What is the difference between active and passive mixed content?

Active mixed content (scripts, iframes, stylesheets) is blocked by browsers — it can control your entire page. Passive mixed content (images, audio, video) shows warnings but is not blocked.

Does upgrade-insecure-requests fix all mixed content?

It fixes resources that are available over HTTPS. If a resource only exists on HTTP, the request will fail. You still need to fix hardcoded HTTP URLs for resources that are HTTP-only.

How do I find mixed content in WordPress?

Use Better Search Replace plugin or WP-CLI wp search-replace to find all http:// occurrences in the database. Also check theme files and plugins for hardcoded URLs.

Performance

Fix Mixed Content Warnings — HTTP Resources on HTTPS Sites

Your page loads over HTTPS but some resources — scripts, images, API calls — are requested over HTTP. Browsers block scripts and iframes (active mixed content) and warn about images and videos (passive mixed content). Here is how to find and fix all of them.

Browser Console Error

Mixed Content: The page at 'https://example.com' was loaded over HTTPS, but requested an insecure resource 'http://cdn.example.com/script.js'. This request has been blocked; the content must be served over HTTPS.

Find all mixed content

Open DevTools → Console. Look for "Mixed Content" errors. Each one tells you the exact URL being loaded over HTTP. You can also use CSPFixer to scan your page and enumerate all resource URLs.

Quick fix — upgrade-insecure-requests

The fastest fix: tell the browser to upgrade all HTTP requests to HTTPS automatically:

Content-Security-Policy: upgrade-insecure-requests;

This only works if the resource actually exists over HTTPS. If http://cdn.example.com/file.js cannot be loaded as https://cdn.example.com/file.js (wrong certificate, does not exist), it will fail.

Proper fix — update hardcoded URLs

In HTML

<!-- Wrong -->
<script src="http://cdn.example.com/script.js"></script>
<img src="http://images.example.com/photo.jpg">

<!-- Right -->
<script src="https://cdn.example.com/script.js"></script>
<img src="https://images.example.com/photo.jpg">

<!-- Protocol-relative (works for both HTTP and HTTPS) -->
<script src="//cdn.example.com/script.js"></script>

In CSS

/* Wrong */
background-image: url('http://images.example.com/bg.png');

/* Right */
background-image: url('https://images.example.com/bg.png');

In JavaScript fetch calls

// Wrong
fetch('http://api.example.com/data')

// Right
fetch('https://api.example.com/data')

// Or use a relative URL if same domain
fetch('/api/data')

In WordPress

Mixed content in WordPress often comes from hardcoded HTTP URLs in the database (posts, options, theme settings). Use a plugin like Better Search Replace to update all URLs:

-- Or with WP-CLI:
wp search-replace 'http://example.com' 'https://example.com' --all-tables

Verify all resources are now HTTPS

After fixing, open DevTools Console and reload. All Mixed Content warnings should be gone. Use CSPFixer to do a full scan of your page resources to confirm no HTTP URLs remain.

Run a live PageSpeed audit → SpeedFixer