After you turn on SSL, your site should load with a padlock and https://. If it still shows "Not Secure" or the padlock has a warning, the usual cause is mixed content — some parts of the page still loading over insecure http://. This article explains how to find and fix it.
What "mixed content" means
When your page loads over secure https:// but some of its elements — images, scripts, stylesheets — still load over insecure http://, the browser flags the whole page as not fully secure. That mixed connection is "mixed content," and it is the most common reason a site with a valid certificate still shows a warning.
Before troubleshooting mixed content, confirm your certificate itself is active. See Your Free SSL Certificate (AutoSSL).
Before you begin
- An active SSL certificate on your domain.
- Access to your site's admin area (for example, the WordPress dashboard).
- A current backup, before changing site settings.
Step 1: Confirm the certificate is valid
- Visit your site at https://yourdomain.com.
- Select the padlock (or the "Not Secure" label) in the address bar.
- If it reports the certificate is missing or invalid — rather than mixed content — that is a certificate issue, not mixed content. See Renewing & Troubleshooting Your SSL Certificate.
Step 2: Identify the insecure elements
Your browser's developer tools list exactly what is loading insecurely.
- Open your browser's developer tools (usually the F12 key or right-click and choose Inspect).
- Open the Console tab.
- Reload the page and look for mixed content warnings — each one names a resource still loading over http://.
Tip: Note whether the insecure items are your own files (images, theme files) or come from another website. The fix differs slightly for each.
Step 3: Update your site to use HTTPS
For WordPress
- Go to Settings > General and make sure both WordPress Address (URL) and Site Address (URL) start with https://.
- Use a reputable plugin to find and replace remaining http:// links to your own domain with https://, or to handle mixed content automatically.
For other sites
- Edit your page code so links to your own resources use https:// (or protocol-relative //).
- Re-upload any pages you changed.
Warning: Update database URLs with a search-and-replace tool that handles serialized data (or a trusted plugin). Editing the database by hand can break WordPress settings. Back up first.
Step 4: Handle external resources
If the insecure item comes from another site:
- Switch to the https:// version of that resource if it offers one.
- Replace or remove the resource if it has no secure version.
Step 5: Clear caches and re-check
- Clear any caching plugin and your browser cache.
- Reload the page and confirm the padlock now appears with no warning.
- Re-check the developer console to confirm the mixed-content warnings are gone.
Next steps
- Certificate problem instead? See Renewing & Troubleshooting Your SSL Certificate.
- Review your free SSL. See Your Free SSL Certificate (AutoSSL).
Questions? Contact Exact Hosting Support.
Was this article helpful? If not please submit a request here
How helpful was this article?
Thanks for your feedback!