Guide: Fixing WordPress mixed content errors — manually or via plugin

Are you switching WordPress to HTTPS? This can lead to so-called mixed content errors. Browsers such as Google Chrome then show your website as insecure or block it completely. We’ll show you several ways to fix mixed content errors with WordPress.

A mixed content error always occurs when HTTP resources are loaded on your site or a subpage, although the site should actually only be accessible via HTTPS.

Recognising mixed content errors

Your visitors’ browsers will then display the page as “not secure”. You can also very quickly recognise whether they may have a problem with mixed content by calling up your pages:

“Possibly” because the “not sure” display can also conceal other errors. I will analyse this in more detail in a moment.

A mixed content error looks dubious. It leads to many of your visitors cancelling. Google is increasingly blocking the delivery of websites with mixed content via its Chrome browser. Users do have the option to manually reload the blocked content. However, trust in your website will already be damaged.

Causes of mixed content in WordPress

You have already switched your website to SSL or HTTPS, but individual elements are still being loaded from HTTP sources? This may be due to the following reasons:

• Scripts such as CSS or JavaScript files
• Embedded fonts, for example Google Fonts
• Other external services and snippets
• Images and videos on your WordPress pages that still point to the HTTP address instead of HTTPS

The sources are correspondingly diverse:

• Plugins for WordPress and WooCommerce
• WordPress Themes
• Embedded source code on your pages and posts or in Gutenberg
• Old or incorrect links
• Widgets
• Social media connections
• Tools for tracking

Plugins and themes can lead to mixed content errors, especially if they are outdated or no longer being developed. In general, you should check whether and which subpages are affected by mixed content after switching your portal, blog or online shop to HTTPS.

Find mixed content

With a browser, you can quickly identify the sources of mixed content. This is how you proceed in Google Chrome; it is very similar in other browsers:

1. Click the right mouse button on any area of your page that you want to examine. Then select the “Examine” option.
2. Switch to the “Security” tab in the tools. There you can see at a glance under “Resources” whether there are any mixed content errors.
3. The exact sources for the incorrect integration are listed in the error console (“Console”).

Here is a small example of how the analysis looks in the Chrome console:

You can now resolve the error messages step by step by replacing the HTTP bindings with the respective HTTPS variants. Or by removing the cause – such as a plugin or a widget – completely if necessary.

Fix WordPress mixed content errors

In some cases, you will need to customise your WordPress theme and CSS files. Don’t have any technical knowledge of WordPress? Then you have the following options:

• You commission your agency or a web designer
• You contact the manufacturer of the theme and ask them to fix the errors – or provide you with the relevant instructions
• You are using the WordPress plugin Realtime-Find-Replace

Important in the latter case: This plugin only masks the problem. To future-proof your site – but also to avoid creating unnecessary clutter in WordPress – you should completely replace the HTTP links with HTTPS links. Want to edit your theme yourself? Then make sure you use a child theme. See our guide Child theme for WordPress.

Solution with Search and Replace

Are there many internal links hidden in your WordPress database that still point to an HTTP address? Then you can change these en masse or automatically to HTTPS using Search and Replace. We recommend the Better Search Replace plugin for this. The advantages of the tool:

• The tables in which you want to search and replace can be selected individually if required
• There is a test run function – very practical for checking in advance how many fields are changed and whether you have perhaps designed the search query incorrectly or too broadly
• Support for serialised arrays and objects for all tables
• Supports WordPress multisites

An even more detailed evaluation of the impact of Search & Replace is only available in the paid Pro version. But even then, the tool provides practical help.

Mixed Content WordPress Plugin

Do you want to fix the errors quickly but can’t do it yourself? And you don’t have an agency or freelancer at hand? There are also plugins for WordPress that can do some of the work for you. For example, the SSL Insecure Content Fixer.

Even in the standard settings, the tool fixes central mixed content errors:

• Scripts that access wp_register_script() or wp_enqueue_script()
• Stylesheets based on wp_register_style() or wp_enqueue_style()
• Images and similar files that call wp_get_attachment_image() or wp_get_attachment_image_src(), among others
• Data returned by wp_upload_dir(), for example for captchas

Other errors in the content – for example from themes, plugins or widgets – can also be fixed. The adjustments are made in a step-by-step model:

However, the developers point out that the cleanup via plugin can have a negative impact on the performance of your WordPress installation. You can find out more about how the Insecure Content Fixer works here.

Mixed content and cache

As already mentioned, it generally makes more sense to clean up mixed content errors manually than to use a plugin. This is because additional plugins and calls generate additional calls. Not to mention that plugins can be an additional gateway for attacks by hackers.

René Dasbeck reveals how you can clean up mixed content as part of a database migration in his guide Solving WordPress mixed content problems. Are you using a plugin for caching? René points out that an existing cache should be emptied before the clean-up. This is because old entries with unsafe requests can also be hidden in the cache.

Featured image: Markus Winkler