Mixed content warnings are a severe problem for WordPress sites that implement SSL encryption. We explain mixed content warnings and show you how to avoid them.
There are many advantages to delivering content from your site over HTTPS:
- Firstly, it helps give users confidence that communication between your site and their browser isn’t being eavesdropped on.
- Secondly, it guarantees that a man-in-the-middle attacker isn’t intercepting the content you send.
- Finally, it can even help your site’s SEO.
But implementing HTTPS isn’t as simple as it might be. In this article, I want to look at a problem that often plagues established WordPress websites as they move to encrypted connections: mixed content warnings.
What Is A Mixed Content Warning?
Simply put, a mixed content warning is a message displayed by browsers to indicate that a site is serving both secure and insecure content, an alarm that can be worrying for a visitor.
Some content is encrypted and served over HTTPS, and some is being served over HTTP. Unfortunately, that puts users at risk because they expect content to be encrypted, while in reality, a site that serves mixed content poses the same risks as a site that isn’t secure at all.
The browser’s address bar will indicate that the site is secure, but the unencrypted assets pose a significant risk, particularly if insecure scripts are being loaded.
A typical WordPress page contains assets drawn from numerous sources: the database, themes, plugins, WordPress core, etc. That can make it incredibly tricky to secure everything. So, a good way to avoid mixed content in WordPress.
Mixed content warnings are a problem because even if your site is secure, and so not serving any malicious content, users will see a prominent warning indicating that it is untrustworthy. For business websites or websites that involve the communication of sensitive data, mixed content warnings are not desirable.
Mixed content warnings often cause issues on established WordPress sites with large image databases. For example, if a single image that appears on a page is not served over HTTPS, users will see the warning.
It’s also an issue for sites that load third-party content over which they have little control, the paradigmatic example being advertising. Although many advertising networks now serve content over HTTPS, it’s not unusual to find mixed content warnings triggered by an insecure ad.
Finding Insecure Content
Finding insecure content is not easy, especially for sites with thousands of pages. The least appealing option is visiting every page, viewing the source, and searching for “HTTP” URLs. If you have some coding chops, you can automate the process. That works for some assets, but WordPress will often load scripts that load assets, which may load other assets, and so on, making it impossible to be entirely sure that the source you load will be the same as the source every one of your users is sent.
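One way to automate the view-source search, as an added example that is not part of the original article: it parses a page's markup and reports only the plain-HTTP URLs the browser would actually fetch, ignoring ordinary links and metadata that a text search for “HTTP” would also match. The names `find_mixed_content`, `FETCHED` and `SAMPLE` and the example domains are assumptions, and because it reads static markup only, it cannot see assets that scripts load at runtime.

```python
from html.parser import HTMLParser

# (tag, attribute) pairs that make the browser fetch a subresource for the page.
FETCHED = {("script", "src"), ("iframe", "src"), ("link", "href"),
           ("img", "src"), ("img", "srcset"), ("source", "src"),
           ("source", "srcset"), ("audio", "src"), ("video", "src")}


class MixedContentFinder(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []  # (tag, attribute, url) for each plain-HTTP subresource

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        # rel="canonical" and similar <link> metadata is never fetched: skip it.
        if tag == "link" and "stylesheet" not in (attrs.get("rel") or "").lower().split():
            return
        for name, value in attrs.items():
            if (tag, name) not in FETCHED or not value:
                continue
            # srcset is a comma-separated list of "url descriptor" candidates.
            candidates = value.split(",") if name == "srcset" else [value]
            for candidate in candidates:
                parts = candidate.split()
                if parts and parts[0].lower().startswith("http://"):
                    self.findings.append((tag, name, parts[0]))


def find_mixed_content(html):
    finder = MixedContentFinder()
    finder.feed(html)
    finder.close()
    return finder.findings


# Constructed sample: markup as an HTTPS WordPress page might serve it.
SAMPLE = """
<link rel="canonical" href="http://example.com/post/">
<link rel="stylesheet" href="http://example.com/wp-content/themes/t/style.css">
<script src="https://example.com/wp-includes/js/jquery.js"></script>
<script src="http://ads.example.net/show.js"></script>
<a href="http://example.org/">ordinary link, not mixed content</a>
<img src="//cdn.example.com/ok.png" srcset="http://example.com/a.jpg 1x, https://example.com/b.jpg 2x">
"""

if __name__ == "__main__":
    for finding in find_mixed_content(SAMPLE):
        print(*finding)
```
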
Alternatively, you can use a service like SSL Check, which will recursively crawl a website and report on any insecure content it finds.
A final option is to use the WordPress plugin HTTPS Mixed Content Detector, which will log insecure items on pages as you visit them in your browser.