Mixed content is when a secure webpage serves content over an insecure protocol (HTTP).<\/p>\n\n\n\n
If someone accesses your site through HTTPS, their browser will encrypt the connection to your Web server. All data sent between them and your website is secure from being hacked. If your HTTPS page accesses a resource from an HTTP URL, however, such as an image, stylesheet, script, etc., then that resource will be transmitted over an unencrypted connection.<\/p>\n\n\n\n
The result is a page that’s partly secure and partly not. The browser can’t display the full padlock icon because the security guarantee it represents doesn’t apply to everything on the page.<\/p>\n\n\n\n
Here’s what mixed content looks like in a URL context. A page loaded at html<\/p>\n\n\n\n All three of those resources are being requested over HTTP. The page itself is HTTPS. That combination is mixed content.<\/p>\n\n\n\n The most common time this appears is immediately after migrating a site from HTTP to HTTPS. The SSL certificate gets installed. The site URL is updated. But hundreds of hardcoded HTTP references in the content, database, and templates remain pointing to the old unencrypted versions.<\/p>\n\n\n\n Most explanations of mixed content say it “creates vulnerabilities.” That’s accurate but vague. Here’s the concrete risk.<\/p>\n\n\n\n When your HTTPS page loads a resource over HTTP, that HTTP request is unencrypted. Anyone positioned between the user’s device and your server can see that request, and can modify what gets returned.<\/p>\n\n\n\n This is called an on-path attack, sometimes referred to as a man-in-the-middle attack. On public Wi-Fi, a hotel network, or any environment where an attacker can intercept unencrypted traffic, they can replace the HTTP resource your page is requesting with a malicious version.<\/p>\n\n\n\n Consider what that means for a JavaScript file loaded over HTTP. You have an HTTPS page where you instructed the browser to load a script from \u201chttp:\/\/yoursite.com\/app.js\u201d. An attacker captures that HTTP request to \u201chttp:\/\/yoursite.com\/app.js\u201d and serves back a malicious version of the JavaScript file. That code runs in the context of your HTTPS page, with access to your cookies, your session tokens, and anything else the page has access to. The user’s browser trusted the script because it came from your page. The connection the user thought was encrypted allowed the attack.<\/p>\n\n\n\n This is why the browser security model treats mixed content as a serious problem, not just a cosmetic one. An HTTPS page is only as secure as every resource it loads. A single HTTP resource is a potential injection point.<\/p>\n\n\n\n For a broader look at how this fits into the landscape of issues that can compromise a website, common website vulnerabilities<\/a> cover the full range of weaknesses that attackers actively look for.<\/p>\n\n\n\n Browsers treat different types of mixed content differently based on the level of risk they create. Understanding this distinction explains why some HTTP resources cause a warning while others cause a full block.<\/p>\n\n\n\n Active mixed content<\/strong> refers to resources that can execute code or directly affect the behavior of the page: JavaScript files, CSS stylesheets, iframes, XHR requests, and fetch API calls.<\/p>\n\n\n\n Active mixed content is the high-risk category. A malicious actor who intercepts and replaces an HTTP JavaScript file gets full code execution in the page context. This is severe enough that modern browsers block active mixed content entirely. The resource simply won’t load, and the browser records a console error rather than a warning.<\/p>\n\n\n\n Passive mixed content<\/strong> refers to resources that affect visual presentation but can’t execute code in the same way: images, audio files, and video files.<\/p>\n\n\n\n Passive mixed content historically generated a warning rather than a block. Browsers would load the resource but flag the page as “not fully secure.” Current browsers in 2026 are aggressively auto upgrading all passive mixed content to try to load HTTPS-equivalent images\/audio\/video. If the HTTPS version of the resource exists, the browser uses it silently. If it doesn’t exist, the resource gets blocked rather than loaded over HTTP.<\/p>\n\n\n\n The practical result: in modern browsers, mixed content is increasingly treated as a block rather than a warning across all resource types, not just scripts and stylesheets. The era of “passive mixed content generates a yellow warning” is being replaced by a model where most mixed content either gets silently upgraded or blocked entirely.<\/p>\n\n\n\n If you know what each of the major browsers will do for your specific mix-content issue, you will be able to understand what each sees and, therefore, which items you need to address first.<\/p>\n\n\n\n The consistency across browsers in 2026 is meaningful: no major browser allows active mixed content to load. If your site has HTTP JavaScript or CSS, those resources will not load for any visitor, regardless of browser choice. This makes active mixed content a functional site breakage, not just a security warning.<\/p>\n\n\n\n Mixed content doesn’t appear randomly. It appears for specific, predictable reasons. Knowing where it comes from makes finding and fixing it faster.<\/p>\n\n\n\n The most common cause by a significant margin. A site migrates from HTTP to HTTPS but internal links, image URLs, stylesheet references, and script tags throughout the codebase still point to Content management systems like WordPress store page content in a database. If posts and pages were written before the HTTPS migration, the HTML stored in the database will contain External scripts, widgets, social media embeds, analytics tools, and advertising tags that load from third-party HTTP URLs. These are particularly frustrating because you don’t control the third-party source, and some third-party providers are slow to update their CDN delivery to HTTPS.<\/p>\n\n\n\n Stylesheets often contain background-image properties pointing to images using HTTP URLs. These are easy to miss because they’re inside CSS files rather than in visible HTML.<\/p>\n\n\n\n Themes and plugins often contain hardcoded HTTP resource references in their own code. Even after a site-wide URL update, plugin-specific HTTP references may remain.<\/p>\n\n\n\n Server configurations that force HTTP for specific resource types, incorrectly configured CDN origin settings, or cached resources served from HTTP origins. Cloud misconfiguration<\/a> at the hosting and CDN level is a common but often overlooked source of mixed content in cloud-hosted environments.<\/p>\n\n\n\n Before you can fix mixed content, you need to find every instance of it. This is the step most guides underestimate. One missed HTTP reference means the padlock stays broken.<\/p>\n\n\n\n In your browser, Chrome or Firefox. Open your website and open the browser Developer Tools, F12. The Console tab will display all Mixed Content Errors & warnings in red and yellow, respectively, with their exact location of the HTTP resource being requested. This method is usually ok when targeting a few pages; you will need to review the entire website page by page.<\/p>\n\n\n\n In Chrome, click the padlock or site settings icon in the address bar, then “Connection is secure” or “Certificate.” Chrome will show whether any resources were blocked or upgraded. Firefox has a dedicated Security panel in developer tools that categorizes mixed content by type.<\/p>\n\n\n\n Sucuri SiteCheck, JitBit SSL Checker, and dedicated mixed content scanners<\/a> all scan multiple pages of your website at once and provide you with a complete list of your HTTP resources. For sites that have a lot of content, it is more efficient to check the pages in bulk.<\/p>\n\n\n\n For a broader security audit at the same time, website scanner tools<\/a> can identify mixed content alongside other security issues on your site in a single scan.<\/p>\n\n\n\n If you want to get rid of it for good, look in your site’s database and source code for any hardcoded HTTP links. WordPress plugins, such as Better Search Replace, can search the entire database for http:\/\/yoursite.com and replace it with https:\/\/yoursite.com. A code search for http:\/\/ strings in your HTML templates, CSS files, and JavaScript files will locate strings that can be referenced that may not be picked up by crawlers.<\/p>\n\n\n\n After you’ve determined the list of HTTP resources, there are a few categories of fixes.<\/p>\n\n\n\n For content on your own domain or any domain that also serves its content on HTTPS, all you need to do is update the URLs to be https instead of http. This is obviously the preferred way to resolve it.<\/p>\n\n\n\n If you have a large number of hardcoded HTTP references, bulk find-and-replace is more practical than manual editing. Use database search-and-replace tools for CMS-stored content, and find-and-replace in your IDE or version control system for code files.<\/p>\n\n\n\n Protocol-relative URLs omit the scheme entirely, using html<\/p>\n\n\n\n If the page is loaded over HTTPS, then protocol-relative URLs are loaded over HTTPS, as well. On an HTTP page, they load over HTTP. This is suitable for resources that are served from your own domain.<\/p>\n\n\n\n Note: URLs that are protocol-relative are not so popular these days as they were several years ago; in 2026, any protocol should be HTTPS, and then there’s no need for https:\/\/. However, they are still a suitable solution in some scenarios.<\/p>\n\n\n\n If external resources such as Google Fonts, CDN hosted<\/a> libraries, or social widgets are used, ensure that the provider provides a method of delivering these resources via HTTPS. For years, most of the third-party providers have been supporting HTTPS. Change the reference from http:\/\/fonts.googleapis.com\/ to https:\/\/fonts.googleapis.com\/.<\/p>\n\n\n\n If there’s no equivalent of the resource (like a PDF) to be found on HTTPS, you can either self-host the resource (download it and serve it from your own HTTPS domain) or you can remove it from the page. However, serving an HTTP-only third party resource from your HTTPS site is not a possible option that preserves your security configuration as it is the third party resource that causes the mixed content.<\/p>\n\n\n\n Set up web server to redirect all HTTP traffic to HTTPS. This is accomplished in Apache via a redirect rule in .htaccess. In Nginx it’s a server block redirect. This is not a solution for existing HTTP links within your content, but it will ensure that any http requests to your own domain will be upgraded to https at the server level prior to delivery of the resource.<\/p>\n\n\n\n All these things can be done manually, and sometimes this is required. WordPress has a few tools for resolving mixed content faster:<\/p>\n\n\n\n Use the Better Search Replace plugin. Search through all the tables for http:\/\/yourdomain.com and replace it with https:\/\/yourdomain.com. This will find and replace URLs stored in posts, pages, meta fields, and option values in the database.<\/p>\n\n\n\n First, run a dry run to understand the number of records that will be affected before using the actual replacement.<\/p>\n\n\n\n This plugin automatically takes care of the most common WordPress mixed content situations: WordPress URL\/URL2 settings, server\/WordPress redirects from HTTP to HTTPS, and find2fix for mixed content errors in the database. It should fix most sites that have simple mixed content as a result of an HTTP to HTTPS migration in a matter of seconds.<\/p>\n\n\n\n Change your WordPress Address (URL) and Site Address (URL) on Settings > General to both use https:\/\/. (They determine how WordPress creates links internally, so if you’re still on http:\/\/, WordPress will continue to create http:\/\/ links even if you have an SSL.)<\/p>\n\n\n\n Look for any hard-coded HTTP or HTTPS URL references in your theme or any plugins in its code files. Good quality themes and plugins are relatively free of this problem, but older plugins or less-updated plugins sometimes have HTTP references in their templates or stylesheets. Upgrade to more recent versions of plugins or files, or ask the developer for them.<\/p>\n\n\n\n When the site isn’t built on WordPress, it’s really the same approach but slightly different depending on your tech stack.<\/p>\n\n\n\n Content Security Policy (CSP) provides a server-side mechanism for handling mixed content that complements the URL-by-URL approach.<\/p>\n\n\n\n Two CSP directives are specifically relevant to mixed content.<\/p>\n\n\n\n upgrade-insecure-requests<\/strong><\/p>\n\n\n\n This header instructs the browser to upgrade all HTTP resource requests on the page to HTTPS automatically, before making the request. It’s a useful transitional measure during an HTTP to HTTPS migration, but it’s not a substitute for actually fixing the underlying HTTP references. If the HTTPS version of a resource doesn’t exist, the request fails rather than falling back to HTTP.<\/p>\n\n\n\n block-all-mixed-content<\/strong><\/p>\n\n\n\n This header instructs the browser not to block any mixed content, even if it would usually be upgraded to HTTPS automatically. This is the highest policy that will prohibit any resource loaded via http being loaded at all. You\u2019ll only want to use this when you are completely sure all your resources have been upgraded to HTTPS otherwise http pages won\u2019t load, because all resources were loaded via HTTP.<\/p>\n\n\n\n The headers you add are placed on your web server, not within the body of your web page. In Apache, these are set using a .htaccess file. In Nginx, they are set on the server block. Most web hosting providers provide a tool in your admin panel for setting custom response headers.<\/p>\n\n\n\n Fixing existing mixed content is one task. Preventing new mixed content from being introduced is an ongoing responsibility.<\/p>\n\n\n\n After you\u2019ve implemented the base URL, canonical URL and any other URL generation setting to HTTPS prior to building the site, it\u2019s a good practice to not create any new content to avoid making HTTP links to your pages.<\/p>\n\n\n\n Template files and CSS with relative URLs, such as \/images\/logo.png instead of http:\/\/yoursite.com\/images\/logo.png, will not generate mixed content no matter what protocol your site is served with. Habitually building templates with relative URLs stops mixed content in the first place.<\/p>\n\n\n\n If you need to embed or include an additional third-party script, widget or embed on your site, check that the provider serves content over HTTPS. Review the script’s source url. If the supplier can only offer a HTTP solution, seek an HTTPS alternative or host the file on your own server.<\/p>\n\n\n\n The upgrade-insecure-requests CSP directive also offers an additional safety mechanism after you’ve corrected any present mixed content in your website, acting as a buffer against any new HTTP references that might silently become mixed content later.<\/p>\n\n\n\nhttps:\/\/yoursite.com<\/code> contains the following in its HTML:<\/p>\n\n\n\n<img src=\"http:\/\/yoursite.com\/images\/logo.png\">\n<script src=\"http:\/\/analytics.example.com\/track.js\"><\/script>\n<link rel=\"stylesheet\" href=\"http:\/\/fonts.example.com\/font.css\"><\/code><\/pre>\n\n\n\n<\/span>Why Mixed Content Is a Real Security Risk<\/span><\/h2>\n\n\n\n
<\/span>Active vs Passive Mixed Content: Why the Distinction Matters<\/span><\/h2>\n\n\n\n
<\/span>How Browsers Handle Mixed Content in 2026<\/span><\/h2>\n\n\n\n
\n
<\/span>What Causes Mixed Content?<\/span><\/h2>\n\n\n\n
![\"What](\"https:\/\/getdarkscout.com\/blog\/wp-content\/uploads\/2026\/06\/What-Causes-Mixed-Content.webp\")
<\/figure>\n\n\n\n1. HTTPS migration without full URL updates<\/strong><\/h3>\n\n\n\n
http:\/\/<\/code> versions. The site URL changed. The content references didn’t.<\/p>\n\n\n\n2. Hardcoded HTTP URLs in the database<\/strong><\/h3>\n\n\n\n
http:\/\/<\/code> image URLs, links, and embeds. Simply changing the site URL setting doesn’t update these database-stored references.<\/p>\n\n\n\n3. Third-party scripts and embeds<\/strong><\/h3>\n\n\n\n
4. CSS background images with HTTP URLs<\/strong><\/h3>\n\n\n\n
5. Theme and plugin code in WordPress environments<\/strong><\/h3>\n\n\n\n
6. Outdated or misconfigured hosting environments<\/strong><\/h3>\n\n\n\n
<\/span>How to Find Mixed Content on Your Site<\/span><\/h2>\n\n\n\n
Method 1: Browser developer console<\/strong><\/h3>\n\n\n\n
Method 2: Browser security panel<\/strong><\/h3>\n\n\n\n
Method 3: “Why No Padlock?” online tool<\/strong><\/h3>\n\n\n\n
whynopadlock.com<\/code> Checks a URL and returns a detailed report of all HTTP resources found on the page. Paste your page URL, run the scan, and it shows you every mixed content source without requiring you to open developer tools. Useful for non-technical users or for quickly checking individual pages.<\/p>\n\n\n\nMethod 4: Online website scanners<\/strong><\/h3>\n\n\n\n
Method 5: Search your database and codebase directly<\/strong><\/h3>\n\n\n\n
<\/span>How to Fix Mixed Content<\/span><\/h2>\n\n\n\n
Fix 1: Update internal HTTP URLs to HTTPS<\/strong><\/h3>\n\n\n\n
Fix 2: Use protocol-relative URLs<\/strong><\/h3>\n\n\n\n
\/\/<\/code> instead of http:\/\/<\/code> or https:\/\/<\/code>:<\/p>\n\n\n\n<img src=\"\/\/yoursite.com\/images\/logo.png\">\n<script src=\"\/\/analytics.example.com\/track.js\"><\/script><\/code><\/pre>\n\n\n\nFix 3: Update third-party resource URLs to their HTTPS equivalents<\/strong><\/h3>\n\n\n\n
Fix 4: Replace or remove HTTP-only external resources<\/strong><\/h3>\n\n\n\n
Fix 5: Force HTTPS at the server level<\/strong><\/h3>\n\n\n\n
<\/span>Fixing Mixed Content in WordPress<\/span><\/h2>\n\n\n\n
![\"Fixing](\"https:\/\/getdarkscout.com\/blog\/wp-content\/uploads\/2026\/06\/Fixing-Mixed-Content-in-WordPress.webp\")
<\/figure>\n\n\n\nMethod 1: Better Search Replace plugin<\/strong><\/h3>\n\n\n\n
Method 2: Really Simple SSL plugin<\/strong><\/h3>\n\n\n\n
Method 3: Update WordPress settings<\/strong><\/h3>\n\n\n\n
Method 4: Theme and plugin review<\/strong><\/h3>\n\n\n\n
<\/span>Fixing Mixed Content on Non-WordPress Sites<\/span><\/h2>\n\n\n\n
\n
<\/span>Using CSP to Handle Mixed Content at the Server Level<\/span><\/h2>\n\n\n\n
Content-Security-Policy: upgrade-insecure-requests<\/code><\/pre>\n\n\n\nContent-Security-Policy: block-all-mixed-content<\/code><\/pre>\n\n\n\n<\/span>Preventing Mixed Content in the Future<\/span><\/h2>\n\n\n\n
Set your CMS base URL to HTTPS from the start<\/strong><\/h3>\n\n\n\n
Use relative URLs in templates and stylesheets<\/strong><\/h3>\n\n\n\n
Audit third-party scripts before adding them<\/strong><\/h3>\n\n\n\n
Add CSP upgrade-insecure-requests as a safety net<\/strong><\/h3>\n\n\n\n