You have made the switch to HTTPS — congratulations. Your SSL certificate is installed, your site loads with a padlock icon, and Google rewards HTTPS sites with a ranking boost. But then you notice something: on certain pages, the padlock disappears, replaced by a warning icon or "Not Secure" label. The culprit is mixed content — insecure HTTP resources loading on your otherwise secure HTTPS page. In this guide, we cover how to find and fix every type of mixed content warning on cPanel hosting.
What Is Mixed Content and Why It Hurts SEO
Mixed content occurs when an HTTPS page loads sub-resources (images, scripts, stylesheets, fonts, iframes) over plain HTTP. Browsers classify mixed content into two categories:
- Mixed Active Content (Blocked): Scripts, stylesheets, iframes, and XMLHttpRequests loaded over HTTP. Modern browsers block these entirely because they can alter page behavior. This breaks functionality.
- Mixed Passive Content (Warned): Images, audio, and video loaded over HTTP. Browsers allow these to load but display a warning (no padlock). This degrades trust signals.
The SEO impact is threefold:
- Lost HTTPS ranking boost: Google grants a small ranking advantage to fully secure HTTPS pages. Mixed content undermines this because the page is not truly secure.
- Broken page functionality: Blocked active content (scripts, CSS) can cause layout issues, missing functionality, and increased CLS — directly hurting Core Web Vitals scores.
- User trust erosion: A missing padlock increases bounce rates, especially on e-commerce sites where users look for security indicators before entering payment information.
Common Causes of Mixed Content
Mixed content typically originates from these sources:
| Source | Examples | Frequency |
|---|---|---|
| Hardcoded HTTP URLs in content | Images in blog posts, pages | Very common |
| Theme/template files | CSS background images, font URLs | Common |
| Plugin/extension assets | JavaScript files, CSS from plugins | Common |
| Third-party embeds | YouTube (old embed code), maps, widgets | Moderate |
| Inline CSS | style="background: url(http://...)" | Moderate |
| Database-stored URLs | WordPress options, widget content | Common in CMS |
| External resources | CDN URLs, analytics scripts, ad networks | Moderate |
| Canonical/hreflang tags | HTTP URLs in meta tags | Often overlooked |
Step 1: Find All Mixed Content
Browser Console Method
- Open your site in Chrome, press F12, and go to the Console tab.
- Navigate through your pages. Any mixed content generates a console warning:
  Mixed Content: The page at 'https://yourdomain.com/page' was loaded over HTTPS, but requested an insecure resource 'http://yourdomain.com/image.jpg'. This request has been blocked; the content must be served over HTTPS.
- Each warning identifies the exact insecure URL and the HTML element that references it.
Site-Wide Scan Method
Manually checking every page is impractical for large sites. Use these tools instead:
- Screaming Frog SEO Spider: Configure it to crawl your HTTPS site and flag insecure URLs. Check the "Insecure Content" report.
- JitBit SSL Checker: A free online tool that crawls your site and lists all HTTP resources.
- Google Search Console: The HTTPS report in Search Console may highlight pages with mixed content issues.
- Why No Padlock: Enter a URL to get a quick list of insecure resources on that specific page.
Step 2: Fix Mixed Content in cPanel
Fix 1: Force HTTPS via .htaccess (Catch-All)
The most effective first step is to add a blanket HTTP-to-HTTPS redirect in your .htaccess file. Open File Manager in cPanel, navigate to public_html, and edit .htaccess:
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule ^(.*)$ https://%{HTTP_HOST}/$1 [R=301,L]
This ensures any HTTP request to your site automatically redirects to HTTPS. It fixes mixed content for resources hosted on your own domain — images, CSS, and JS files requested over HTTP will redirect to their HTTPS versions. For more details on configuring redirects, see our comprehensive cPanel redirect guide.
Fix 2: Add Content-Security-Policy Header
For an additional layer of protection, add a CSP header that upgrades insecure requests:
# Automatically upgrade HTTP requests to HTTPS
<IfModule mod_headers.c>
Header always set Content-Security-Policy "upgrade-insecure-requests"
</IfModule>
The upgrade-insecure-requests directive tells browsers to silently change HTTP URLs to HTTPS before making the request. This catches hardcoded HTTP URLs in your HTML without needing to edit every page. It works for both your own resources and third-party resources (as long as they support HTTPS).
Fix 3: Update Hardcoded URLs in WordPress
If you run WordPress on cPanel, the most thorough fix is a search-and-replace across the database:
- Back up your database first through cPanel's phpMyAdmin or the Backup Wizard.
- Install the Better Search Replace plugin (or use WP-CLI if you have SSH access).
- Search for http://yourdomain.com and replace with https://yourdomain.com.
- Run a dry run first to see how many replacements will be made.
- Execute the replacement.
- Also update Settings > General: change both "WordPress Address (URL)" and "Site Address (URL)" to use https://.
Fix 4: Update Theme and Plugin Files
Some mixed content comes from hardcoded HTTP URLs in theme templates or plugin files. Access these through cPanel File Manager:
- Navigate to public_html/wp-content/themes/your-theme/.
- Search through template files (header.php, footer.php, functions.php) for http:// URLs.
- Replace them with https:// or use protocol-relative URLs (//yourdomain.com/file.jpg) — though HTTPS is preferred over protocol-relative in 2026.
For non-WordPress sites, check your CSS files for background-image: url(http://...) and JavaScript files for hardcoded HTTP API endpoints or resource URLs.
Fix 5: Update Third-Party Embeds
Common third-party sources of mixed content:
- YouTube embeds: Old embed codes may use http://. Update to https://www.youtube.com/embed/....
- Google Maps: Older iframe embeds may use HTTP. Update to the HTTPS version.
- Font services: Google Fonts and other font CDNs support HTTPS. Update your <link> tags.
- Ad networks: Most major ad networks now support HTTPS. Check with your provider if ads are loading over HTTP.
- Analytics/tracking scripts: Ensure all tracking pixels and scripts use HTTPS.
Step 3: Verify the Fix
After making changes, verify mixed content is fully resolved:
- Clear browser cache and visit your site. Look for the padlock icon in the address bar.
- Check the browser console (F12 > Console) for any remaining mixed content warnings.
- Re-scan with Screaming Frog or JitBit to confirm site-wide compliance.
- Test on multiple browsers — Chrome, Firefox, and Safari handle mixed content slightly differently.
- Check Google PageSpeed Insights for any remaining security warnings.
Preventing Mixed Content in the Future
Once fixed, prevent mixed content from recurring:
- Use relative URLs for internal links and resources: /images/photo.jpg instead of https://yourdomain.com/images/photo.jpg. Relative URLs automatically use the page's protocol.
- Configure your CMS for HTTPS: Set the site URL to HTTPS so the CMS generates all URLs correctly.
- Add CSP headers permanently: Keep the upgrade-insecure-requests header in your .htaccess as a safety net.
- Audit new plugins/themes before installing: Check that they do not introduce hardcoded HTTP URLs.
- Set up monitoring: Use automated cron jobs or external monitoring to periodically scan for mixed content regressions.
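For the monitoring step, a scan can be scripted against saved or fetched page HTML. The following is an added example, not part of the original guide: it classifies each http:// reference using the active/passive categories described earlier, plus a "metadata" bucket for the canonical/hreflang tags from the causes table. The names MixedContentScanner and scan_html and the sample markup are assumptions made for illustration.

```python
import re
from html.parser import HTMLParser

# Tag -> URL attribute, grouped by the article's two browser categories.
ACTIVE = {"script": "src", "iframe": "src"}
PASSIVE = {"img": "src", "audio": "src", "video": "src", "source": "src"}
CSS_URL = re.compile(r"url\(\s*['\"]?(http://[^'\")\s]+)", re.I)

class MixedContentScanner(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []  # (category, element, url) tuples

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag in ACTIVE:
            self._check("active", tag, a.get(ACTIVE[tag], ""))
        elif tag in PASSIVE:
            self._check("passive", tag, a.get(PASSIVE[tag], ""))
        elif tag == "link":
            rel = a.get("rel", "").lower().split()
            if "stylesheet" in rel:
                self._check("active", tag, a.get("href", ""))
            elif "canonical" in rel or "alternate" in rel:
                # Not a sub-resource, but listed in the causes table.
                self._check("metadata", tag, a.get("href", ""))
        # Inline CSS such as style="background: url(http://...)"
        for url in CSS_URL.findall(a.get("style", "")):
            self.findings.append(("passive", tag + "[style]", url))

    def _check(self, category, element, url):
        # Only absolute http:// URLs count; relative and https:// are fine.
        if url.strip().lower().startswith("http://"):
            self.findings.append((category, element, url.strip()))

def scan_html(html):
    scanner = MixedContentScanner()
    scanner.feed(html)
    return scanner.findings

# Constructed sample markup, not taken from a real site.
SAMPLE = """<link rel="canonical" href="http://yourdomain.com/page">
<link rel="stylesheet" href="http://yourdomain.com/style.css">
<script src="https://yourdomain.com/app.js"></script>
<a href="http://example.org/">plain link, not a sub-resource</a>
<img src="http://yourdomain.com/image.jpg">
<div style="background: url('http://yourdomain.com/bg.png')"></div>"""
if __name__ == "__main__":
    for finding in scan_html(SAMPLE):
        print(finding)
```

The scanner reads only the HTML it is given: srcset attributes, URLs inside external CSS files, and URLs built by JavaScript at runtime are not covered, so it complements the browser console and a crawler rather than replacing them.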
HTTPS Migration Checklist for SEO
Mixed content is just one part of a successful HTTPS migration. Here is the complete checklist:
- Install SSL certificate (free via Auto SSL on MassiveGRID's high-availability cPanel hosting, or install a custom certificate through cPanel's SSL/TLS Manager).
- Add HTTP-to-HTTPS 301 redirects in .htaccess.
- Fix all mixed content (this guide).
- Update canonical tags to use HTTPS.
- Update your XML sitemap to list HTTPS URLs.
- Update robots.txt sitemap reference to HTTPS.
- Update Google Search Console property (add HTTPS version).
- Update Google Analytics settings to use HTTPS.
- Update all internal links to HTTPS (database search-replace for CMS sites).
- Verify external services (CDN, analytics, ads) use HTTPS.
- Update social media profiles and external listings with HTTPS URLs.
- Monitor Search Console for crawl errors during the transition.
Troubleshooting Stubborn Mixed Content
Mixed Content From External Scripts You Cannot Control
If a third-party service only offers HTTP, you have limited options: replace the service with an HTTPS alternative, proxy the resource through your own server, or remove it entirely. In 2026, any reputable service supports HTTPS. If a provider does not, it is a red flag about their security practices.
Mixed Content Only Appearing on Certain Pages
This usually indicates page-specific content (images in blog posts, custom HTML blocks) containing hardcoded HTTP URLs. For WordPress, the database search-replace method catches these. For static sites, search your HTML files using cPanel File Manager's search function or via command line.
Padlock Missing Despite No Console Warnings
Some resources (like favicons loaded in browser tabs) may not trigger console warnings but still affect the padlock. Check all resources in the Network tab, filtering by protocol. Also verify that your site itself is not loading in an iframe on a non-HTTPS page.
Frequently Asked Questions
Does mixed content directly lower my Google rankings?
Google has not stated that mixed content is a direct ranking signal. However, it undermines the HTTPS ranking boost, can break page functionality (hurting Core Web Vitals), and increases bounce rates due to security warnings. The cumulative effect on rankings can be significant, especially in competitive niches.
Is the upgrade-insecure-requests header safe to use?
Yes, it is widely supported (97%+ of browsers) and recommended by Google. It silently upgrades HTTP requests to HTTPS without breaking anything — as long as the resources are available over HTTPS. If a resource does not exist at its HTTPS URL, the request will fail. Test key pages after enabling this header.
Can mixed content appear after a WordPress plugin update?
Yes. Plugin updates can reintroduce hardcoded HTTP URLs, especially in plugins that store configuration in the database. After updating plugins, spot-check a few pages using browser DevTools to catch any new mixed content warnings.
Should I use protocol-relative URLs (//example.com) to fix mixed content?
Protocol-relative URLs were a common fix in the past, but they are no longer recommended. Since virtually all websites should be on HTTPS in 2026, use explicit https:// URLs. Protocol-relative URLs can cause issues with some CDNs and services, and they add unnecessary ambiguity.
How long after fixing mixed content will my SEO improve?
The HTTPS ranking signal is applied at the page level, so the benefit appears as Google recrawls each fixed page. For most sites, this takes 1-4 weeks depending on crawl frequency. You can accelerate the process by requesting re-indexing through Google Search Console's URL Inspection tool for your most important pages.