So you did the right thing. You got that shiny SSL certificateEncrypts data between a user's browser and the server, indic... More, forced HTTPS, and your WordPress site now has the reassuring padlock in the browser bar. Or does it?

Instead, you see a grim “Not Secure” warning, or a broken padlock. In your console, a flood of red errors shouts about “Mixed Content.” Your scripts fail, your styles break, and your images won’t load. Panic sets in.

Breathe. This is a rite of passage. Mixed content warnings happen to nearly everyone after an HTTPS migration. It means your site is trying to load securely, but some elements—images, scripts, stylesheets—are still being called over the old, insecure HTTP protocol. Browsers block these elements to protect users, breaking your site.

This isn’t a disaster. It’s a cleanup job. Here’s your complete, step-by-step eradication guide.

Phase 1: The Diagnosis – Find the Culprits

You can’t fix what you can’t see. We need to locate every insecure request.

The Browser Console Method (Fast & Direct):

1. Go to your broken pageStatic content (e.g., "About Us," "Contact") not part of chr... More.
2. Open Developer Tools: Right-click, select “Inspect,” or press F12.
3. Click the “Console” tab. You will see a list of errors. Any that mention “blocked mixed content” or “HTTP” are your targets. Note the file URLs (e.g., http://yourdomain.com/wp-content/plugins/old-plugin/js/script.js).

The Online Scanner Method (Comprehensive):

Go to whynopadlock.com. Enter your URL. It will crawl your site and produce a detailed report of every insecure resource. This is your hit list.

Phase 2: The Fix – Four Attack Vectors, One Goal

The goal is simple: change http:// to https:// for every resource. How you do it depends on where the bad link is hardcoded.

1. Update Your WordPress Address (The Critical First Step)

This seems obvious, but it’s often missed. Log into your WordPress dashboardThe dashboard, or admin panel, is the backend interface wher... More (you may need to use the HTTPS URL directly if the site is broken).
Go to Settings > General. Ensure both the WordPress Address (URL) and Site Address (URL) begin with https://. Save. This is the cornerstone.

2. Run a Search & Replace in the DatabaseWhere all WordPress content, settings, and user data are sto... More (The Nuclear Option)

This is the most effective step. The old HTTP links are stored in your database—in posts, pages, themeTheme A collection of files that determine a site's design, ... More options, and widgetA small block that adds specific content/functionality to wi... More content.

WARNING: Always, always backupA copy of your WordPress site's files and database, saved to... More your databaseWhere all WordPress content, settings, and user data are sto... More first. Use your hosting control panel, a pluginSoftware that adds specific features or functionality to a W... More like UpdraftPlus, or ask your host to do it.

The Professional’s Tool: WP-CLI
If you have command-line access, this one command often solves it:

bash

wp search-replace 'http://yourdomain.com' 'https://yourdomain.com' --all-tables --precise

The Reliable PluginSoftware that adds specific features or functionality to a W... More: Better Search Replace
For most users, this pluginSoftware that adds specific features or functionality to a W... More is the safest path.

1. Install and activate Better Search Replace.
2. Go to Tools > Better Search Replace.
3. In the “Search for” field, enter your old address: http://yourdomain.com
4. In the “Replace with” field, enter your new address: https://yourdomain.com
5. Select all tables from the list.
6. Check the box for “Run as dry run?” first. This shows you what will be changed without doing it.
7. Review the dry run. If it looks correct, uncheck “dry run” and run it again.

3. Force HTTPS with .htaccess (The Enforcer)

Sometimes, third-party scripts or poorly coded themes/plugins still try to load via HTTP. You can force their hand by adding this to your .htaccess file (above the # BEGIN WordPress line):

apache

<IfModule mod_rewrite.c>
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule ^(.*)$ https://%{HTTP_HOST}/$1 [R=301,L]
</IfModule>

This does a 301 permanent redirect from HTTP to HTTPS for all requests. It’s a powerful catch-all.

4. Tackle Stubborn PluginSoftware that adds specific features or functionality to a W... More & ThemeTheme A collection of files that determine a site's design, ... More Files

After the above steps, use your scanner again. If specific files from a pluginSoftware that adds specific features or functionality to a W... More or themeTheme A collection of files that determine a site's design, ... More are still causing errors, the developer may have hardcoded HTTP URLs.

1. Update Everything: Ensure all plugins and your themeTheme A collection of files that determine a site's design, ... More are updated. Developers often add HTTPS support in newer versions.
2. Contact Support: Report the issue to the themeTheme A collection of files that determine a site's design, ... More/plugin developer with the exact error. A good developer will provide a fix.
3. The Last Resort (For Developers): If you’re comfortable with code, you can sometimes fix it by enqueuing scripts properly in a child theme’s functions.php file, forcing the HTTPS version.

Phase 3: Verification & The Final Hardening

1. Clear All Caches: Your browser cache, your WordPress caching pluginSoftware that adds specific features or functionality to a W... More (like W3 Total Cache, WP Rocket), and your server or CDN cache (like Cloudflare). Caches love to hold onto the old HTTP versions.
2. Check Every PageStatic content (e.g., "About Us," "Contact") not part of chr... More Type: Don’t just check the homepage. Visit a blog postDynamic, time-based content (e.g., blog entries) displayed i... More, a pageStatic content (e.g., "About Us," "Contact") not part of chr... More, the shop, the contact form. Test in an incognito window.
3. Implement HSTS (Advanced): Once you’re 100% sure everything works on HTTPS, consider adding an HSTS headerThe top section of a website, usually containing the logo, n... More. This tells browsers to only use HTTPS for your site for a long time, preventing protocol downgrade attacks. You can often add this in your hosting control panel or via .htaccess (with caution).
4. Update External Services: Change your site URL in Google Search Console, Google Analytics, and any other external tools that ping your site.

The One-Week Monitoring Period

Consider the site “fragile” for a week after this fix. Monitor your console for any new errors. Sometimes, lazy-loaded images or dynamically loaded content from sliders will reveal hidden culprits.

Mixed content isn’t a sign you did something wrong. It’s the inevitable debris left behind after moving your entire site to a new, more secure foundation. This guide is your cleanup crew. Follow it methodically, and that padlock will turn green for good.