To fix mixed content, find every resource loaded over http:// on your HTTPS pages (images, scripts, styles, fonts) and change them to https:// or protocol-relative URLs. Update the database for CMS sites, then re-scan. Browsers block or downgrade mixed content, so this restores the padlock.
Mixed content happens when an HTTPS page loads some resources over insecure HTTP. Browsers warn about or block these, weakening security and breaking the padlock. The fix is to serve every resource over HTTPS. This guide covers how, including bulk-fixing CMS databases.
Check your website
See how your site handles how to fix mixed content warnings — free, no account needed.
Business impact
Mixed content warnings tell visitors your "secure" page is not fully secure, undermining exactly the trust HTTPS is meant to create. Blocked resources can also break layout and functionality. Fixing it restores a clean padlock and a professional, trustworthy experience.
Why this happens
Mixed content usually appears after migrating from HTTP to HTTPS, when old hard-coded http:// URLs remain in content, themes, or the database. Other causes: third-party embeds served over HTTP, hard-coded asset URLs in templates, and plugins that output insecure links. Active mixed content (scripts) is blocked outright; passive (images) may load with a warning.
How to confirm the issue
Manually: open the page, check the browser console for "Mixed Content" warnings, and look for a broken/again padlock. DevTools lists each insecure request.
With Plexa Trust: run a scan for the mixed-content / HTTPS findings and re-scan after fixing.
Step-by-step fix
Identify insecure resources via the browser console's mixed-content warnings.
Update hard-coded
http://URLs tohttps://in templates and content.For CMS sites, run a database search-replace from http:// to https:// (back up first).
Replace or remove third-party resources that do not support HTTPS.
Optionally add a CSP
upgrade-insecure-requestsdirective as a safety net.Re-scan and confirm the padlock is clean.
Platform-specific fixes
WordPress
Back up your database.
Use a search-replace plugin (e.g. Better Search Replace) to change http://yourdomain to https://yourdomain.
Or use Really Simple SSL to auto-fix mixed content.
Clear caches and re-check.
Cloudflare
SSL/TLS → Edge Certificates → enable Automatic HTTPS Rewrites.
This rewrites eligible http:// resource links to https:// on the fly.
Shopify / Wix / Squarespace
These host HTTPS automatically; mixed content usually comes from embedded HTTP code blocks.
Edit custom embeds/widgets to use https:// URLs.
Apache / Nginx
Add a CSP directive as a safety net:
Send header
Content-Security-Policy: upgrade-insecure-requeststo auto-upgrade requests.Still fix the underlying hard-coded URLs — this is a backstop, not a cure.
How to verify the fix
Fix the source URLs, using upgrade-insecure-requests only as a safety net.
Always back up before a database search-replace.
Re-scan with Plexa Trust to confirm no insecure resources remain.
Common mistakes
Relying only on upgrade-insecure-requests without fixing hard-coded URLs.
Forgetting to update the CMS database, not just the theme.
Leaving HTTP-only third-party embeds in place.
Frequently asked questions
What is mixed content?
When a page served over HTTPS loads some resources over insecure HTTP. Browsers warn about or block these, undermining security.
Why is my padlock broken after moving to HTTPS?
Almost always mixed content — old http:// URLs still in your content, theme or database. Update them to https://.
What is the difference between active and passive mixed content?
Active (scripts, iframes) is blocked because it can alter the page; passive (images, media) may load with a warning. Fix both.
How do I fix it across a whole WordPress site?
Back up, then run a database search-replace from http://yourdomain to https://yourdomain, or use a plugin like Really Simple SSL.
What does upgrade-insecure-requests do?
A CSP directive that tells browsers to load http:// resources over https:// automatically. Use it as a safety net, not a substitute for fixing URLs.
What if a third-party resource has no HTTPS version?
Replace it with an HTTPS-capable alternative or host the asset yourself over HTTPS.
Does mixed content affect SEO?
It weakens the security signal and can break pages, which indirectly affects trust and rankings. A clean HTTPS setup is best.
How do I confirm it is fixed?
Re-scan with Plexa Trust and check the browser console shows no mixed-content warnings and the padlock is clean.
Think you've fixed it?
Run a free scan to verify the issue is resolved. Upgrade to Pro on Plexa Trust for the full audit, monitoring alerts, and score history.
Verify with a free scan