You have successfully installed an SSL certificate on your SakuraHost account, and your site now loads over HTTPS. However, your browser still shows a warning icon instead of the reassuring green padlock. The culprit is almost certainly mixed content — a common issue that occurs when an HTTPS page loads some resources over insecure HTTP. This guide explains what mixed content is, how to identify it, and step-by-step methods to fix it across different platforms.

What Is Mixed Content?

Mixed content occurs when an HTML page loaded over a secure HTTPS connection includes resources — such as images, scripts, stylesheets, iframes, or fonts — that are loaded over an insecure HTTP connection. When this happens, the browser considers the page only partially encrypted, which undermines the security guarantees of SSL.

Types of Mixed Content

  • Mixed Active Content (Blocked): Scripts, stylesheets, iframes, XMLHttpRequest, and fetch requests loaded over HTTP. Modern browsers block these entirely because they can modify the page's behaviour and steal data. This usually breaks website functionality.
  • Mixed Passive Content (Warning): Images, audio, video, and other media loaded over HTTP. Browsers typically still load these but display a warning. While less dangerous, they still compromise the visual integrity of the secure padlock.
Browser Behaviour: Chrome, Firefox, and Edge all handle mixed content aggressively. As of recent versions, browsers may auto-upgrade HTTP requests to HTTPS or block them entirely. The Google Security Blog has documented the progressive tightening of mixed content policies.

Identifying Mixed Content

Method 1: Browser Developer Tools

Step 1: Open your website in Chrome or Firefox.
Step 2: Press F12 or right-click and select "Inspect" to open Developer Tools.
Step 3: Click the Console tab. Mixed content warnings appear as yellow warnings or red errors with messages like: "Mixed Content: The page at 'https://...' was loaded over HTTPS, but requested an insecure resource 'http://...'. This request has been blocked."
Step 4: Note every URL listed in these warnings. These are the resources you need to fix.

Method 2: Online Scanners

Use free online tools to scan your entire site for mixed content:

  • Why No Padlock: Scans a specific URL and reports all insecure resources.
  • Mozilla Observatory: Provides a comprehensive security scan including mixed content detection.
  • JitBit SSL Checker: Crawls your site and finds all pages with mixed content.

Fixing Mixed Content in WordPress

Step 1: Update Site URLs

In your WordPress dashboard, go to Settings > General. Ensure both the "WordPress Address (URL)" and "Site Address (URL)" fields use https://.

Step 2: Search and Replace Database URLs

Many mixed content issues come from hardcoded HTTP URLs stored in your WordPress database (in posts, pages, widgets, and theme options). Use a plugin like "Better Search Replace" or "Velvet Blues Update URLs" to perform a database-wide search and replace:

Search for: http://yourdomain.co.tz Replace with: https://yourdomain.co.tz
Always Back Up First: Before running any search and replace on your database, create a full backup through cPanel or your SakuraHost client area. Database changes are difficult to reverse without a backup.

Step 3: Install a Dedicated SSL Plugin

The "Really Simple SSL" plugin can automatically detect and fix most mixed content issues by dynamically rewriting HTTP URLs to HTTPS on page load. While this is an excellent quick fix, it is better to fix the root causes in your database and theme rather than relying on runtime fixes long-term.

Step 4: Check Theme and Plugin Files

Some themes and plugins hardcode HTTP URLs in their source files. Check your active theme's header.php, footer.php, and functions.php for any hardcoded http:// references. Also check custom CSS files and any embedded content in widgets.

Fixing Mixed Content in Custom HTML/PHP Sites

Protocol-Relative URLs

Replace absolute HTTP URLs with protocol-relative URLs where possible:

<!-- Instead of this: --> <img src="http://yourdomain.co.tz/images/logo.png"> <!-- Use this: --> <img src="//yourdomain.co.tz/images/logo.png"> <!-- Or better yet, use HTTPS explicitly: --> <img src="https://yourdomain.co.tz/images/logo.png">

Using Content-Security-Policy Header

You can add a Content-Security-Policy header to automatically upgrade insecure requests. Add this to your .htaccess file:

Header always set Content-Security-Policy "upgrade-insecure-requests"

This header instructs browsers to automatically upgrade all HTTP resource requests to HTTPS before making them. It is an excellent safety net while you work on fixing individual URLs.

Fixing Mixed Content in Joomla

Step 1: Log in to the Joomla administrator panel.
Step 2: Go to System > Global Configuration.
Step 3: In the Server tab, set "Force HTTPS" to "Entire Site".
Step 4: Use an extension like "Search & Replace" by Nonumber to find and replace HTTP URLs in your database content.

Fixing External Resources

Mixed content can also come from external resources — third-party scripts, images hosted on other domains, embedded content, and CDN resources. For each external resource:

  1. Check if the external service supports HTTPS (most do today).
  2. Update the URL from http:// to https://.
  3. If the external service does not support HTTPS, consider downloading the resource and hosting it locally on your SakuraHost account.
  4. For embedded iframes (e.g., maps, videos), ensure the embed code uses HTTPS.
Verification: After making changes, clear your browser cache and revisit your site. Check the Developer Tools console again to confirm all mixed content warnings are resolved. Run an SSL Labs test to confirm your overall SSL grade.

Prevention for the Future

To prevent mixed content from recurring, adopt these best practices: always use HTTPS URLs when adding images or links in your content; configure your CMS to use HTTPS by default; keep the upgrade-insecure-requests CSP header active as a safety net; and regularly scan your site for mixed content after installing new plugins, themes, or making content changes.

Was this answer helpful? 0 Users Found This Useful (0 Votes)

Most Popular Articles

Understanding SSL Certificates: Types, Benefits, and How They Work

.kb-article { line-height: 1.8; color: inherit; max-width: 900px; } .kb-article h2 { color:...
How to Install a Free SSL Certificate on SakuraHost (AutoSSL)

.kb-article { line-height: 1.8; color: inherit; max-width: 900px; } .kb-article h2 { color:...
How to Force HTTPS on Your Website Using .htaccess

.kb-article { line-height: 1.8; color: inherit; max-width: 900px; } .kb-article h2 { color:...
Understanding and Preventing DDoS Attacks on Your Website

.kb-article { line-height: 1.8; color: inherit; max-width: 900px; } .kb-article h2 { color:...
How to Scan and Remove Malware from Your Hosting Account

.kb-article { line-height: 1.8; color: inherit; max-width: 900px; } .kb-article h2 { color:...