You installed your SSL certificate. Your site loads over HTTPS. You even see the padlock icon in the address bar — for a moment. Then it disappears, or turns into a warning triangle, and the browser tells you your connection is “not fully secure.”
That is a mixed content warning. And it is one of the most confusing errors to fix because the SSL certificate itself is not the problem. Your certificate is working fine. The issue is somewhere in your content, your database, or your theme — and you need to track it down before it quietly hurts your SEO and drives visitors away.
This guide walks you through exactly what mixed content is, how to find it, and how to fix it — whether you are using a plugin, doing it manually, or running into the problem on Hostinger with Divi.
Common Signs of Mixed Content
- Padlock disappears
- “Not fully secure” messagev
- CSS/layout broken after SSL install
- Images blocked after enabling HTTPS
- Browser warning triangle
What Is Mixed Content?
When a browser loads your website over HTTPS, it expects every single resource on that page — every image, script, stylesheet, font, and iframe — to also load over HTTPS.
Mixed content happens when at least one of those resources still loads over plain HTTP. The page itself is secure, but it is pulling in something that is not. Browsers see that as a red flag, because an insecure resource can be intercepted and tampered with — even on an otherwise secure page.
Think of it this way: you lock the front door of your house but leave one window open. The house is not fully secure, even though the lock works perfectly.
Active Mixed Content vs Passive Mixed Content
Not all mixed content is treated the same way. Browsers distinguish between two types:
Active mixed content includes JavaScript files, stylesheets (CSS), iframes, and XMLHttpRequests. These can directly manipulate the page, so browsers block them entirely. If a stylesheet fails to load because of this, your site can look completely broken — missing fonts, wrong colours, no layout.
Passive mixed content includes images, audio, and video. These cannot manipulate the page directly, so browsers typically load them but show a warning. Your site still looks okay, but the padlock is gone or shows a warning icon.
In practice, both types are worth fixing. Active mixed content breaks your site. Passive mixed content removes the trust signal that HTTPS gives you.
Why Does Mixed Content Happen in WordPress?
Installing an SSL certificate does not automatically rewrite every URL on your site. WordPress stores full URLs — including the protocol — directly in the database. When you switch from HTTP to HTTPS, all those old stored URLs still say http://.
Here are the most common sources:
- Old blog posts and pages. Any image you uploaded or link you added before switching to HTTPS is stored in the database with an
http://URL. WordPress does not update these automatically. - Theme files. Some themes hardcode image paths or load Google Fonts, icon libraries, or external scripts using HTTP instead of HTTPS.
- Plugins. Older or poorly maintained plugins may enqueue CSS or JavaScript files over HTTP. Security plugins, page builders, and slider plugins are common culprits.
- Widgets and custom HTML blocks. If you ever pasted a link or embedded something manually into a widget or block, it may still use HTTP.
- External embeds. Older YouTube embed codes, Google Maps embeds, and some social media scripts used HTTP. These need to be updated at the source.
- Divi’s builder data. Divi stores page builder content in its own database tables and in post meta. If you built pages before switching to HTTPS, those URLs are stored separately and do not always get caught by standard search-replace tools.
Quick Reference: Mixed Content Causes and Fixes
| Symptom | Most Likely Cause | Fix |
|---|---|---|
| Broken padlock, “not fully secure” | HTTP resources in posts or pages | Better Search Replace or Really Simple SSL |
| Broken layout after SSL install | Theme or plugin loading CSS/JS over HTTP | Plugin fix or .htaccess redirect |
| Warning on some pages but not others | Specific posts with hardcoded HTTP links | Find via browser console, fix manually or in bulk |
| Warning after enabling HTTPS in WordPress settings | WordPress URL not updated in Settings → General | Update both URLs to https:// |
| Warning persists after all fixes | Cache not cleared, or Cloudflare Flexible SSL | Clear all caches, check Cloudflare SSL mode |
| Warning only in one browser | Browser cache or antivirus HTTPS inspection | Clear cache, test in incognito |
Step 1: Find the Mixed Content (Before You Fix Anything)
Do not start applying fixes blindly. Find the source first. There are three reliable ways to do this.
Method A: Browser Console (Free, Fast, Exact)
- Open the page showing the warning in Chrome
- Press F12 (or right-click anywhere → Inspect)
- Click the Console tab
- Reload the page
Any mixed content will show up as a warning or error in red or yellow. You will see the exact URL of the insecure resource, like:
Mixed Content: The page at 'https://yoursite.com/' was loaded over HTTPS,
but requested an insecure image 'http://yoursite.com/wp-content/uploads/old-image.jpg'.That tells you exactly what needs fixing and where it is coming from.
Method B: Why No Padlock Tool
Go to whynopadlock.com and enter your URL. It crawls your page and lists every insecure resource it finds. This is useful for a quick overview without opening developer tools.
Method C: Screaming Frog or Site Crawl
If you have a large site with many pages, a full crawl using Screaming Frog (free up to 500 URLs) will find HTTP links across all pages at once — not just the homepage.
Step 2: Check Your WordPress URL Settings
Before anything else, confirm that WordPress itself knows your site uses HTTPS.
- Go to Settings → General in your WordPress dashboard
- Check both the WordPress Address (URL) and Site Address (URL) fields
- If either still starts with
http://, change it tohttps:// - Click Save Changes
This is the most basic fix and is often overlooked. WordPress uses these URLs as the base when generating links and loading resources. If they say HTTP, you will keep getting mixed content regardless of what else you fix.
Note: After saving, WordPress may log you out. Log back in using your
https://URL.
Step 3: Fix Mixed Content With a Plugin
For most WordPress users, a plugin is the fastest and safest starting point. There are two worth knowing.
Option A: Really Simple SSL
This is the most popular option. Install and activate it from Plugins → Add New, then follow the setup wizard. It handles the URL update in Settings → General and adds a redirect from HTTP to HTTPS automatically.
It also rewrites URLs on the fly as pages are served, which catches things that are harder to fix at the database level. It is not a permanent database fix — it is a filter applied at render time — but for most sites it works well enough on its own.
Option B: SSL Insecure Content Fixer
If Really Simple SSL does not fully clear the warning, try SSL Insecure Content Fixer. It gives you more control with different fix levels:
- Simple — fixes scripts, stylesheets, and WordPress media. Start here.
- Content — also scans post and page content and text widgets.
- Widgets — extends the scan to all widgets.
- Capture — scans everything including headers and footers. Use this if the others do not work, but be aware it can slow your site slightly.
Go to Settings → SSL Insecure Content Fixer, choose a level, save, and clear your cache before testing.
Step 4: Fix Hardcoded HTTP URLs in Your Database
If the plugin fix does not fully resolve the warning, you have hardcoded http:// URLs stored in your database. This is the most common reason mixed content persists after using a plugin.
The safest way to fix this is with the Better Search Replace plugin.
How to Use Better Search Replace
- Back up your database first — this is not optional. On Hostinger, use hPanel → Backups, or use a plugin like UpdraftPlus.
- Install and activate Better Search Replace from the plugin directory
- Go to Tools → Better Search Replace
- In the Search for field, enter:
http://yourdomain.com - In the Replace with field, enter:
https://yourdomain.com - Select all database tables
- Check Run as dry run? first to see what will change without making any changes
- Review the results, then uncheck dry run and run it for real
Important — serialized data: WordPress stores some data in a format called serialized arrays, which include character counts as part of the data structure. If you use a basic SQL search-replace directly in phpMyAdmin and change a URL, those character counts break, which corrupts the data. Better Search Replace handles serialized data correctly, which is why it is recommended over doing this manually in phpMyAdmin.
What About Divi?
Divi stores page builder content in post meta fields and its own option rows, not just in the main post content field. When you run Better Search Replace across all tables, it will catch most of this. But if you still see warnings on Divi-built pages after the search-replace, check these specifically:
- Go to Divi → Theme Options → General and re-save the settings
- Go to Divi → Theme Builder and re-save any global templates
- Check any Divi Library sections that include image URLs
Also go to Divi → Theme Options → Builder → Advanced and make sure the static CSS file generation is enabled. After your database fix, click Clear next to the static CSS option to force Divi to regenerate all CSS files with the new HTTPS URLs.
Step 5: Force HTTPS via .htaccess
This step redirects all HTTP traffic to HTTPS at the server level, before WordPress even loads. It is a good layer to have even after fixing the content.
Open your .htaccess file in Hostinger’s File Manager (it is in public_html/) and add this before the existing WordPress rules:
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]Save the file, then test your site. Any HTTP URL should now redirect to HTTPS automatically.
Hostinger note: Hostinger uses LiteSpeed, which supports
.htaccessrules fully. This redirect will work without any additional configuration.
Step 6: Check Your SSL Setup on Hostinger
If you have not yet installed your SSL certificate, Hostinger makes this straightforward. SSL certificates on Hostinger are free and auto-renewed through Let’s Encrypt.
- Log in to hPanel
- Go to Hosting → Manage → SSL
- Click Install SSL next to your domain
- Once installed, enable Force HTTPS from the same SSL settings page
The Force HTTPS toggle in hPanel does the same job as the .htaccess redirect above. You do not need both — use whichever you prefer.
Step 7: Fix the Cloudflare SSL Mode (If You Use Cloudflare)
If your site uses Cloudflare as a CDN or for DNS, the SSL mode setting in Cloudflare matters a lot.
Cloudflare’s Flexible SSL mode is a common hidden cause of mixed content. In Flexible mode, Cloudflare connects to your origin server over HTTP — so even though visitors see HTTPS, the connection between Cloudflare and your server is not secure. This causes mixed content warnings that are almost impossible to debug from WordPress itself.
Fix it like this:
- Log in to your Cloudflare dashboard
- Go to SSL/TLS → Overview
- Change the mode from Flexible to Full or Full (Strict)
If you want Cloudflare to automatically upgrade any remaining HTTP resources to HTTPS, also enable Automatic HTTPS Rewrites under SSL/TLS → Edge Certificates. This rewrites HTTP links in your HTML before the browser sees them.
Step 8: Add the upgrade-insecure-requests Header (Optional Safety Net)
This is an advanced step that most beginners will not need, but it is worth knowing about. You can add a Content Security Policy (CSP) header that tells browsers to automatically upgrade any HTTP requests to HTTPS before loading them.
Add this to your .htaccess file:
Header always set Content-Security-Policy "upgrade-insecure-requests"This will not fix URLs stored in your database — those still need to be corrected. But it acts as a fallback for any stragglers that get missed, by telling the browser to attempt the HTTPS version of any resource before blocking it.
You can also add this as a meta tag inside the <head> section of your theme, using the wp_head hook, if you prefer not to edit .htaccess:
<meta http-equiv="Content-Security-Policy" content="upgrade-insecure-requests">Why the Warning Persists After Fixing Everything
This is the part that trips people up most. You run the search-replace, update the settings, install the plugin — and the warning is still there. Here is what to check.
You Did Not Clear the Cache
If you are using LiteSpeed Cache on Hostinger (which you likely are), the cached version of your pages still contain the old HTTP URLs. Go to LiteSpeed Cache → Manage → Purge All. Then test the page again.
Also clear your browser cache, or better — open a completely new incognito window and test from there. An incognito window will not use any locally cached version of the page.
Your WordPress Address Is Still HTTP
Go back to Settings → General and confirm both URLs start with https://. This is easy to miss.
An External Resource Is Loading Over HTTP
If the insecure resource is hosted on a third-party domain (not your own), you cannot fix it with a database search-replace. You need to either update the embed code manually (for example, change http://maps.google.com to https://maps.google.com), or remove the embed.
A Plugin Is Still Loading HTTP Assets
Go back to the browser console (F12 → Console) and check the URL of the remaining insecure resource. If it is a plugin file, the only options are to update the plugin (newer versions usually fix this), contact the plugin developer, or replace the plugin.
Antivirus or System Clock Issue
This one is rare but worth knowing: some antivirus programs inspect HTTPS traffic by installing their own certificate. When that certificate is outdated or misconfigured, it triggers SSL warnings that look like mixed content. If the warning only appears on your computer but not on others, check your antivirus settings.
Similarly, if your computer’s system clock is significantly off, browsers cannot validate SSL certificates correctly, which causes false security warnings. Check your system time and make sure it is synced correctly.
How to Stop Mixed Content from Coming Back
Once fixed, you want to keep it that way. A few habits make a big difference:
- Always use https:// when adding external links or embeds. When embedding a YouTube video, a map, or a third-party script, get the HTTPS version of the embed code.
- Use WordPress functions in your theme instead of hardcoded URLs. Functions like
home_url(),get_template_directory_uri(), andget_stylesheet_uri()adapt to your protocol automatically. If you ever move to HTTPS or change your domain, they update with it. - Run a scan monthly. Use Why No Padlock or the browser console to check your homepage and any pages you recently updated. Catching one rogue HTTP link early is much easier than discovering it weeks later.
- Check new plugins before you commit to them. A quick look at the browser console after installing a new plugin tells you immediately if it loads anything insecurely.
Does Mixed Content Affect SEO?
Yes, though indirectly. Google uses HTTPS as a ranking signal. A site with a valid SSL certificate and no mixed content warnings is treated as fully secure. A site with mixed content warnings is not — the padlock disappears, and in some cases browsers show “Not Secure” in the address bar.
When visitors see that warning, they leave. A higher bounce rate and fewer pages viewed signals to Google that your site is not providing a good experience, which feeds back into rankings over time.
More directly: if active mixed content causes your scripts or stylesheets to be blocked, your site may look broken to some visitors. A broken-looking site does not rank well, regardless of what your SEO plugin says.
Fix mixed content as soon as you notice it. It is one of those technical issues that compounds quietly if you leave it alone.
Related Reading
Frequently Asked Questions
What is a mixed content warning in WordPress?
It means your site loads over HTTPS, but at least one resource — an image, script, stylesheet, or embed — still loads over plain HTTP. Browsers flag this because the insecure resource could be intercepted or tampered with.
Does having an SSL certificate stop mixed content warnings?
No. Your SSL certificate secures the connection between the browser and your server, but it does not change URLs that are already stored in your database. Old HTTP links stay as HTTP until you update them.
Is mixed content a security risk?
Active mixed content (JavaScript and CSS) is a real security risk because it can be intercepted and manipulated in transit. Passive mixed content (images) is a lower risk but still removes the security indicator from your browser.
Can I fix mixed content without a plugin?
Yes. You can update your WordPress URL settings in Settings → General, do a database search-replace using Better Search Replace, and add a redirect in your .htaccess file. You do not need a dedicated SSL plugin to fix this.
Why does mixed content only appear on some pages?
Because the HTTP resources are specific to those pages — usually images or embeds that were added before you switched to HTTPS. Use the browser console on those specific pages to find the exact URLs causing the warning.
I fixed everything but the padlock is still missing. What now?
Clear all caches first — your caching plugin, LiteSpeed Cache, and your browser. Then test in a new incognito window. If it still shows, open the browser console on that page and reload — it will tell you exactly what resource is still loading over HTTP.
Still Seeing the Warning?
If you have worked through every step above and the warning is still there, the insecure resource is either coming from a third-party embed you cannot control, or it is buried in a plugin or theme file that needs to be updated or replaced.
Use the browser console to get the exact URL of the offending resource, then trace it back to where it is being loaded. That will tell you whether it is a post, a plugin, a theme file, or something external.
For more WordPress troubleshooting help, start with the Common WordPress Errors guide. And if you are working through a full HTTPS migration, the Technical SEO Audit Checklist covers the SEO side of switching from HTTP to HTTPS.
