Running your WordPress site overย HTTPS isย no longer optional.ย ๐ Not only is it more secure (everything is encrypted, nothing passed in plain text), but it also builds trust, is an SEO ranking factor, and provides more accurate referral data. Performance issues tied to encryption have been fixed for the most part thanks toย HTTP/2ย and Letโs Encrypt has changed the entire industry by providing you with an easy way to get free SSL certificates.
(Suggested reading: if youโre using legacy TLS versions, you might want to fixย ERR_SSL_OBSOLETE_VERSION Notificationsย in Chrome).
We have an in-depth guide on how to migrate fromย HTTP to HTTPS, andย a very common problem website owners encounter afterward is โmixed content warnings.โ Today weโll show you a few different ways you can fix these on your WordPress site.
- What is a Mixed Content Warning?
- What Causes Mixed Content Warnings?
- How to Fix Mixed Content Warnings
What is a Mixed Content Warning?
A mixed content warning appears in a userโs browser when the WordPress site is loading both HTTPS and HTTP scripts or content at the same time. You canโt load both as they are completely separate protocols. When you migrate to HTTPS,ย everything needs to be running over HTTPS.
Wired actually documented theirย transition from HTTP to HTTPSย and a mixed content warning snag they ran into:
โ[โฆ] one of the biggest challenges of moving to HTTPS is preparing all of our content to be delivered over secure connections. If a page is loaded over HTTPS, all other assets (like images and Javascript files) must also be loaded over HTTPS. We are seeing a high volume of reports of these โmixed contentโ issues, or events in which an insecure, HTTP asset is loaded in the context of a secure, HTTPS page. To do our rollout right, we need to ensure that we have fewer mixed content issuesโthat we are delivering as much of WIRED.comโs content as securely possible.โ
Below are some examples of what happens in the browsers if you donโt fix these warnings.
Chromeย Mixed Content Warning Example
Here is an example of what happens in Chrome when a mixed content warning fires on a WordPress site. According toย NetMarketShare, Chrome currently leads in the pack in terms of browser market share, being used by over 60% of the web. So the following warning is most likely what most of your visitors would see.
Chrome mixed content warning
Firefox Mixed Content Warning Example
Here is an example of what happens in Firefoxย when a mixed content warning fires on a WordPress site.
Firefox mixed content warning
Microsoft Edge Mixed Content Warning Example
Here is an example of what happens in Microsoftโs Edge browser when a mixed content warning fires on a WordPress site.
Microsoft Edge mixed content warning
Internet Explorer Mixed Content Warning Example
Here is an example of what happens in Internet Explorerย when a mixed content warning fires. As you can see, IE is probably one of the worst because it actually breaks the rendering of the page until the popup is clicked. Thankfully, Internet Explorer doesnโt hold that much of the browser market share anymore.
Internet Explorer mixed content warning
What Causes Mixed Content Warnings?
Weโve found that the most common time mixed content warnings appear is right after someone migrates their WordPress site from HTTP to HTTPS. HTTP links simply get carried over and this causesย mixed content warnings to start firing. Another reason could be that you just added a new service or plugin.
- Plugin developers sometimes use absolute paths (
http://yourdomain.com/style.css) in their plugins or themes to link to CSS and JavaScript instead of using relative paths (/style.css). - Images have hardcoded URLs (
http://yourdomain.com/image.png) that point to HTTP. These could be within a post, page, or even a widget. - Your linking to HTTP versions of external scripts. (Hosted jQuery, Font Awesome, etc.)
- You have embedded video scripts usingย HTTP instead of HTTPS.
How to Fix Mixed Content Warnings
Follow the simple steps below to fix your WordPress mixed content warnings. This assumes you have already done the following:
- Installed an SSL certificate
- Redirected HTTP to HTTPSย (sitewide)
Weโll be using our development site (wpdev.ink) in the examples.
Step 1
The first thing you need to do is find out which resources are still loading over HTTP. Browse to the page where itโs happening and launchย Chrome DevTools. Remember, it might only be happening in certain areas of your site, not globally.
- Windows:ย F12 or CTRL + Shift + I
- ย MAC:ย Cmdย +ย Optย +ย I)
You can also open Chrome DevTools from the tools menu.
Launch Chrome DevTools
Step 2
There are are a couple places you can check which resources arenโt loading over HTTPS. The first is the โConsoleโ tab. Note: You might need to refresh the page after you have Chrome DevTools open for it to properly load everything.
Below we can easily see that there is an insecure image being linked to an HTTP version of the site and a link pointed to an HTTP hosted version of jQuery.
You can also look in the โSecurityโ tab. It will show you the non-secure origins and you can click to โView the request in the network panel.โย Note: You might need to refresh the page after you have Chrome DevTools open for it to properly load everything.
Chrome DevTools security
And last but not least, you can view the requests in the โNetworkโ tab.ย Note: You might need to refresh the page after you have Chrome DevTools open for it to properly load everything.
Chrome DevTools network
If you arenโt using Chrome, or just want a quick summary of the errors, you can also use a free tool likeย Why No Padlock. It scans an individual page and shows you all of the insecure resources.
Why No Padlock?
Checking HTTPS Warnings in Bulk
If youโre worried about the rest of your site you might want to check it in bulk. Here are some recommended options.
- There is a free little tool calledย SSL Checkย from JitBit which you can use to crawl yourย HTTPSย WordPress site and search for insecure images and scripts that will trigger a warning message in browsers. The number of pages crawled is limited to 200 per website.
- Theย Ahrefs audit toolย now has the ability to detect HTTPS/HTTP mixed content. If you already have access to this, or someone on your marketing team does, this can be a great way to be thorough.
- HTTPS Checkerย is desktop software you can install that will scan your site.ย It can help you check for โnot secureโ warnings and content after big changes. It is available on Windows, Mac, and Ubuntu. The free planย allows you to check up to 100 pages.
Step 3
The next step is confirming that those resources loading over HTTP are accessible over HTTPS. They most likely are, you just need to update the links. If our example above weโll use theย insecure image and hosted jQuery.
http://wpdev.ink/wp-content/uploads/2018/06/website-never-done.jpghttp://ajax.googleapis.com/ajax/libs/jquery/3.3.1/jquery.min.js
If we take both of those URLs, input them into our browserโs address bar, and append HTTPS on the beginning, we can see that they load just fine. Therefore we simply need to proceed to do a search and replace on our site.
Alternatively, you can also do a search and replace with theย interconnect/it Search Replace DB PHP Scriptย orย WP-CLI.
Step 4
After you finish doing the search and replace youโll want toย double check your siteย to confirm the mixed content warnings are gone. We recommend just visiting your site and clicking around on a few pages while looking at the browser status indicator up in the address bar.
On our site, we can see that the insecure image is now fixed, but the hosted jQuery warning still remains. The reason is that we ran a search and replace on resources loading from our own domain. This is an external script which has to be manually updated.
Mixed content warning
In this case, the script had been manually added in our WordPress header (header.php). The script should be using a relative URL, so we updated it to:ย //ajax.googleapis.com/ajax/libs/jquery/3.3.1/jquery.min.js
HTTP external script
For most of you, the search and replace will most likely fix all of your issues. Itโs really own those of you that have hardcoded something on your WordPress site that might run into additional issues. If you think there is an external script hardcoded in one of your plugins or theme, and youโre having trouble tracking it down, feel free to reach out to the developer for assistance.
Chrome No Mixed Content Warnings Example
Here is an example of what happens in Chrome when everything is loading correctly over HTTPS with no mixed content warnings.
Chrome no mixed content warnings
Firefox No Mixed Content Warnings Example
Here is an example of what happens in Firefox when everything is loading correctly over HTTPS with no mixed content warnings.
Firefox no mixed content warnings
Microsoft Edge No Mixed Content Warnings Example
Here is an example of what happens in Microsoft Edge when everything is loading correctly over HTTPS with no mixed content warnings.
Microsoft Edge no mixed content warnings
What About HSTS?
Some of you might be wondering why you canโt simply useย HSTSย (HTTP Strict Transport Security) fix this. HSTS was created as a way to force the browser to use secure connections when a site is running over HTTPS. Itโs a security header in which you add to your web server and is reflected in the response header as Strict-Transport-Security.
HSTS isnโt a quick fix for all mixed content warnings.ย HSTS merely handles redirects whereas the mixed content warning is a feature of the browser itself. You also donโt have control over third-party sites enabling HSTS. Therefore you need to always updateย http://ย URLs.
Credits: Kinsta
