Most website owners know by now that HTTPS is important for SEO. Google confirmed it as a ranking signal back in 2014, and browsers have been actively flagging non-HTTPS sites as "Not Secure" ever since. The majority of sites have made the switch. But switching to HTTPS doesn't automatically mean your site is clean — and the problem that persists quietly on millions of HTTPS sites is mixed content, a technical issue that undermines your security, your user experience, and potentially your rankings, all without any obvious warning in your CMS dashboard.
The Difference Between HTTP and HTTPS
HTTP (HyperText Transfer Protocol) is the foundation of data communication on the web. HTTPS adds a layer of encryption via SSL/TLS, which means data passing between a visitor's browser and your server is encrypted and can't be easily intercepted by third parties.
From an SEO and trust perspective, HTTPS matters for three reasons:
- It's a ranking signal. Google uses HTTPS as a lightweight ranking factor — not the most powerful signal in its algorithm, but a consistent tiebreaker when other factors are roughly equal. Two pages with similar content, links, and on-page optimization will see the HTTPS version rank higher.
- It affects user trust. Browsers display a padlock icon for HTTPS sites and a "Not Secure" warning for HTTP sites. Visitors who see that warning — especially on pages with forms or checkout flows — are significantly less likely to convert.
- It's table stakes. At this point, being on HTTP isn't just a ranking disadvantage — it's a credibility problem. Users and search engines alike expect HTTPS as the baseline.
What Mixed Content Is and Why It Happens
Mixed content occurs when an HTTPS page loads one or more resources — images, scripts, stylesheets, iframes, fonts, or other files — over an insecure HTTP connection. The page itself is served over HTTPS, but some of its components are being fetched from HTTP URLs.
This almost always happens after an HTTP-to-HTTPS migration. The page URLs get updated to HTTPS, but references within the page content — particularly images embedded in blog posts, external scripts, and CSS files — still point to HTTP sources. The migration changes the page wrapper; it doesn't automatically update every URL reference within the content itself.
Other common sources of mixed content:
- Hardcoded HTTP URLs in content. Images, videos, or embeds added to blog posts or pages using explicit http:// URLs in the HTML.
- Third-party embeds. Older embed codes from YouTube, social media, maps, or analytics scripts that still use HTTP URLs.
- External stylesheets or fonts. CSS or font files loaded from external servers that haven't been updated to HTTPS.
- Legacy plugins or themes. WordPress plugins and themes that reference assets using hardcoded HTTP paths in their code.
- Database-stored URLs. In CMS platforms like WordPress, the site URL and content URLs are often stored in the database. A migration that updates the site URL setting but doesn't run a database search-and-replace can leave thousands of HTTP references embedded in post content.
Active vs. Passive Mixed Content
Not all mixed content is equally serious. Browsers and Google treat two types differently:
Passive mixed content refers to resources that are displayed but don't interact with the page — primarily images and videos. A browser will typically still load these but display a warning indicator (the padlock may appear with a caution icon rather than a clean lock). The security risk is lower because an attacker intercepting an image can't easily use it to modify the page.
Active mixed content refers to resources that can interact with or modify the page — JavaScript files, CSS stylesheets, and iframes. Modern browsers block active mixed content entirely because an attacker who intercepts a JavaScript file over HTTP can inject malicious code into your HTTPS page, completely undermining the security the SSL certificate is supposed to provide. If your page has active mixed content that's being blocked, parts of your page may fail to load or function correctly.
How Mixed Content Affects Rankings
The direct ranking impact of mixed content is debated, but the indirect effects are clear and significant:
It undermines your HTTPS ranking signal. The SEO benefit of HTTPS is tied to the security it provides. A page with active mixed content that browsers are blocking isn't truly secure — and Google's quality systems are sophisticated enough to detect and factor in security issues at the page level.
It degrades user experience. Blocked active mixed content means broken functionality — scripts that don't run, styles that don't load, interactive elements that fail silently. Users who encounter a broken page bounce quickly, and high bounce rates are a negative engagement signal that can suppress rankings over time.
It erodes trust signals. When browsers display a security warning alongside your content, conversion rates drop, time-on-site drops, and the page's overall engagement profile weakens — all factors that indirectly influence how Google evaluates page quality.
How to Find Mixed Content on Your Site
The most reliable way to find mixed content is to check your pages with a tool that fetches each URL and inspects what resources it loads, flagging any that come from HTTP sources. The Mixed Content / HTTPS Checker does exactly this — enter any URL and it returns a full breakdown of the page's resources, highlighting any that are being loaded over insecure HTTP connections. Run it on:
- Your homepage
- Your most important landing pages
- A representative sample of blog posts, especially older ones published before your HTTPS migration
- Any page with complex embeds, third-party widgets, or external media
You can also check individual pages manually in Chrome: open Developer Tools (F12), go to the Console tab, and look for warnings beginning with "Mixed Content." Each warning will tell you the exact URL of the insecure resource being loaded.
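The kind of check described above, as an added example that is not part of the original article or of the checker tool it mentions: a Python scanner that parses a page's HTML, resolves each resource reference against the page URL, and labels every http:// load as active or passive using the distinction from the earlier section. The example.* hosts and the sample markup are constructed, and resources pulled in from inside CSS files or by scripts at runtime are outside what it sees.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# tag -> URL attribute. "Active" can modify the page; "passive" is only displayed.
ACTIVE = {"script": "src", "iframe": "src", "embed": "src", "object": "data"}
PASSIVE = {"img": "src", "video": "src", "audio": "src", "source": "src"}

class MixedContentScanner(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []  # (kind, tag, absolute URL)

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "link":  # only rel=stylesheet is fetched and applied; canonical is not
            if "stylesheet" in a.get("rel", "").lower().split():
                self._check("active", tag, a.get("href", ""))
        elif tag in ACTIVE:
            self._check("active", tag, a.get(ACTIVE[tag], ""))
        elif tag in PASSIVE:
            self._check("passive", tag, a.get(PASSIVE[tag], ""))
            for candidate in a.get("srcset", "").split(","):  # "url 2x, url 3x"
                self._check("passive", tag, (candidate.split() or [""])[0])

    def _check(self, kind, tag, ref):
        # Relative and protocol-relative (//host/x) refs inherit the page's scheme.
        url = urljoin(self.page_url, ref.strip())
        if urlsplit(url).scheme == "http":
            self.findings.append((kind, tag, url))

def scan(page_url, html):
    if urlsplit(page_url).scheme != "https":
        return []  # mixed content is defined only for HTTPS pages
    scanner = MixedContentScanner(page_url)
    scanner.feed(html)
    return scanner.findings

# Constructed sample page (not from a real site).
SAMPLE = """<link rel="canonical" href="http://example.com/post">
<link rel="stylesheet" href="http://example.com/theme.css">
<script src="//cdn.example.net/lib.js"></script>
<script src="http://widgets.example.org/embed.js"></script>
<a href="http://example.com/old">old link</a>
<img src="http://example.com/uploads/2013/photo.jpg">
<img src="/a.png" srcset="http://example.com/a-2x.png 2x">
<iframe src="http://maps.example.org/embed"></iframe>"""
if __name__ == "__main__":
    print(*scan("https://example.com/post", SAMPLE), sep="\n")
```

The canonical link and the plain `<a href>` are not reported because neither is loaded as a page resource, while the `srcset` candidate is reported even though the same image's `src` is clean.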
How to Fix Mixed Content
Once you've identified the sources, fixing mixed content is usually straightforward:
- Update hardcoded HTTP URLs to HTTPS. For resources on your own server, simply change http:// to https://. Most servers serve the same resources over both protocols — you just need to update the reference.
- Run a database search-and-replace. For WordPress and similar CMS platforms, tools like Better Search Replace can update HTTP URLs stored in the database to HTTPS across all posts and pages in one operation. Always back up your database first.
- Update or replace third-party embeds. Get updated embed codes from third-party services — most now provide HTTPS embed codes by default. Replace any legacy HTTP embeds.
- Use a Content Security Policy upgrade directive. Adding a Content-Security-Policy: upgrade-insecure-requests HTTP header tells browsers to automatically upgrade HTTP resource requests to HTTPS. This is a useful safety net but shouldn't replace fixing the underlying URLs.
- Update plugin and theme assets. For hardcoded HTTP references in plugin or theme code, update to the current version (many have been patched) or replace with alternatives that use HTTPS correctly.
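An added sketch of the first two fixes above (not the article's code, and not how Better Search Replace works internally): it upgrades http:// references only for hosts you list as your own and reports every other host still referenced over http://, so those can be checked by hand. The function name, hosts and post body are constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Matches an absolute http:// URL up to the first quote, space, bracket or paren.
HTTP_URL = re.compile(r"http://[^\s\"'<>()]+", re.IGNORECASE)

def upgrade_own_urls(content, own_hosts):
    """Rewrite http:// to https:// only for hosts in own_hosts.

    Returns (new_content, rewritten_count, other_hosts), where other_hosts are
    hosts still referenced over http:// that need checking by hand.
    """
    own = {h.lower() for h in own_hosts}
    other, count = set(), 0

    def rewrite(match):
        nonlocal count
        url = match.group(0)
        try:
            host = (urlsplit(url).hostname or "").lower()
        except ValueError:  # malformed URL: leave it untouched
            return url
        if host in own:
            count += 1
            return "https://" + url[len("http://"):]
        other.add(host)
        return url

    return HTTP_URL.sub(rewrite, content), count, sorted(other)

# Constructed post body (not from a real site).
POST = ('<p><img src="http://example.com/uploads/2013/photo.jpg"> '
        '<a href="HTTP://www.example.com/about">about</a></p>'
        '<script src="http://widgets.example.org/embed.js"></script>')

if __name__ == "__main__":
    print(upgrade_own_urls(POST, ["example.com", "www.example.com"]))
```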
HTTPS and mixed content sit within the broader technical SEO foundation covered in the guide to what technical SEO covers. Alongside canonical tags, XML sitemaps, and robots.txt, getting your HTTPS implementation fully clean is one of the core tasks that determines how effectively search engines can trust, crawl, and rank your pages.