This tutorial is for websites using WordPress and Cloudflare Flexible SSL. Below is a step-by-step process of fixing “mixed content” error messages after converting your site to HTTPS.

“This site has insecure mixed content” or “Your connection to this site is not fully secure” means that the website is not fully secured due to images, videos, and links being served over HTTP. Let's fix this!

Step 1: Cloudflare Crypto

  • In your Cloudflare dashboard, navigate to Crypto and set “Always Use HTTPS” and “Automatic HTTPS Rewrites” to ON.

Step 2: Update WordPress Site URL to HTTPS

Doing this updates all images and videos in your Media folder to HTTPS.

  • Go into your WordPress dashboard > Settings > General
  • Update WordPress Address URL from http:// to https://
  • Update WordPress Site Address URL from http:// to https://

If your website continues to show mixed content errors, continue to Step 3.

Step 3: Check your content

  • Go to WordPress dashboard > Pages
  • Check content (images, links, and videos) on all pages and manually update any http:// links to https://
  • If you have any blog posts, check their content as well and manually update links from http:// to https://

Step 4: Find HTTP links using web browser and Missing Padlock

Whether you are using Google or Firefox, you can view the links that are causing the mixed content error in the browser console.

Firefox – Go to browser menu > Web Developer > Web Console

Google – Go to browser menu > More tools > Developer tools > Console

Use Missing Padlock to crawl your website for HTTP links. I found other links that were not visible to me in the browser.
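The kind of check Step 4 performs, as an added example that is not part of the original tutorial and not Missing Padlock's own code: a Python scanner that lists the http:// references in a page's HTML, keeping resources the browser loads apart from plain `<a>` links. The sample markup, the example.com URLs and all names in the code are constructed for illustration.

```python
from html.parser import HTMLParser

# Tag -> attributes whose URL the browser fetches while rendering the page.
FETCHED = {"img": ("src", "srcset"), "source": ("src", "srcset"),
           "script": ("src",), "iframe": ("src",), "embed": ("src",),
           "video": ("src", "poster"), "audio": ("src",), "object": ("data",)}
LINK_RELS = {"stylesheet", "icon", "preload"}  # <link> rel values that fetch

# Constructed sample markup (not taken from a real site).
SAMPLE = """
<link rel="stylesheet" href="http://example.com/wp-content/themes/t/style.css">
<img src="http://example.com/wp-content/uploads/a.jpg"
     srcset="https://example.com/a-300.jpg 300w, http://example.com/a-600.jpg 600w">
<script src="https://example.com/wp-includes/js/app.js"></script>
<a href="http://example.com/about/">About</a>
"""


class InsecureRefFinder(HTMLParser):
    """Collect http:// references: loaded resources and plain links."""

    def __init__(self):
        super().__init__()
        self.resources = []  # fetched by the page over HTTP
        self.links = []      # <a href> targets, listed separately

    def handle_starttag(self, tag, attrs):
        attrs = {name: (value or "") for name, value in attrs}
        if tag == "a":
            self._collect(self.links, tag, attrs.get("href", ""))
        elif tag == "link" and LINK_RELS & set(attrs.get("rel", "").lower().split()):
            self._collect(self.resources, tag, attrs.get("href", ""))
        for name in FETCHED.get(tag, ()):
            raw = attrs.get(name, "")
            # srcset holds comma-separated "url descriptor" candidates.
            for value in (raw.split(",") if name == "srcset" else [raw]):
                self._collect(self.resources, tag, value)

    def _collect(self, bucket, tag, value):
        parts = value.split()  # drops the srcset descriptor, e.g. "600w"
        if parts and parts[0].lower().startswith("http://"):
            bucket.append((tag, parts[0]))


def find_insecure(html):
    """Return (resources, links) as lists of (tag, url) found over http://."""
    finder = InsecureRefFinder()
    finder.feed(html)
    return finder.resources, finder.links
```

Calling `find_insecure()` on a saved copy of each page's HTML gives the list of http:// URLs to feed into Step 5.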

Step 5: Use Better Search and Replace

WordPress plugin Better Search and Replace replaces HTTP links with HTTPS. I used the HTTP links found by Missing Padlock and replaced them with HTTPS.

How I used Better Search and Replace and what worked for me

  1. Enter the http:// link found by Missing Padlock in “Search for”, then enter the same link in “Replace with” but with the “s” added for https://
  2. Select all tables if you do not know where the link is located
  3. Check “Run as dry run”. A dry run does not make any changes; it shows which tables contain that http:// link.
  4. Lastly, I selected the tables that came up from dry run, unchecked dry run, and replaced that link.
  5. Repeated this process for each http:// link.

In conclusion, this process worked for me to get a fully secured website!