Ultra Web Hosting Docs

Mixed Content & "Not Secure" Warnings

You installed an SSL certificate, but the browser still shows "Not Secure" or a broken padlock. This is mixed content: the page loads over HTTPS, but some images, scripts, or stylesheets still load over insecure http://. The fix is to make every asset use HTTPS.

What Mixed Content Is

When a secure page pulls in even one resource over plain http://, the browser flags the whole page as not fully secure. It may also silently block those insecure resources, which is why images or styles can vanish after you switch to SSL. The goal is simple: every URL on the page should start with https://.

Tip Open your browser's developer console (F12) and look at the Console tab. Mixed content warnings list the exact http:// URLs that need fixing — a fast way to find every offender.

Step 1: Force HTTPS in .htaccess

First, make sure every visitor is sent to the secure version of your site. Add this redirect to the top of your .htaccess file in public_html:

RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

This rewrites any http:// request to https:// with a permanent redirect. If you already have a RewriteEngine On line, do not add a second one.

Step 2: Update Your WordPress Addresses

If you run WordPress, the site's own address settings are often still stored as http://.

  1. In the WordPress admin, go to Settings > General.
  2. Set both WordPress Address (URL) and Site Address (URL) to your https:// address.
  3. Save. WordPress will log you out; log back in over HTTPS.

Step 3: Search-Replace the Database

Old posts and settings can contain hardcoded http:// links to your own domain. Update them in bulk with a database search-replace.

  1. Back up your database first from phpMyAdmin in cPanel.
  2. Run a search-replace of http://yourdomain.com to https://yourdomain.com across the database.
  3. A tool like WP-CLI's search-replace or a trusted plugin handles serialized data safely — do not run a raw SQL replace on serialized fields.
Warning Always back up the database before a search-replace. Use a tool that understands serialized data (WP-CLI or a reputable plugin) rather than a manual SQL query, which can corrupt serialized options.

Step 4: Use a Plugin (the Easy Route)

If editing files and the database sounds daunting, a plugin like Really Simple SSL handles most of the work automatically: it forces HTTPS and rewrites insecure resource URLs on the fly. Install it, activate it, and follow its one-click configuration.

Step 5: Fix Hardcoded URLs

Some http:// links are baked into theme files, widgets, or page-builder content and won't be caught by the steps above. Using the console warnings from earlier:

Verify the Fix

Reload the site in a private window and confirm the padlock is solid with no console warnings. If assets still load insecurely, re-check the console for the remaining http:// URLs and trace each to its source. For SSL certificate setup and renewal, see our SSL guide.

Need a Hand?

If you have forced HTTPS and updated your URLs but a stubborn warning remains, open a support ticket with your domain and the exact resource URL the browser is flagging.