Mixed Content medium
Mixed Content Warning
Mixed content is an HTTPS page loading some resources over insecure HTTP — it breaks the padlock and blocks assets.
What you see
Mixed Content: The page at ‘https://example.com’ was loaded over HTTPS, but requested an insecure resource ‘http://example.com/image.jpg’. This request has been blocked.
What’s actually happening
Your page itself loads over HTTPS, but it pulls images, scripts, or stylesheets over plain HTTP. Browsers either block those resources (breaking layout/functionality) or downgrade the padlock to "Not Secure," eroding trust.
Common causes
- Hard-coded http:// URLs in content, themes, or the database after an HTTPS migration
- A plugin or embed loading assets over HTTP
- The site/home URL still set to http:// in CMS settings
- A third-party script that only offers HTTP
How to fix it
- Update site URLs to https://Set both the site and home URLs to https:// in your CMS settings so new links are generated securely.
- Search-and-replace hard-coded http:// linksRun a database search-replace (http://yourdomain → https://yourdomain). This catches the image/script URLs baked into old content.
- Add an upgrade-insecure-requests ruleA Content-Security-Policy "upgrade-insecure-requests" header tells browsers to auto-upgrade any remaining HTTP asset requests to HTTPS — a clean safety net.
- Find offenders with the consoleThe browser console lists every mixed-content resource by URL. Fix or replace each one (or drop HTTP-only third-party embeds).
Related errors