Error rescue

WordPress Mixed Content Warning After SSL: Fix (2026)

By Ali Yasin Jatoi 5 min readUpdated July 2, 2026
Reviewed by Ali Yasin Jatoi, Founder & Lead Engineer· Updated July 2, 2026

Quick answer

The mixed content warning means your page loaded over HTTPS but at least one asset (image, script, stylesheet, iframe) is still requested over HTTP. Fix by (1) running Better Search Replace to change `http://yourdomain` to `https://yourdomain` across all tables, (2) forcing HTTPS in wp-config with `define('FORCE_SSL_ADMIN', true)`, (3) auditing hard-coded HTTP URLs in theme files and page-builder widgets, (4) adding an `upgrade-insecure-requests` CSP header as a safety net.

Find every insecure asset first

Open Chrome DevTools → Console on the affected page. Every mixed content warning names the exact URL that failed. Screenshot the list — that is your fix backlog.

Also open the Security tab (⋮ → More tools → Security). It shows the origins Chrome flagged, grouped by type (image, script, XHR).

Fix #1 — Rewrite the database

Install Better Search Replace. Search for `http://yourdomain.com` and replace with `https://yourdomain.com`. Run a dry run first, then execute against all tables. This catches image URLs stored in post content, options, meta, and widget serialised data.

Prefer we just fix it?

This is the exact pattern our security team hardens against — malware removal, salt rotation, firewall tuning, and a post-cleanup audit. Flat-fee, one week to complete. Learn more about WordPress security cleanup & hardening or grab a slot below.

Fix #2 — Hard-coded plugin and theme URLs

Some themes and page-builder widgets hard-code HTTP URLs in template files. Grep the theme folder: `grep -r "http://" wp-content/themes/<yourtheme>/`. Every hit is either a legitimate external link or an asset URL you need to switch to `https://` (or a protocol-relative `//`).

Elementor and Divi sometimes store asset URLs in their own CSS caches — regenerate CSS after the search-replace (Elementor → Tools → Regenerate CSS).

Fix #3 — CSP upgrade-insecure-requests

Add this header via your host, Cloudflare, or a plugin like Really Simple SSL: `Content-Security-Policy: upgrade-insecure-requests`. Browsers will silently upgrade HTTP asset requests to HTTPS, killing the warning even if a stray URL slips through.

This is a safety net, not a replacement for fixing the source. Cached third-party CDNs may still fail to upgrade.

When to call for help

If the warning persists after search-replace and cache purges, the culprit is usually a page-builder cache or an external service (Cloudflare, third-party embed). Our SSL migration audit resolves persistent mixed content in under an hour — flat $99.

Common questions

Why does WordPress show mixed content after installing SSL?+

Your database still contains HTTP URLs from before the migration — post content, image src attributes, widget data, plugin options. Browsers refuse to load HTTP assets on an HTTPS page and flag it as mixed content. Fix with a full database search-replace.

Is mixed content bad for SEO?+

Yes. Chrome shows a 'Not Secure' warning that kills conversions, and Google treats mixed content as a signal of a poorly maintained site. It also breaks lazy-loaded images and can prevent form submissions on strict CSP setups.

Can I just use Really Simple SSL?+

Really Simple SSL rewrites URLs on the fly, which fixes the symptom but adds runtime overhead on every request. For a permanent fix, run Better Search Replace once and then remove the plugin. Keep the plugin only if you can't touch the database.

How do I fix mixed content from external sources?+

If the external asset (a font, script, or embed) is only available over HTTP, contact the provider or self-host the asset. As a safety net, add `Content-Security-Policy: upgrade-insecure-requests` — browsers will upgrade compatible URLs automatically.

Want help with this?

The pages below go deeper, by service and by city.

Want this handled for you?

Book a call and we will review your site before recommending anything.

Call Book a call