Detect and remove mixed content



Despite activated SSL encryption, your website does not receive the coveted "green padlock" for secure connections, but only a notice about mixed content. That is unlikely to inspire trust in the security of your website.

What's wrong?

In this article, you'll learn how to find and remove or replace mixed content on your website to achieve proper SSL encryption for your website.

Tip: If you use Managed WordPress, you do not need to make these adjustments. We automatically optimize your content in the background to prevent mixed content.

What is Mixed Content?

Mixed content occurs when a website that is accessed in encrypted form via HTTPS delivers content partially unencrypted via HTTP. Typical candidates for mixed content are images, audio and video files, iFrames, CSS and JavaScript files, and objects.

Depending on the browser used, the mixed content is displayed in the address bar:


A fully encrypted delivery of all website content via HTTPS would look like this in the address bar of the browser:

Secure connection

The developer tools (console) in Google Chrome or in the Firefox browser provide you with a detailed overview of which website content triggers the mixed-content warning.

In the Google Chrome browser, the developer tools are found in the main menu under: View > Developer > Developer Tools (keyboard shortcuts: Ctrl+Shift+I / Cmd+Opt+I)

In the Console area, you can now see in detail which contents or data lead to the displayed mixed content:

A good alternative to the developer tools of browsers is the online tool Why No Padlock. There you simply enter the URL of your website. After a short time, you will receive clear, meaningful and very detailed instructions on what content you need to customize to remove mixed content.

Distinguish between active and passive mixed content

To get a little deeper into the technology, there are two types of mixed content:

1. Mixed passive content is web content that cannot modify other parts of a website, but is simply delivered. This includes images, videos, audio files, and object sub-resources that are integrated into a web page.

2. Mixed active content is web content that is part of the Document Object Model (DOM) of a website. This content can permanently change parts of a web page and their behavior. It includes links, scripts (e.g. JavaScript), XMLHttpRequest objects, iFrames, CSS files that work with URLs, and object data attributes.
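
The following Python script is an added example, not part of the original article: it scans a page's HTML for sub-resources requested over plain HTTP and labels each one as passive or active according to the two lists above. The sample markup and all names in it are constructed for illustration, and "links" is interpreted here as stylesheet <link> elements, which is an assumption.

```python
import re
from html.parser import HTMLParser

# (tag, attribute) pairs that fetch a sub-resource, grouped as the article's two lists do.
PASSIVE = {("img", "src"), ("audio", "src"), ("video", "src"), ("source", "src")}
ACTIVE = {("script", "src"), ("iframe", "src"), ("object", "data")}
CSS_URL = re.compile(r"url\(\s*['\"]?(http://[^'\")\s]+)", re.I)

class MixedContentFinder(HTMLParser):
    """Collects (kind, tag, url) for each sub-resource requested over plain HTTP."""
    def __init__(self):
        super().__init__()
        self.findings = []

    def _add(self, kind, tag, url):
        if url.strip().lower().startswith("http://"):
            self.findings.append((kind, tag, url.strip()))

    def handle_starttag(self, tag, attrs):
        a = {name: value or "" for name, value in attrs}
        for name, value in a.items():
            if (tag, name) in PASSIVE:
                self._add("passive", tag, value)
            elif (tag, name) in ACTIVE:
                self._add("active", tag, value)
        # <link> only fetches for some rel values; a stylesheet is active content.
        if tag == "link" and "stylesheet" in a.get("rel", "").lower():
            self._add("active", tag, a.get("href", ""))
        # Inline CSS that references a URL is active content too.
        for url in CSS_URL.findall(a.get("style", "")):
            self._add("active", tag + "[style]", url)

def find_mixed_content(html):
    finder = MixedContentFinder()
    finder.feed(html)
    return finder.findings

# Constructed sample markup, assumed to be served from an HTTPS page.
SAMPLE = """
<link rel="stylesheet" href="http://fonts.googleapis.com/css?family=Roboto">
<link rel="canonical" href="http://example.com/">
<script src="http://cdn.example.net/lib.js"></script>
<img src="http://example.com/wp-content/uploads/logo.png">
<a href="http://example.org/">ordinary hyperlink, not a sub-resource</a>
<div style="background: url('http://example.com/bg.jpg')"></div>
"""

if __name__ == "__main__":
    for kind, tag, url in find_mixed_content(SAMPLE):
        print(f"{kind:7} <{tag}> {url}")
```

The canonical link and the ordinary hyperlink are not reported, because neither causes the browser to load a sub-resource.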

Remove and replace mixed content (WordPress)

In principle, the problem in WordPress can be solved in two simple steps:

Convert HTTP Links to HTTPS Links

You can use various methods to replace the links in the WordPress database.

Important: Before you make any adjustments to your WordPress database, please make sure you create a database backup: Backup database with phpMyAdmin

a) WordPress Plugin: Better Search Replace.
A simple but efficient WordPress plugin, which also offers the possibility of a test run (a so-called dry run) for searching and replacing in the database. Individual database tables can also be selected or deselected.

b) PHP script: Database Search and Replace by Interconnect/it
A PHP script that you copy via (S)FTP into a folder, which you create first, on the web space inside the folder where WordPress is installed: Transfer files via SFTP with FileZilla
After that you can open Database Search and Replace at http(s)://wordpress.adresse/created-folder/. It offers more features than the Better Search Replace plugin.
The biggest advantage of this method is its independence from a working WordPress installation. In other words, even if the WordPress installation no longer works, so that you can no longer log in to the WordPress backend and have no access to your plugins, changes to the WordPress database via Database Search and Replace are still possible without any problems.

c) WP-CLI: WP-CLI is installed on all of IONOS's web hosting servers.
With this handy command line tool you can easily customize links in the WordPress database with Search and Replace.
To do this, access your web space via SSH and change to the folder of your WordPress installation: Shell Access (SSH) with PuTTY

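Here you adjust the links with these commands (example.com is a placeholder for your own domain):

wp search-replace 'http://example.com' 'https://example.com'
wp search-replace 'http://www.example.com' 'https://www.example.com'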

Set up a 301 redirect

If the links belonging to the website have been switched from HTTP to HTTPS, you only need to set up a permanent 301 redirect.

Apache: If the website runs on an Apache web server, you must add the following lines to the .htaccess file associated with the web page:

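<IfModule mod_rewrite.c>
  RewriteEngine On
  RewriteCond %{SERVER_PORT} 80
  # www.example.com is a placeholder for your own domain; R=301 makes the redirect permanent
  RewriteRule ^(.*)$ https://www.example.com/$1 [R=301,L]
</IfModule>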

Nginx: If the website in question runs on an Nginx web server, you must add the following to the VHost configuration of the Nginx web server, for example:

server {
    listen 80;
    # www.example.com is a placeholder for your own domain
    return 301 https://www.example.com$request_uri;
}

Your browser still displays the mixed content warning?

Unfortunately, there are no general steps for troubleshooting at this point.
Across the large number of WordPress themes and plug-ins, developers often hard-code external resources (e.g. Google Fonts) into the source code via HTTP. Replacing the links in the database does not help here; the source code of the theme or plug-in must be adjusted manually.

Another reason may be image, iFrame, CSS and JavaScript files from external sites that were embedded after the HTTP links were searched and replaced, or that are simply not offered via HTTPS.

This article was published on 12 Sep 2018 by sebastian.zientek as part of the topic SEO.