain.com and replace them with https://yourdomain.com.

Solution 2: .htaccess Redirect Rule

If you are on an Apache-based hosting environment (most cPanel and DirectAdmin servers), you can force all HTTP traffic to HTTPS using an .htaccess rule. This ensures that any resource requested over HTTP is automatically redirected to HTTPS.

Steps

1. Connect to your site via File Manager in cPanel or via SFTP/SSH.
2. Open (or create) the .htaccess file in your site's document root (usually public_html/).
3. Add the following lines at the very top of the file, before any existing rules:

RewriteEngine On
RewriteCond %{HTTPS} !=on
RewriteRule ^(.*)$ https://%{HTTP_HOST}/$1 [R=301,L]

4. Save the file.

What This Does

• RewriteEngine On — Enables Apache's URL rewriting engine.
• RewriteCond %{HTTPS} !=on — Checks whether the current request is NOT using HTTPS.
• RewriteRule ^(.*)$ https://%{HTTP_HOST}/$1 [R=301,L] — Redirects the request to the same URL but over HTTPS, using a 301 (permanent) redirect.

Important Notes

• This redirect handles requests to the server, but it does not fix hardcoded http:// URLs within your HTML or database. If your page source contains http://yourdomain.com/image.jpg, the browser will first try to load it over HTTP, get redirected to HTTPS, and then load it. This creates an unnecessary extra request. In some cases, browsers may still flag a mixed content warning before following the redirect.
• For WordPress sites, combine this .htaccess rule with either the Really Simple SSL plugin or a search-and-replace on the database for best results.
• If your server uses LiteSpeed (common on cPanel), the same .htaccess rules apply — LiteSpeed is compatible with Apache rewrite rules.

Verifying the Fix

After applying either solution:

1. Visit your site in a browser and confirm the padlock icon appears in the address bar.
2. Open Developer Tools (F12) → Console tab and look for any remaining mixed content warnings.
3. Use an online checker such as Why No Padlock or JitBit SSL Checker to scan for insecure resources.
4. Test multiple pages — mixed content issues can be page-specific, especially on WordPress where individual posts may contain hardcoded HTTP image URLs.

Still Having Issues?

If mixed content persists after trying the above solutions, the insecure URLs are likely hard coded in your site's database or theme files. Contact our support team and we can help you investigate further.