Migrating a website to HTTPS is an important step to enhance security, but often leads to frustrating mixed content errors. These warnings appear when a secure page tries to load insecure HTTP resources, compromising the encrypted connection.
Fixing mixed content in WordPress is crucial for maintaining visitor trust and confidence as well as optimizing your search engine rankings. This guide will explain what causes the mixed content error, identify affected resources, and provide steps to eliminate mixed content for good.
What Causes Mixed Content Warnings?
Mixed content occurs when a webpage served over HTTPS tries to load additional sub-resources using the unsecured HTTP protocol. This violates the security of the encrypted connection. For example:
- A blog post image linking to http://example.com/image.jpg
- A CSS stylesheet served from a http:// URL
- External script linking to a JavaScript file via HTTP
The webpage is secure but these unencrypted elements cause mixed content warnings.
Dangers of Mixed Content in WordPress
Allowing mixed content can negatively impact your WordPress site in a few ways:
- Security Risk – Mixed resources can be intercepted or modified during transfer over HTTP.
- Browser Warnings – Chrome, Firefox, and other browsers will display warnings about unsecure resources being loaded.
- SEO Issues – Search engine crawlers may index the unsecure URL versions of pages instead of HTTPS.
- Privacy Problems – HTTP requests can reveal information about pages visited to third parties.
- Failed Resources – Some browsers block unsecure content, so images/scripts won’t load.
Overall, mixed content undermines the added security you gain by migrating to HTTPS.
Identifying Mixed Content in WordPress
To locate the source of mixed content, you can:
- Check for browser warnings – Load pages in a private browsing session and watch for errors in the URL bar.
- Use developer tools – The network panel in dev tools shows each resource loaded and its protocol.
- Try a scanning tool – WordPress plugins like Really Simple SSL can scan and detect mixed content.
- Review page source code – Manually search for “http:” references in the source of affected pages.
- Check common places – Scan embeds, images, scripts, stylesheets, and hyperlinks for issues.
Finding all mixed content is the first step toward rectifying the problems.
How to Fix Mixed Content in WordPress
Once you’ve identified the offending HTTP resources causing mixed content, here are ways to fix it:
Update URL References to HTTPS
Edit all sources linking to HTTP resources and replace http:// with https:// to load them securely instead. This includes:
- Linked images, videos, documents
- External scripts and stylesheets
- Hyperlinks pointing to other sites
- Iframes and embedded content
- Bulk find/replace plugins can help update URLs across all content.
Move Resources to HTTPS Domain
For mixed content on your own site, migrate resources like images and scripts to subdirectories on your main HTTPS domain. Update references to point to the new HTTPS URLs.
Use Protocol Relative URLs
Update links to use protocol-relative formats like //example.com/image.jpg. This avoids specifying HTTP or HTTPS and prevents mixed content.
Reload Resources via .htaccess
For external resources, you can redirect HTTP URLs to their HTTPS versions using .htaccess rewrite rules. This forces HTTPS loading.
Plugin Updates or Disabling Plugins
Outdated WordPress plugins that generate links may need updates to output secure HTTPS URLs. Alternatively, deactivate or remove problem plugins.
Contact Third Party Site Owners
If mixed content comes from an external site, notify that site owner so they can migrate resources to HTTPS URLs.
With persistence, you can track down and eliminate all sources of mixed content.
Avoiding Recurring Mixed Content Problems
Take these steps to prevent mixed content issues from cropping up again in the future:
- Update your content creation processes and workflows to always use HTTPS by default.
- Review your site templates and theme files to replace hardcoded HTTP references with protocol-relative or HTTPS versions.
- In the CMS editor settings, disable auto-linking for URLs since they default to HTTP.
- For embedded third-party content, use their secure embed code options if available.
- If you swap domains, update all redirects to HTTPS versions.
- Regularly scan your site for new mixed content as part of maintenance.
- Keep WordPress and all plugins/themes updated to the latest secure versions.
Being vigilant about serving only encrypted resources will keep your WordPress site’s connections consistently secure.
Conclusion
Eliminating mixed content requires diligence to locate unsecured resources, update links to HTTPS, move files to secure locations, and prevent new issues from appearing.
While mixed content errors can undermine site security and visitor confidence at first, with concerted effort, webmasters can successfully shift their WordPress sites to serving 100% encrypted content.
Following these best practices will ensure your website connections remain private without disruptive warnings. Migrating fully to HTTPS protects website visitors and keeps your WordPress site secure in the future.
