This tutorial is for websites using WordPress and Cloudflare Flexible SSL. Below is a step-by-step process of fixing “mixed content” error messages after converting your site to HTTPS.
“This site has insecure mixed content” or “Your connection to this site is not fully secure” means that the website is not fully secured due to images, videos, and links being served over HTTP. Lets fix this!
Step 1: Cloudflare Crypto
- In your Cloudflare dashboard navigate to Crypto and select “Always Use HTTPS” and “Automatic HTTPS Rewrites” to ON.
- Link to Cloudflare’s article about mixed content error
Step 2: Update WordPress Site URL to HTTPS
Doing this updates all images and videos in your Media folder to HTTPS
- Go into your WordPress dashboard > Settings > General
- Update WordPress Address URL from http:// to https://
- Update WordPress Site Address URL from http:// to https://
If your website continues to show mixed content error continue to Step 3
Step 3: Check your content
- Go to WordPress dashboard > Pages
- Check content (images, links, and videos) on all pages and manually update any
http:// links to https://
- If you made any blog posts check the content on there and manually update links from
http:// to https://
Step 4: Find HTTP links using web browser and Missing Padlock
Whether you are using Google or Firefox you can view links that are giving the mixed content error
Firefox – Go to browser menu > Web Developer> Web console
Google – Go to browser menu > more tools > Developer tools > Console
Use Missing Padlock to crawl your website for HTTP links. I found other links that were not visible to me in the browser.
- Link to Missing Padlock SSL Checker
Step 5: Use Better Search and Replace
WordPress plugin Better Search and Replace replaces HTTP links with HTTPS. I used the HTTP links found by Missing Padlock and replaced them with HTTPS.
How I used Better Search and Replace and what worked for me
- Use the
http:// link found in Missing Padlock and enter http:// link in “Search for” then enter the same link in “Replace with” but add the “s” for https://
- Select all
tablesif you do not know where the link is located
- Check “Run as dry run”. Dry run does not create any changes, it shows which tables contain that
- Lastly, I selected the tables that came up from
dryrun, unchecked dry run, and replaced that link.
- Repeated this process for each
In conclusion, this process worked for me to get a fully secured website!