WordPress Mixed Content

Guide: Fixing WordPress mixed content errors - manually or via plugin

Are you switching WordPress to HTTPS? This can lead to so-called mixed content errors. Browsers such as Google Chrome then show your website as insecure or block it completely. We'll show you several ways to fix mixed content errors with WordPress.

A mixed content error always occurs when HTTP resources are loaded on your site or a subpage, although the site should actually only be accessible via HTTPS.

Recognize mixed content errors

Your visitors' browsers will then display the page as "not secure". You can also quickly see whether you have a problem with mixed content by calling up your pages:

Non-secure connection
Not secure connection, displayed in Google Chrome

"Possibly" because the "not sure" display can also conceal other errors. I'll come to a more detailed analysis in a moment.

A mixed content error looks dubious. It causes many of your visitors to abandon the site. Google is increasingly blocking the delivery of websites with mixed content via its Chrome browser. Users do have the option of manually reloading the blocked content. However, trust in your offer will already be damaged.

Causes of mixed content in WordPress

You have already switched your website to SSL or HTTPS, but individual elements are still being loaded from HTTP sources? This may be due to the following reasons:

  • Scripts such as CSS or JavaScript files
  • Embedded fonts, for example Google Fonts
  • Other external services and snippets
  • Images and videos on your WordPress pages that still point to the HTTP address instead of HTTPS

The sources are correspondingly diverse:

  • Plugins for WordPress and WooCommerce
  • WordPress Themes
  • Embedded source code on your pages and posts or in Gutenberg
  • Old or incorrect links
  • Widgets
  • Social media connections
  • Tools for tracking

Plugins and themes can lead to mixed content errors, especially if they are outdated or no longer being developed. In general, after switching your portal, blog or online store to HTTPS, you should check whether and which subpages are affected by mixed content.

Find mixed content

With a browser, you can quickly identify the sources of mixed content. This is how you proceed in Google Chrome; it is very similar in other browsers:

  1. Click the right mouse button on any area of your page that you want to examine. Then select the "Examine" option.
  2. Switch to the "Security" tab in the tools. There you can see at a glance under "Resources" whether there are mixed content errors.
  3. The exact sources for the incorrect integration are listed in the error console ("Console").

Here is a small example of what the analysis looks like in the Chrome console:

Chrome error console
Mixed content error in the console in Chrome

You can now resolve the error messages step by step by replacing the HTTP bindings with the respective HTTPS variants. Or by removing the cause - such as a plugin or a widget - completely if necessary.

Fix WordPress mixed content errors

In some cases, you will need to adapt your WordPress theme and CSS files. Don't have any technical knowledge of WordPress yourself? Then you have the following options:

  • You commission your agency or a web designer
  • You contact the manufacturer of the theme and ask them to fix the errors - or provide you with the relevant instructions
  • You are using the WordPress plugin Realtime-Find-Replace

Important in the latter case: This plugin only masks the problem. To future-proof your site - but also to avoid creating unnecessary clutter in WordPress - you should completely replace the HTTP links with HTTPS links. Want to edit your theme yourself? Then make sure you use a child theme. See our guide Child theme for WordPress.

Solution with Search and Replace

Are there many internal links hidden in your WordPress database that still point to an HTTP address? Then you can change these en masse or automatically to HTTPS using Search and Replace. We recommend the Better Search Replace plugin for this. The advantages of the tool:

  • The tables in which you want to search and replace can be selected individually if required
  • There is a test run function - very practical for checking in advance how many fields are changed and whether you have perhaps designed the search query incorrectly or too broadly
  • Support for serialized arrays and objects for all tables
  • Supports WordPress multisites

An even more detailed evaluation of the impact of Search & Replace is only available in the paid Pro version. But even then, the tool provides practical help.

Better Search Replace Plugin
The WordPress plugin Better Search Replace

Mixed Content WordPress Plugin

Do you want to fix the errors quickly, but can't do it yourself? And you don't have an agency or freelancer at hand? There are also plugins for WordPress that can do some of the work for you. For example, the SSL Insecure Content Fixer.

Even in the standard settings, the tool fixes central mixed content errors:

  • Scripts that are based on wp_register_script() or wp_enqueue_script() access
  • Stylesheets based on wp_register_style() or wp_enqueue_style()
  • Images and similar files that, among other things wp_get_attachment_image() resp. wp_get_attachment_image_src() call
  • Data provided by wp_upload_dir() can be returned, for example for captchas

Other errors in the content - for example from themes, plugins or widgets - can also be fixed. The adjustments are made in a step-by-step model:

SSL Insecure Content Fixer
Some of the options of the SSL Insecure Content Fixer Plugin

However, the developers point out that the cleanup via plugin can have a negative impact on the performance of your WordPress installation. You can find out more about how the Insecure Content Fixer works here.

Mixed content and cache

As already mentioned, it generally makes more sense to clean up mixed content errors manually than to use a plugin. This is because additional plugins and calls generate additional calls. Not to mention that plugins can be an additional gateway for attacks by hackers.

René Dasbeck reveals how you can clean up mixed content as part of a database migration in his guide Solving WordPress mixed content problems. Are you using a plugin for caching? René points out that an existing cache should be emptied before the cleanup. This is because old entries with unsafe requests can also be hidden in the cache.

Mixed content: Your questions

Do you have questions about mixed content? Feel free to use the comment function. Do you want to be informed about new posts on WordPress? Then follow us on Twitter, Facebook or via our newsletter.

Featured image: Markus Winkler

Did you like the article?

With your rating you help us to improve our content even further.

Write a comment

Your e-mail address will not be published. Required fields are marked with *