Mixed content occurs when an HTTPS page loads resources (images, scripts, stylesheets, iframes) over insecure HTTP connections. This undermines the security guarantees of HTTPS because an attacker could tamper with the HTTP resources.
Types of Mixed Content
- Active mixed content — Scripts, stylesheets, iframes, and other resources that can alter the page. Modern browsers block these by default.
- Passive mixed content — Images, audio, and video. Browsers may still load these but display a warning (no padlock icon).
Common Causes in WordPress
- Hardcoded
http://URLs in post content or theme files - Plugins loading resources via HTTP
- External embeds (iframes, scripts) using HTTP
- Images inserted before the HTTPS migration with absolute HTTP URLs
What InspectWP Checks
InspectWP scans your page for any resources loaded over HTTP on an HTTPS page and lists them all. This helps you identify and fix every mixed content issue.