Menu

All help articles

Fix insecure content

Updated on October 22nd, 2024

Note

Serving your site securely via HTTPS (which displays the padlock icon in-browser), requires an SSL certificate. Flywheel offers free SSL certificates, or you can provide your own. If your site doesn’t have one installed yet, start here.

If you’ve recently forced HTTPS on your site and are noticing some broken images or assets — or if they’re loading properly but you’re seeing “insecure content” warnings and not seeing the padlock in the browser bar – this is likely due to images and other assets being called into the page insecurely.

There are a few ways to tackle this issue, so read on!

Use relative links

When you’re forcing HTTPS, your browser tries to require all site assets to be served via the secure HTTPS protocol. But if you have hard-coded HTTP URLs or active plugins that are using HTTP explicitly, you’ll likely see a warning in the browser address bar instead of the famous padlock, meaning that while your site is loading over HTTPS, it’s calling insecure assets over plain HTTP.

There are a few ways to go about addressing this problem. The best way is to use your browser’s developer tools (and console, specifically) to determine what assets are being called via HTTP. Once you’re aware of those URLs, you can track them down in your site’s content, settings, template files or plugins, and switch them to HTTPS.

In most cases, you can also use relative links with WordPress. For example, if you have a link that looks like this:

http://www.mysite.com/wp-content/uploads/01/image.jpg

You can either replace “http” with “https” to force the image to load securely, or you can make it a relative link by removing the domain entirely, like so:

/wp-content/uploads/01/image.jpg

Relative links follow the lead of whatever protocol the page is already using, so if you’re forcing HTTPS, a relative link will always load over HTTPS automatically.

Update links in the database

Sometimes a site’s database can make reference to HTTP links. If you’re not familiar with the MySQL language, you can use a search-and-replace plugin like Better Search Replace to automate the process of updating HTTP links and URLs to HTTPS in your database. Just be aware that you should use the full protocol and domain together in both the “search” and “replace” fields, like so: searching for “http://example.com” and replacing with “https://example.com”.

Note the full protocol at the beginning and lack of a slash or other text at the end of those domains. Aside from the extra “s,” the two should be identical.

Warning

Be extremely cautious when making updates directly to the database; a mistake can break your site, so it’s best to make a backup before making any changes or replacements.

The above techniques should fix the issue, but it will depend somewhat on the site and theme. If your theme stores its settings and other data in unusual ways in the database, or if the theme files themselves contain references to the HTTP version of your domain, you’ll likely need to make a manual replacement. This will also be the case if you have background images stored as HTTP links in your site’s CSS.

Note

If your site is on our Flywheel Cloud Platform, our system will automatically update your database links to HTTPS once an SSL certificate is successfully installed and propagated to our global load balancers (roughly an hour after SSL installation)!

Check your theme or page builder’s caching/performance options

Some themes and site builders have their own layer of cache or offer a feature which generates static CSS files. While these things can improve site performance, they can also prevent protocol (HTTP/HTTPS) changes from showing immediately. Linked below are some resources from some of the more popular site builders which explain how to update static CSS files and/or clear theme cache.

Try plugin-based solutions

If you’ve looked through your theme files and plugins but are still not getting the padlock icon, there are plugins available to try to help rewrite HTTP URLs to HTTPS on the fly. There are also plugins available that can help resolve this. Once activated, the plugin will attempt to switch any HTTP URLs to HTTPS so they can be served properly. Note, however, that plugins are not able to change hard-coded URLs in content or in theme or plugin files.

If a plugin doesn’t seem to be working right away, be sure to head to Settings > SSL Insecure Content from the WordPress admin menu and adjust as recommended. Depending on how your site is configured, “Simple” mode may work for you, or you may need to change it to a higher setting.

We also use Why No Padlock to help identify any remaining insecure assets. It’s a very simple website that you can enter your site’s web address into (don’t forget the HTTPS!). Enter your URL and click ‘Run’ to see the results. Any URLs that are being called insecurely will be listed for you to investigate.

If you’re still stuck after that, or if you have any other questions, contact us, and we’ll be happy to do what we can to help identify any other insecure asset issues and recommend fixes.

Note

Forcing HTTPS through the Advanced tab of the site’s Flywheel dashboard may not change the site or home URLs you see in WordPress settings to HTTPS. This is normal; the redirect happens at the server level, before those URLs can come into play. We often leave the home and/or site URLs as HTTP to prevent other issues, but it won’t affect the site’s loading via HTTPS.

Need help?

If you have any questions our Happiness Engineers are here to help!

Was this article helpful?

Yes No
or contact Support

Getting Started

New to Flywheel? Start here, we've got all the information you'll need to get started and launch your first site!

View all

Account Management

Learn all about managing your Flywheel user account, Teams and integrations.

View all

Billing

Everything about billing, invoices and payments can be found here.

View all

Features

Flywheel hosting plans include a ton of great features. Learn about how to get a free SSL certificate, set up a staging site, and more!

View all

Platform Info

All the server and setting info you'll need to help you get the most out of your Flywheel hosting plan!

View all

Site Management

Tips and tricks for managing your sites on Flywheel, including going live, troubleshooting issues and migrating or cloning sites.

View all

Developer Hub

Learn how to connect, deploy, and more with SSH on Flywheel's platform.

View all

Growth Suite

Learn more about Growth Suite, our all-in-one solution for freelancers and agencies to grow more quickly and predictably.

View all

Managed Plugin Updates

Learn more about Managed Plugin Updates, and how you can keep your sites up to date, and extra safe.

View all

Local

View the Local help docs

 

Flywheel help

Help is just a click away! Log into Flywheel dashboard to instantly chat with an expert, respond to a ticket, or follow along with in-depth documentation. We happily offer support 24 hours a day, 7 days a week, 365 days a year!

Log in

Try Flywheel today

Launch your next site on WordPress in minutes.

 Free migrations  24/7/365 support  14 day demo sites
Get started
Features
Flywheel for
Resources
Company
Customers

© 2013–2024 WPEngine, Inc. All rights reserved.
WP ENGINE®, VELOCITIZE®, TORQUE®, EVERCACHE®, and the cog logo service marks are owned by WPEngine,Inc. | Privacy Policy

1WP Engine is a proud member and supporter of the community of WordPress® users. The WordPress® trademarks are the intellectual property of the WordPress Foundation, and the Woo® and WooCommerce® trademarks are the intellectual property of WooCommerce, Inc. Uses of the WordPress®, Woo®, and WooCommerce® names in this website are for identification purposes only and do not imply an endorsement by WordPress Foundation or WooCommerce, Inc. WP Engine is not endorsed or owned by, or affiliated with, the WordPress Foundation or WooCommerce, Inc.