Insecure and Mixed Content Warnings

If you’ve recently added an SSL certificate you may expect to see a secured padlock symbol in the URL bar when visiting your site. However, in some cases you can run into an issue called “mixed content”, “insecure content” or show scripts have been blocked. These issues mean that the site is being requested over secured URL, but some individual assets on the page aren’t being loaded securely over an SSL.


About Mixed Content

A common example of mixed content would be when an image is loaded as insecure (http://mydomain.com/image.jpg), but the page was requested with SSL (https://mydomain.com). This can have one of two effects on your site:

  • The secured padlock symbol does not appear, or is broken
  • The secured padlock symbol does appear, but an image or resource does not

You can confirm if your site is being affected by mixed content errors by checking the Inspect Element console. You will see yellow warnings if the insecure content is causing the padlock to not show, and red warnings if the content has been blocked from displaying because it is insecure.

  • In most browsers right-click or ctrl-click anywhere on your page and choose Inspect.
  • Click on the Console tab. If your browser has flagged anything as insecure it will show here.

You can also use tools like Why No Padlock to help identify which content is not loaded over HTTPS or if there are any issues with your SSL.


Resolving Mixed Content Errors

To resolve the errors and show a fully secured site, you will need to change HTTP to HTTPS on all assets.

  1. Verify there is a valid SSL installed by clicking on the padlock icon.
    • Check the date to confirm the certificate is not expired
    • The domain should match the URL shown in your address bar
  2. Configure the page to force HTTPS requests:
    • Open the SSL page from your User Portal
      1. Click the environment name
      2. Click SSL
    • Secure All URLs — Each page loads over HTTPS by default. Do not use plugin settings to force HTTPS with this option or you will receive a redirect loop error.
    • Secure Specific URLsSpecified pages load over HTTPS by default. Verify the page you are testing is secured.
  3. Change your site’s URL in the Settings > General page of your WordPress Admin Dashboard from HTTP to HTTPS.
  4. Purge the server caches within the WP Engine plugin tab.


Additional Steps

If this has not resolved the issue, it means your site has some URLs hardcoded into the database or files. There are several methods to approach resolving this.

NOTE: Make a backup of your website before modifying content.

  1. Search your database for insecurely referenced assets and replace them with a secured version.

NOTE: Be sure to replace with the correct www or non-www version of your domain. This should match what is set as your Primary Domain.

  1. Insecure Content Fixer plugin
  2. HTML Post-Processing rule
  3. Purge server caches.
    • You can do this from your WordPress Admin Dashboard, under the WP Engine tab.
  4. Open the page in an incognito window, to help bypass local caching.
    • With the page open, Press Ctrl + Shift + N (Windows, Linux, and Chrome OS) or ⌘ + Shift + N (Mac).

NOTE: Incognito browser sessions still carry cache for the duration of the session. Start a new incognito session for each test.

  1. Review your theme and plugin files.
    • Check plugin or theme code in the WordPress Admin Dashboard, or over SFTP to see if there are any URLs which are hardcoded as HTTP in the files themselves.


SSL and CDN

If your site is using our included CDN there are a few caveats to keep in mind.

  • WP Engine CDN zones have two different domains for HTTP and HTTPS connections.
    • Insecure (default): http://ZONEID.wpengine.netdna-cdn.com
    • Secure: https://ZONEID-wpengine.netdna-ssl.com
  • If you need to find the CDN URL for your site:
    1. After enabling CDN right-click or ctrl-click a page on your site and select View Page Source
    2. Search the source code for your site for a URL like the following example. Your Zone ID is the characters at the beginning of this path.
    3. CDN zone strings are different for every environment.
  • You may need to request our Support team enable SSL on your CDN zone.
    • NOTE: If you are using your own custom CDN domain (EX: cdn.yourdomain.com) you must provide our Support team with an SSL certificate and key file to secure that domain on the CDN server. Let’s Encrypt SSLs cannot be used on custom CDN domains.
  • Are you using a minification plugin and using a CDN? (EX: Autoptimize or WP Rocket)
    • Review the plugin settings and be sure to fill in the secured CDN URL.

NEXT STEP: Test your spite speed with WP Engine’s Page Performance

Enterprise-grade security and performance for all

Global Edge Security provides a managed web application firewall (WAF), advanced DDOS mitigation, CDN, and automatic SSL installation all powered by Cloudflare.