web60

How to fix mixed content warnings on your website

WordPress Help4 min read·

Mixed content means your site loads over HTTPS but some individual resources — such as images, stylesheets, or scripts — are still being requested over plain HTTP. This guide explains why it happens and how to fix it.

What mixed content looks like

When mixed content is present, browsers display a warning. In Chrome, the padlock icon in the address bar may disappear or show a "Not Secure" label. Firefox shows a padlock with a warning triangle. Some browsers block the insecure resources entirely, which can cause missing images or broken page layouts.

Why it happens

Web60 provides an SSL certificate for every site, and all traffic is automatically redirected to HTTPS. However, mixed content can still occur when:

  • Content was created before SSL was active. If you wrote posts or pages when your site was still using HTTP, the image URLs saved in the database start with http://.
  • Hardcoded URLs in themes or plugins. Some themes or plugins include http:// URLs directly in their code rather than using relative paths.
  • External resources. Your site may load fonts, scripts, or images from a third-party service using an HTTP URL.

Step 1: Find the mixed content

Open your site in Chrome or Firefox. Right-click anywhere on the page and select Inspect, then click the Console tab. Any mixed content warnings will appear here, showing the full URL of each insecure resource. This tells you whether the problem is in your own database, your theme, or a third-party service.

Step 2: Fix URLs in the database

Most mixed content comes from HTTP URLs stored in your WordPress database — in post content, widget text, or custom fields. The fastest way to fix this is with a WP-CLI search-replace command.

Open the WP-CLI tool in your Web60 portal and run:

wp search-replace 'http://yourdomain.ie' 'https://yourdomain.ie' --skip-columns=guid --skip-plugins --skip-themes

Replace yourdomain.ie with your actual domain name. This command finds every instance of your HTTP URL in the database and replaces it with the HTTPS version.

The --skip-columns=guid flag is important — it prevents WordPress from changing the GUID column, which is used internally and should not be modified. The --skip-plugins --skip-themes flags ensure the command runs even if a plugin or theme has a bug.

Step 3: Check your theme and plugins

If the browser console still shows mixed content after the database fix, the HTTP URLs may be hardcoded in your theme or plugin files. Check:

  • Theme settings pages for image URLs or custom CSS that reference http://.
  • Widget content, especially text widgets with manually entered image URLs.
  • Page builder settings where background images or media are stored separately from the main content.

Update any http:// URLs to https://.

Step 4: Fix third-party resources

If the mixed content is coming from an external domain (not your own), check whether that service supports HTTPS. Most modern services do. Simply change http:// to https:// in the URL. If the service does not support HTTPS, you may need to find an alternative or host the resource on your own site.

Step 5: Clear your cache

After making changes, clear your site cache from the Web60 portal. Then clear your browser cache and reload the page. Check the console again to confirm all mixed content warnings are gone.

FAQ

Q: How do I find which resources are causing mixed content?

A: Open your site in Chrome or Firefox, right-click anywhere, and select Inspect. Click the Console tab. Mixed content warnings appear as yellow or red messages listing the exact URL of each insecure resource. This tells you which images, scripts, or stylesheets are still loading over HTTP.

Q: Will the search-replace command break anything?

A: The WP-CLI search-replace command is safe when used as shown in this guide. The --skip-columns=guid flag protects the GUID column, which WordPress uses internally and should never be changed. Always clear your cache after running the command so the updated URLs take effect.

Q: Why does my site still show a warning after fixing the URLs?

A: The most common reason is caching. Clear your site cache from the Web60 portal, then clear your browser cache and reload. If the warning persists, check the browser console again — there may be a hardcoded HTTP URL in your theme files or in a third-party plugin that was not caught by the database search-replace.

Frequently asked questions

How do I find which resources are causing mixed content?

Open your site in Chrome or Firefox, right-click anywhere, and select Inspect. Click the Console tab. Mixed content warnings appear as yellow or red messages listing the exact URL of each insecure resource. This tells you which images, scripts, or stylesheets are still loading over HTTP.

Will the search-replace command break anything?

The WP-CLI search-replace command is safe when used as shown in this guide. The --skip-columns=guid flag protects the GUID column, which WordPress uses internally and should never be changed. Always clear your cache after running the command so the updated URLs take effect.

Why does my site still show a warning after fixing the URLs?

The most common reason is caching. Clear your site cache from the Web60 portal, then clear your browser cache and reload. If the warning persists, check the browser console again — there may be a hardcoded HTTP URL in your theme files or in a third-party plugin that was not caught by the database search-replace.

Last updated: 4 April 2026

← PreviousHow to change the language of your WordPress siteNext →How to fix the WordPress white screen of death

Still need help?

Contact our support team for personalised assistance.

Contact Support