Adding Secure Socket Layer (SSL) protection to your website is crucial for protecting users’ private data. However, when integrating SSL certificates, it’s not uncommon to run into issues such as WordPress mixed content warnings.
To prevent Google from flagging your web pages as “not secure,” it’s essential to take careful measures to ensure the proper implementation of SSL certificates. This includes providing all URLs, scripts, and content load over HTTPS rather than HTTP.
In this post, we’ll start by explaining what SSL certificates are and why they’re essential. Then we’ll discuss HTTPS mixed content warnings, what causes them, and step-by-step instructions for finding and fixing them in WordPress. Let’s get started!
What Is an SSL Certificate?
While browsing the internet, we often share personal information such as credit card details. SSL, which stands for Secure Socket Layer, helps protect your privacy and boost security by acting as the middleman between your browser and the server where a site is hosted.
SSL-protected sites load over HyperText Transfer Protocol Secure (HTTPS). They’re also marked by a padlock icon in the address bar. This indicates that data transmission between the visitor and the server is encrypted.
There are three main types of SSL certificates:
- Domain Validation (DV): A DV certificate verifies that you are the domain owner before adding SSL protection to it.
- Organization Validation (OV): An OV certificate not only verifies your domain but also proves your organization is legitimate.
- Extended Validation (EV): An EV certificate offers your customers the highest level of security assurance, as all applicants must pass a strict vetting process.
The use of SSL certificates is increasing, and almost everyone is switching to HTTPS.
Why SSL Certificates Are Important for WordPress Sites
There are a variety of reasons SSL certificates are so necessary. To start, Google added HTTPS use as a ranking parameter for its Search Engine Results Pages (SERPs), along with site speed. Thus, leveraging an SSL certificate can help boost your rankings and improve Search Engine Optimization (SEO).
SSL certificates can also help decrease cart abandonment rates. Having a green padlock icon in the address bar with a “Secure Connection” message helps gain visitors’ trust. Customers will feel more confident when purchasing your products, as there’s less concern about data theft.
SSL certificates are also officially recommended by WordPress. The platform’s co-founder, Matt Mullenweg, announced that WordPress would only suggest SSL-secured WordPress hosting providers.
Perhaps most importantly, HTTPS prevents browsers from displaying security warnings on your WordPress site, which may deter visitors altogether.
In 2018, Google Chrome announced that it would start showing a “not secure” warning on HTTP sites. With an SSL certificate, your visitors won’t see this warning and will be more likely to trust your site.
How to Get an SSL Certificate for Your WordPress Site
You can use a handful of methods to install an SSL certificate on your WordPress site. One of the most popular is to go through Let’s Encrypt, a free domain-level SSL Certificate Authority (CA) provider backed by the Internet Security Research Group (ISRG).
We recommend checking with your host for specific SSL certificate installation requirements and guidance. However, most hosting providers support free, one-click Let’s Encrypt installation with their plans.
If your host doesn’t offer a one-click installation option, you can also manually add a Let’s Encrypt certificate to your site. To do so, you will need control of your entire server and shell access, as well as the CertBot ACME, installed on your computer.
Another option is to use an online tool such as SSL For Free, which eliminates the complexity of installing an SSL certificate.
You enter your site’s URL and follow the steps provided. This is much easier than the manual method and only takes about ten minutes to complete.
Unfortunately, there are some cases when you might still see a “not secure” message even after installing your SSL certificate. If your settings are misconfigured, it can cause several issues, including WordPress mixed content warnings.
What is WordPress Mixed Content Warnings?
If you’ve successfully installed an SSL certificate on your WordPress site and configured it correctly, you should see the padlock icon in the browser address bar when you visit your site. However, on some pages, you may notice an info icon instead.
This indicates a mixed content warning, which appears in visitors’ browsers if your WordPress site loads HTTPS and HTTP scripts. The wording of this error may vary depending on which browser you’re using. However, in most cases, it will identify your site as “not secure.”
Some common examples of HTTPS mixed content warnings include:
- “Your connection to this site is not fully secure.”
- “Connection is Not Secure”
- “Be careful here. Some content on this page is not encrypted.”
- “Only secure content is displayed.”
Although your site may be using a secure URL and is accessible and functioning, a WordPress mixed content warning means some elements or assets on the page aren’t protected. More specifically, it means one or more URLs are serving content via HTTP rather than HTTPS.
Common Causes of HTTPS Mixed Content Warnings
Mixed content warnings are likely to occur right after migrating from HTTP to HTTPS. There are multiple reasons you might see a diverse content warning on your WordPress site, including:
- There are HTTP links in your CSS and JS Files. While writing the code of themes and plugins, some developers hardcode HTTP links instead of HTTPS.
- Images on the page are not linked. Hotlinking is the process of calling shots from other sources. Images may have hardcoded URL paths that use HTTP.
- Links to external scripts are included in your CSS and JS files. As with hotlinking, calling files from external resources that don’t have HTTPS enabled might cause a mixed content warning in WordPress.
There are two major types of mixed content: active and passive. Dynamic, diverse range refers to web pages loaded over a secure HTTPS connection containing scripts loaded over HTTP. Passive mixed content relates to image, video, or audio files loaded via HTTP.
How to Find and Identify WordPress Mixed Content Errors in WordPress
There are multiple ways you can identify mixed content errors on your WordPress site and, more specifically, which assets are loading over HTTP. The first is to check for them using Chrome DevTools manually.
To do this, you’ll need to open your site in Google Chrome. Right-click on the page where the warning appears, then select Inspect. Under the Console tab, anything your browser has identified and flagged as not secure will be listed, with mixed content warnings highlighted in yellow.
If it’s just one or two items you need to fix, you can go to the page or post where the problem is located to fix it. However, if there are many mixed content issues on your WordPress site, manually resolving them isn’t the easiest.
Therefore, you might consider using SSL Check by JitBit instead.
This helpful tool scans your entire site and provides a list of non-HTTPS URLs. Enter your domain and click on Check for SSL Errors. After it’s done crawling your pages, it will display a list of pages with insecure content.
Once you identify which assets are causing the WordPress mixed content warnings, the next step is figuring out how to resolve them.
How to Fix Mixed Content Warnings in WordPress (In 4 Steps)
If you’re seeing mixed content warnings on your WordPress site, it’s essential to resolve them as soon as possible. In addition to making your site appear untrustworthy to visitors, these errors can also hurt your site’s User Experience (UX) and SEO.
Let’s take a look at how to fix WordPress mixed content warnings in four steps:
- Confirm You’re Using a Valid SSL Certificate
- Change Your WordPress Internal URLs from HTTP to HTTPS
- Add a Rule to Redirect HTTP to HTTPS
- Perform a Search and Replace to Update the Links in Your Content and Database
How to Change Image URLs from HTTP to HTTPS in WordPress
As you might recall, image URLs and other media assets with absolute HTTP links can cause WordPress mixed content warnings. If a plugin such as Better Search Replace wasn’t practical for updating your image URLs, you could switch them by running a database search and replacing the query.
To do this, login into your hosting account and open phpMyAdmin. Select your WordPress database from the list on the left, then click on the SQL tab.
In the SQL query box, place the following:
- UPDATE wp_posts SET post_content=(REPLACE (post_content, ‘<old url>’,'<new url>’));
- Make sure to replace the old URL and new URL with your domain using HTTP and HTTPS, respectively. When you’re done, click on the Go button.
Once the query is done, all your post content and images should be updated with the new HTTPS URL. Clear your cache and revisit your site to confirm that the WordPress mixed content warnings are resolved.
Helpful WordPress Mixed Content Plugins
Manually inspecting, implementing, and resolving WordPress mixed content warnings can be time-consuming. Fortunately, some WordPress mixed content plugins can help streamline the process. We’ve already mentioned a few in the steps above, but here are some others you might find helpful.
Simple SSL
Simple SSL automatically detects and configures your WordPress site to run over HTTPS. The beauty of this tool is that you have to enable SSL via your host, and the plugin handles everything else.
Simple SSL accomplishes the following:
- Handles common issues with SSL certificates in WordPress
- Redirects all incoming requests to HTTPS
- Enables .htaccess redirects
- Changes your website address to HTTPS
- Fixes mixed content warnings in most cases, except for outbound links
Simple SSL premium licenses start at $29 per year and run up to $159 per year. If you don’t need all the bells and whistles, you can also use a free version.
SSL Insecure Content Fixer
SSL Insecure Content Fixer is a free yet powerful plugin you can use to resolve a variety of WordPress mixed content warnings and errors. After you install it, it automatically works to detect insecure content on your website.
It also provides multiple levels for fixing mixed content errors, ranging from Simple to Capture.
Once you select your detection level and settings, the plugin handles all the heavy lifting for you. Plus, it’s free to use!
Wrapping Up
Since Google added HTTPS as a ranking factor and began marking sites without SSL certificates “not secure,” it’s recommended that you protect your WordPress site by installing one. However, to prevent and resolve WordPress mixed content warnings, it’s essential to properly configure your site for HTTPS encryption.
As we discussed in this post, there are four steps you can take to do this:
- Confirm you’re using a valid SSL certificate on your WordPress site.
- Change your internal WordPress site URLs from HTTP to HTTPS.
- Add a rule to redirect HTTP to HTTPS.
- Perform a search and replace to update your content and database (via query or plugin).
Adding an SSL certificate is just one way to boost your WordPress site security. We offer Care Plans that can help streamline all your site maintenance and security tasks. Check them out today to see how we can help!
If you enjoyed this article, then you’ll enjoy the 24/7 WordPress website management and support services has to offer! Partner with the team that provides every aspect of premium WordPress support services.
Our expert engineers have your back from speed optimization services to unlimited website edits, security, 24/7 support, or even white-label site management for agencies and freelancers. Bring us in as part of your team to make your site Bufftastic! Check out our plans
