When things go wrong: SSL mixed content issues

insecure website message from browser Marina Reznor

Mixed content: yellow flags

Last week we discussed a major website red flag, the SSL certificate failure (When things go wrong: SSL Certificates). I mentioned the mixed content issue in the broader context of converting to an HTTPS from an HTTP protocol, but let’s dive a bit deeper into mixed content.

browser error messages
Typical web browser security messages (wired.com)

The first indication you have mixed content is when the green padlock icon in the web browser tool bar will be replaced with an “i” or a padlock with a yellow flag. You know your SSL certificate is current, so what could it be? You can click on the security icons for vague messages, or you can inspect your website yourself (the simple process is described well at really-simple-ssl, scroll half way down for directions).

Chances are the web browser has flagged an image you are linking to that is still running on an insecure server. Amazon is notorious for serving images from an HTTP, and if you’re linking to a book you have on Amazon this could be the culprit. You’ll have to figure out the work-around; it could be as simple as importing the image to your media file yourself and linking the image to the destination.

Isn’t there a plugin to fix that?

SSL Insecure Content Fixer is a nice plugin, free for WordPress.org installs, that will analyze your site and offer fixes. When installed, begin with the default settings (located on your Admin panel under Settings) and then go to Tools > SSL Tests to verify WordPress can detect the HTTPS. You are looking for a green check mark, but if there are issues or warnings the plugin suggests fixes. Full directions are on the their nice website, here.

Mmmmm, still getting that yellow flag.

Images linking to insecure sites aren’t the only cause of mixed content insecure site yellow flags – another cause can be that some webpages are not secured while only the home page (or shop page) is secure. In this instance you can try a free plugin (for WordPress.org installs) called WP Force SSL, but the best course of action might be to start with a call or chat with your hosting provider.

Leave a Reply

Your email address will not be published. Required fields are marked *