A mixed content warning appears when an HTTPS page loads images, scripts, or stylesheets over unencrypted HTTP. The browser considers this a security risk.
When you move your site from HTTP to HTTPS, some resources may still use http:// URLs. This happens with images embedded in old content, external scripts, font files, or third-party widgets. The page itself loads securely, but parts of it do not.
Browsers detect this mismatch and either block the insecure resources (modern browsers block scripts and stylesheets by default) or display a warning in the address bar and developer console.
Active mixed content includes scripts, iframes, stylesheets, and fonts. Browsers block these by default because they can modify the page: an attacker who can tamper with the unencrypted HTTP response could inject malicious JavaScript into an otherwise secure page.
Passive mixed content includes images, videos, and audio. Browsers load these but mark the page as less secure. The padlock icon changes to a warning triangle.
Open your browser's developer tools (F12), go to the Console tab, and look for messages like "Mixed Content: The page was loaded over HTTPS but requested an insecure image." Each message includes the exact URL of the offending resource.
You can also use free tools like Why No Padlock (whynopadlock.com) or JitBit's SSL Checker to scan your entire site.
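For static source files, the same check can be scripted. The following is an added example, not part of the original article or any tool it names: it scans HTML for hardcoded http:// subresources and labels each one active or passive using the categories above. The tag list is an illustrative subset, and the sample page and its example.com/example.org hosts are constructed.

```python
from html.parser import HTMLParser

# Tag/attribute pairs that fetch a subresource, grouped by the article's two
# categories. Illustrative subset; fonts and CSS url() references live in
# stylesheets and are not covered by this HTML-only scan.
ACTIVE = {"script": "src", "iframe": "src", "link": "href"}
PASSIVE = {"img": "src", "video": "src", "audio": "src", "source": "src"}


class MixedContentFinder(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []  # (category, tag, url, line number)

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "link" and "stylesheet" not in (attrs.get("rel") or "").lower():
            return  # canonical/alternate links are not fetched as subresources
        for category, table in (("active", ACTIVE), ("passive", PASSIVE)):
            url = (attrs.get(table.get(tag, "")) or "").strip()
            # Only explicit http:// is insecure on an HTTPS page; https:// and
            # protocol-relative // URLs are requested over TLS.
            if url.lower().startswith("http://"):
                self.findings.append((category, tag, url, self.getpos()[0]))


def find_mixed_content(html):
    finder = MixedContentFinder()
    finder.feed(html)
    finder.close()
    return finder.findings


# Constructed sample page (example.com/example.org hosts are placeholders).
SAMPLE = """<html><head>
<link rel="canonical" href="http://example.com/post">
<link rel="stylesheet" href="http://example.com/theme.css">
<script src="HTTP://cdn.example.org/widget.js"></script>
<script src="//cdn.example.org/ok.js"></script>
</head><body>
<a href="http://example.com/old">old link</a>
<img src="http://example.com/photo.jpg" alt="">
<img src="https://example.com/safe.png" alt="">
</body></html>"""

if __name__ == "__main__":
    for category, tag, url, line in find_mixed_content(SAMPLE):
        print(f"line {line}: {category:7} <{tag}> {url}")
```

Ordinary `<a href>` links and the canonical `<link>` are skipped because navigating to an HTTP page is not mixed content; only resources fetched into the HTTPS page are reported.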
The fix is straightforward: change http:// to https:// in every hardcoded resource URL. If the external resource does not support HTTPS, find an alternative provider. Most CDNs, font services, and analytics platforms support HTTPS natively.
For WordPress sites, plugins like Better Search Replace can bulk-update URLs in your database. For static sites, a find-and-replace across your source files resolves the issue.
Using protocol-relative URLs (starting with // instead of http:// or https://) lets the browser match the page's protocol automatically, so on an HTTPS page the resource is requested over HTTPS. This is a good practice for any embedded resource.