Fixing Mixed Content Warnings After Enabling HTTPS
Once you enable HTTPS on your site, you may notice the browser padlock shows a warning, or disappears entirely, even though SSL is active. This is called a mixed content error, and it means some resources on your page are still being loaded over plain HTTP.
What is mixed content?
A mixed content error occurs when an HTTPS page tries to load a resource (image, script, stylesheet, font, iframe) from an HTTP address. Browsers block or warn about these requests because they represent a security gap: the page is encrypted but one of its components is not.
Active mixed content (scripts, stylesheets) is blocked by most browsers outright. Passive mixed content (images, video) may load but the browser removes the padlock.
Why does this happen after enabling SSL?
Your database still contains URLs that were saved when the site ran over HTTP. This is very common for WordPress sites migrated from another host, or sites that operated on HTTP for a period before SSL was added. The URLs are stored in:
- Post content and excerpts
- Theme settings and customiser data
- Widget content
- Plugin settings
- Media attachment URLs in the database
Simply enabling SSL does not update these stored URLs. You need to do a search-and-replace across the database.
How to fix it
Option 1 -- WP-CLI search-replace (recommended)
If your plan includes SSH access, this is the fastest and most thorough method. Connect via SSH and run:
wp search-replace 'http://yourdomain.com' 'https://yourdomain.com' --all-tables
Replace yourdomain.com with your actual domain. The --all-tables flag makes the command search every table in the database, not only the tables WordPress registers, and WP-CLI handles serialised option values as part of the replacement.
Run a dry-run first to preview what will change:
wp search-replace 'http://yourdomain.com' 'https://yourdomain.com' --all-tables --dry-run
After running the replacement, flush the WordPress cache:
wp cache flush
See the Using WP-CLI on your WordPress site article for instructions on connecting via SSH.
Option 2 -- Better Search Replace plugin
If you do not have SSH access, install the free Better Search Replace plugin from the WordPress plugin directory:
- In wp-admin, go to Plugins > Add New and search for "Better Search Replace".
- Install and activate it.
- Go to Tools > Better Search Replace.
- In Search for, enter: http://yourdomain.com
- In Replace with, enter: https://yourdomain.com
- Select all tables (click the first table, then Shift-click the last).
- Leave Run as dry run ticked first and click Run Search / Replace to preview.
- Once you are satisfied, untick dry run and run it again to apply the changes.
Option 3 -- Force HTTPS in KPanel site settings
KPanel can redirect all HTTP traffic to HTTPS at the server level. Open your site in KPanel, click Settings, and look for the Force HTTPS toggle. Enable it and save.
This handles redirects but does not fix database URLs already stored as http://. Use Options 1 or 2 for those.
Common sources of mixed content
Theme and plugin hardcoded URLs
Some older themes and plugins hardcode http:// URLs in their templates or option values. After running the database search-replace, check your theme customiser settings and any plugin settings panels that store URLs.
Old media attachments
WordPress stores the full URL of each uploaded file in the database. A search-replace across all tables (using --all-tables in WP-CLI or selecting all tables in Better Search Replace) will update these.
Inline styles or content with absolute URLs
Some page builder content contains absolute http:// image URLs typed directly into content fields. The search-replace will catch most of these, but inspect the browser console for any remaining ones.
External resources
If mixed content warnings remain after the database replacement, the issue may be a resource loaded from a third-party domain that does not support HTTPS. Check the browser console for the specific URL causing the warning, then find the plugin or theme section that references it.
How to check if the issue is resolved
Browser padlock: After clearing your cache and reloading the page, the padlock in the address bar should appear solid and green/locked. If it shows a warning triangle, mixed content remains.
Browser console: Open your browser's Developer Tools (F12), go to the Console tab, and reload the page. Mixed content errors show as warnings or errors with the word "Mixed Content" and the URL of the offending resource.
Online tools: Services like Why No Padlock will scan a URL and list every mixed content item found.
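As a scripted complement to the checks above, the following added example (not part of the original article or of any KPanel tooling) scans a page's HTML for http:// subresources and labels each one active or passive, using the same split described under "What is mixed content?". The names MixedContentFinder and find_mixed_content and the sample markup are assumptions made for illustration.

```python
from html.parser import HTMLParser

# Split follows the article: active content is blocked outright, passive
# content may load but costs the page its padlock.
ACTIVE = {"script": "src", "iframe": "src"}
PASSIVE = {"img": "src", "video": "src", "audio": "src", "source": "src"}

class MixedContentFinder(HTMLParser):
    """Collect http:// subresources referenced by a page served over HTTPS."""
    def __init__(self):
        super().__init__()
        self.findings = []  # (kind, tag, url) tuples

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "link":
            # Only stylesheet links fetch a subresource; rel=canonical does not.
            if "stylesheet" in a.get("rel", "").lower().split():
                self._check("active", tag, a.get("href", ""))
        elif tag in ACTIVE:
            self._check("active", tag, a.get(ACTIVE[tag], ""))
        elif tag in PASSIVE:
            self._check("passive", tag, a.get(PASSIVE[tag], ""))
        # <a href="http://..."> is navigation, not a subresource, so it is ignored.

    def _check(self, kind, tag, url):
        url = url.strip()
        if url.lower().startswith("http://"):
            self.findings.append((kind, tag, url))

def find_mixed_content(html):
    finder = MixedContentFinder()
    finder.feed(html)
    finder.close()
    return finder.findings

# Constructed sample markup; example.com / example.net are placeholders.
SAMPLE = """
<link rel="canonical" href="http://example.com/post/">
<link rel="stylesheet" href="http://example.com/wp-content/themes/t/style.css">
<script src="HTTP://cdn.example.net/widget.js"></script>
<a href="http://example.com/about/">About</a>
<img src="http://example.com/wp-content/uploads/2020/01/photo.jpg">
<img src="https://example.com/logo.png">
"""

if __name__ == "__main__":
    for kind, tag, url in find_mixed_content(SAMPLE):
        print(f"{kind:8} <{tag}> {url}")
```

The scan reads only tag attributes in the HTML it is given, so resources pulled in by CSS url() rules or injected by scripts at runtime still need the browser console check.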
Still seeing issues?
If mixed content persists after running the database replacement, open a support ticket and include the URL and a screenshot of the browser console. Our team can review the specific resources causing the problem.
