How to Fix Mixed Content After Migration: The Complete 2026 WordPress Guide

You’ve just completed the crucial migration of your WordPress site to a new host, or perhaps you finally made the smart switch from HTTP to HTTPS. You type in your new, secure URL, and… the browser bar shows that ominous padlock with a yellow triangle, or worse, a “Not Secure” warning. Your heart sinks. You thought the hard part was over, but now you’re facing a site that looks broken, feels insecure, and is almost certainly upsetting both visitors and Google.

This, my friend, is the dreaded mixed content error. It’s one of the most common and frustrating post-migration headaches. But take a deep breath. You haven’t broken your site, and fixing it is entirely within your reach.

This comprehensive guide is your definitive manual for identifying, understanding, and completely eradicating mixed content errors after a WordPress migration in 2026. We’ll move from basic concepts to advanced debugging, ensuring your site is not just secure, but also optimized for speed and SEO.

What Is Mixed Content, and Why Should You Care?

At its core, a mixed content error is a security conflict. It happens when your main webpage is loaded securely over HTTPS (Hypertext Transfer Protocol Secure), but the browser fetches some of the sub-resources—like images, JavaScript files, CSS stylesheets, or iframes—over an insecure HTTP connection.

Think of it like building a state-of-the-art, secure bank vault (your HTTPS page) but then leaving a few windows made of old, thin glass (HTTP resources). The overall structure seems strong, but the weak points compromise everything.

Why This Is a Critical Problem

1. Browser Warnings & User Trust: Modern browsers (Chrome, Edge, Firefox) actively warn users. You’ll see messages like “This page is not fully secure” or the security padlock will be crossed out. This instantly erodes professional credibility and increases bounce rates.

2. Blocked Resources: Browsers may actively block “active” mixed content like scripts and stylesheets. This can break your site’s layout and functionality entirely. “Passive” content like images may still load but with warnings.

3. SEO Impact: Google has confirmed HTTPS as a ranking signal. A site with mixed content isn’t fully HTTPS. Furthermore, blocked resources can inflate your Largest Contentful Paint (LCP) and other Core Web Vitals metrics, directly harming your search rankings. For a deep dive on Core Web Vitals, see our guide on How to Optimize Core Web Vitals in WordPress for Better Google Ranking.

4. Security Risk: The core purpose of HTTPS is encryption. HTTP resources are unencrypted and vulnerable to “man-in-the-middle” attacks, where data can be intercepted or altered. This is catastrophic for sites handling logins or payments.

Why Does Mixed Content Appear After Migration?

Migration is a disruptive process. Files and databases are copied, URLs change, and sometimes, not everything updates cleanly. Here are the primary culprits:

• Hard-Coded HTTP URLs in the Database: This is the #1 cause. Your posts, pages, theme settings, and plugin configurations are stored in the database. If they contain absolute URLs (e.g., http://yoursite.com/wp-content/uploads/logo.jpg), they will break after you move to https://yoursite.com.

• Serialized Data Issues: WordPress serializes arrays and objects in the database (like widget configurations, menu structures). A simple text find/replace can break this serialization if not done correctly, corrupting data.

• Hard-Coded Links in Theme/Plugin Files: Some older or poorly coded themes/plugins might have HTTP URLs written directly into their .php, .js, or .css files.

• External Resources: You might be loading a font from an old HTTP Google Fonts link, a script from an external HTTP source, or an embedded iframe (like an old YouTube embed).

• Incomplete .htaccess Redirects: If your server isn’t correctly forcing all traffic from HTTP to HTTPS, some requests might still slip through the old way.

Step 1: Diagnose – Find Every Single Mixed Content Error

You can’t fix what you can’t see. Let’s become detectives.

Method A: The Browser Console (Immediate & Free)

This is your first and most powerful tool.

1. Go to your HTTPS homepage.

2. Right-click anywhere and select “Inspect” (or press F12 / Ctrl+Shift+I).

3. Click on the “Console” tab.

4. Refresh the page (F5).

5. You will now see red error messages. Look for keywords: “Mixed Content”, “blocked due to MIME type”, or “This request has been blocked; the content must be served over HTTPS.”

Each error will list the exact insecure URL causing the problem. Jot these down.

Method B: Online Scanners (Site-Wide Audit)

The console shows errors for one page. Use these tools to scan your entire site:

• Why No Padlock? (https://www.whynopadlock.com/)

• SecurityHeaders.com (Check the “HTTPS” tab)

• JitBit’s SSL Checker (https://www.jitbit.com/sslcheck/)

These will provide a list of insecure resources across multiple pages.

Method C: WordPress Health Check & Debug Bar

Go to Tools > Site Health in your WordPress admin. The “Info” tab under “Directories and Sizes” should show your WordPress and Site Addresses using https://.

For advanced users, install the “Debug Bar” plugin along with the “Debug Bar Console” add-on. It can help trace script and style dependencies.

Step 2: The Fix – A Step-by-Step Remediation Plan

Now, let’s systematically eliminate the errors. PRO TIP: Always take a full backup before making database or file changes. If you need a refresher, our guide on How to Backup WordPress to Google Drive Automatically has you covered.

Phase 1: Update the WordPress Database (The Core Fix)

WARNING: Direct database manipulation carries risk. If you are uncomfortable, consider using a plugin or seeking professional help from our WordPress Support Service.

The Recommended Plugin Method: Better Search Replace

This plugin handles serialized data correctly.

1. Install and activate “Better Search Replace.”

2. Go to Tools > Better Search Replace.

3. In the “Search for” field, enter your old site URL: http://yourdomain.com

4. In the “Replace with” field, enter your new secure URL: https://yourdomain.com

5. Select ALL database tables. (Typically, wp_posts, wp_postmeta, wp_options are the key ones, but a full sweep is safe).

6. Check the box “Run as dry run?” FIRST. This shows what would be changed without making changes.

7. Review the dry run report. If it looks correct, uncheck “dry run” and run the replacement again.

For Hard-Coded References in Files (Theme/Plugins):

Sometimes URLs are baked into PHP constants. Add these lines to your wp-config.php file (above the /* That's all, stop editing! */ line). This forces WordPress to use HTTPS in its generated URLs.

define('WP_HOME','https://yourdomain.com');
define('WP_SITEURL','https://yourdomain.com');

If you have issues with your wp-config.php file, our guide on How to Secure wp-config.php is essential reading.

Phase 2: Force HTTPS with Server Rules

Ensure all traffic is redirected from HTTP to HTTPS. This is done at the server level, which is more efficient than a WordPress plugin.

For Apache Servers (using .htaccess):
Add this code to the top of your .htaccess file in your website’s root folder:

RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

For Nginx Servers:
Add this block to your server configuration file (usually inside the server block for port 80):

server {
    listen 80;
    server_name yourdomain.com www.yourdomain.com;
    return 301 https://$server_name$request_uri;
}

After making these changes, test by typing http://yourdomain.com into a new browser tab. It should instantly redirect to https://yourdomain.com.

Phase 3: The Content-Security-Policy (CSP) “Upgrade-Insecure-Requests” Header (Advanced)

This is a powerful, modern fix. By adding a specific HTTP header, you instruct the browser to automatically try to load all HTTP resources over HTTPS before blocking them. It’s a great safety net.

You can add this via your .htaccess file (Apache):

Header set Content-Security-Policy "upgrade-insecure-requests;"

Or in your Nginx server config:

add_header Content-Security-Policy "upgrade-insecure-requests;";

Important: This doesn’t change the URLs in your database; it tells the browser to handle them differently. It’s a fantastic complementary fix after you’ve done the primary database cleanup. For more on securing your site’s headers, see our article on How to Secure WordPress REST API (wp-json) from Attacks.

Phase 4: Clear All Caches

Old, cached versions of your pages containing HTTP links will stubbornly persist. You must clear:

1. WordPress Caching Plugin: (e.g., W3 Total Cache, WP Rocket, LiteSpeed Cache).

2. Server-Level Cache: (e.g., Varnish, Memcached). This might be in your hosting control panel.

3. CDN Cache: (e.g., Cloudflare, StackPath). Purge everything.

4. Browser Cache: Do a hard reload (Ctrl+Shift+R on Windows/Linux, Cmd+Shift+R on Mac).

Step 3: Verification and Advanced Troubleshooting

After implementing the fixes, go back to your Browser Console and online scanners. The mixed content warnings should be gone, replaced by a green, secure padlock.

What If Errors Persist? (The Stubborn Cases)

1. Third-Party Scripts/Embeds: The error URL is from another domain (e.g., http://someothersite.com/widget.js). You must contact that service and ask for their HTTPS version, or find an alternative. You can use the CSP header to “report-only” these errors first.

2. Hardcoded URLs in Compiled/Custom Code: Check your child theme’s functions.php, any custom plugin files, or scripts enqueued by your theme. Search the file system for http://yourdomain.com.

3. WooCommerce or E-Commerce Specific Settings: Check WooCommerce > Settings > Advanced > Page setup. Ensure the Cart, Checkout, and My Account page URLs are correct. Also, verify System Status for any HTTP API descriptions. For related performance issues after fixes, our guide on How to Speed Up WooCommerce Product Pages can help.

4. SSL Certificate Issues: Very rarely, the problem could be an incomplete certificate chain. Use the SSL Labs Test (https://www.ssllabs.com/ssltest/) to diagnose.

Prevention: How to Avoid Mixed Content in Future Migrations

An ounce of prevention is worth a pound of cure. Here’s your checklist for the next migration:

1. Use Migration-Specific Plugins: For standard moves, plugins like Duplicator Pro, All-in-One WP Migration, or Migrate Guru handle URL replacement well.

2. Always Use Relative Protocol URLs (Protocol-Relative URLs) – With Caution: Instead of http:// or https://, use // at the start of a URL (e.g., //yourdomain.com/image.jpg). The browser will use the same protocol as the page. Note: This practice is debated for future-proofing but can help in some themes/plugins.

3. Use WordPress Functions for Paths: Developers, always use home_url(), site_url(), get_template_directory_uri(), and wp_get_attachment_url() instead of hardcoding paths.

4. Test with a Staging Site First: Never perform a major migration or HTTPS switch directly on your live site. Use a staging environment. Learn how in our guide on How to Create a Staging Site in WordPress.

5. Run a Post-Migration Audit: Immediately after migrating, run the browser console and online scanner checks as outlined in Step 1.

Frequently Asked Questions (FAQs)

What exactly is a mixed content error?

A mixed content error occurs when a webpage loaded over a secure HTTPS connection contains resources (like images, scripts, or stylesheets) that are loaded over an insecure HTTP connection. This creates a security vulnerability and can trigger browser warnings, degrade user trust, and harm your SEO performance.

Why do mixed content errors appear after a WordPress migration?

During a migration, especially moving from HTTP to HTTPS, WordPress database serialized data may still contain the old HTTP URLs for media, theme files, or scripts. Hard-coded links in your theme or plugin files, custom CSS, or content added via page builders that use absolute HTTP paths are also common culprits.

What is the fastest way to find all mixed content errors on my site?

Use your browser’s Developer Tools Console. In Chrome or Edge, right-click, select ‘Inspect,’ go to the ‘Console’ tab, and reload your page. Any mixed content warnings will be listed with the exact insecure URL. For a full site audit, use an online scanner like ‘Why No Padlock?’ or SecurityHeaders.com.

Can I fix mixed content without a plugin?

Yes. The most reliable method is a manual search and replace in your database for old HTTP URLs (be careful with serialized data). You must also check and update hard-coded links in theme/plugin files, widgets, menus, and customizer settings. However, for most users, a trusted plugin like ‘Better Search Replace’ for the database and a redirection plugin for server rules is the recommended approach.

My browser still shows ‘Not Secure’ after fixing all links. What now?

First, clear all caching layers: your WordPress cache plugin, server cache (like Varnish), and CDN cache. Then, perform a hard reload (Ctrl+Shift+R). If it persists, the issue may be a third-party script or iframe from an external HTTP source. Use the ‘Content Security Policy’ header to report or upgrade such requests, or contact the external provider.

Do mixed content errors affect SEO?

Absolutely. Google explicitly states that HTTPS is a ranking signal. Mixed content prevents your site from being fully secure, which can negatively impact user experience signals. More directly, it can hinder your Core Web Vitals scores by causing additional browser security checks and blocking resource loads, increasing load times—both key SEO factors.

Conclusion: A Secure Site is a Successful Site

Fixing mixed content after a migration is non-negotiable in 2026. It’s a fundamental step towards providing a secure, fast, and trustworthy experience for your users—a factor Google rewards directly.

The process, while technical, is methodical: Diagnose, Update, Redirect, and Verify. By following the steps in this guide, you can systematically hunt down every insecure resource and secure your WordPress site completely.

Remember, a fully implemented HTTPS site with a green padlock is more than just a badge; it’s a statement of professionalism and care for your visitors. If the process feels overwhelming or you’re short on time, our expert team at WPThrill is ready to handle it for you. Our WordPress Support Service specializes in post-migration cleanups, performance optimization, and ongoing maintenance to keep your site secure and soaring in the rankings.