Mixed Content: Why You Shouldn’t Use HTTP Content On Your HTTPS Website

http content on your https website

Mixed content happens if your site is secure, and yet you uploaded other content on a connection that is not secure. This can happen to anyone, but few bloggers notice it.

Today, I want to deal with this subject and tell you what mixed content is, how it happens, and why you shouldn’t use HTTP content on your HTTPS website.

What is mixed content? 

Mixed content refers to those that have a connection mixture of secure and not secure. Most of the time, this happens when you upload your written posts on a website that has an HTTPS connection. Later on, you decide to update it and add some videos, images, and other website stuff like scripts.

The thing that happens is that when you uploaded your images and videos, they were uploaded on a connection that is not secure or a connection that operates on HTTP only.

So, what happens now is that your text is secure, which is accessible via the protocol HTTPS. Still, your images and videos are not secure, which are accessible via the protocol HTTP.

The result is mixed content because there is a mixture of HTTP and HTTPS content for the same web page.

Is this bad? Yes, it is.

The HTTP protocol weakens the entire page, making it vulnerable to attacks. What can happen is that the attacker can replace the content of your website, specifically the ones that are loaded via HTTP.

The worst thing that can happen is that the attacker can take control over the entire page and not just the content that is on the insecure connection.

The two types of mixed content

There are two types of mixed content called passive and active.

Passive mixed content is not as dangerous as the active one. In passive mixed content, you are still vulnerable to security issues. If an attacker chooses to hack you, he can intercept your insecure images’ requests because they are loaded as HTTP.

If he gets access to this, he can replace the images. He can also make changes to how the buttons function. If you have infographics, he can change them with something else, like an ad for his business.

On the other hand, active mixed content gives an attacker the ability to control the entire page. Active mixed content is one where the content could interact with the entire page.

An example of this is a script loaded as HTTP content. Other examples are codes and stylesheets used to display your web page.

The business impact of mixed content

Mixed content does not only bring the danger of getting hacked. It can affect your business in so many ways.

Here are some other things that can happen if you have mixed content.

  • Loss of revenue – if a hacker decides to change your images with theirs, you will not make money with any ads. If parts of your website show images of products and services you sell, these images will be gone, and no consumer will see them. Instead, they will see the image that the hacker used.
  • Loss of traffic – if you have mixed content, Google and other browser providers will warn the user. This warning indicates that your site is not secure. You are lucky if the consumer can still access your page and only see a small warning at the URL.

The big problem is that in many cases, your webpage will not display. Instead, the browser will tell the user that the site he is trying to access is insecure. Some browsers will ask the user if he wants to continue. Some will not.

Regardless of what the browser does, it is likely that the user will not stay long or will not access your site at all. And if you do not have traffic, your business is going to suffer.  

  • Data breach – the last danger is a data breach where the hacker intercepts your content. If your HTTP content is a script where you ask consumers to put in their info, you are in a real tight spot. If the hacker gets to intercept info, God knows what he will do with them.

He can send unsolicited emails to them and pretend that it is you. There are so many bad things that a hacker can do, and the last thing you want is for you and your users to be at the end of that spectrum.

As you can see, hackers do not just do hacking for fun. They do it because they want an unethical way to get money. The worst thing that can happen to you is to get blackmailed by these crooks.

You have to treat mixed content with seriousness and utmost priority. If you don’t, it is like a timebomb that is just waiting to blow.

How to avoid mixed content

Now that we know why you should not have mixed content, let us talk about how you can avoid it.

  • STEP 1: Find out if there is mixed content

First off, you need to know if it exists on your website. What you can do is to subscribe to an SEO service, like Semrush or AHREFs. Tools like this will automatically determine mixed content and let you know.

The alternative to finding mixed content is to visit each of your webpages. If your domain name is hosted with SSL and yet you see on your browser that the page is “Not Secure,” then it is very likely that you have mixed content.

To verify, right-click on the page and click on View Source Page. Click CTRL+F and then look for “mixed content” or simply look for areas where there are HTTP instead of HTTPS.

  • Step 2: Fix the issue

The second step is to make sure that your site domain has SSL. The site’s SSL may have expired. If you have SSL and some of your content still shows not secure, then you may have to re-upload your files because the first time you did it, it is not secure yet.  

This is tedious, I know. Mixed content is a bigger problem than you think. One thing you can do is to download and install a mixed content error plugin. However, you can only use this approach with WordPress.

Once installed, it will find the mixed content for you, and you can migrate all of them to a secure connection or HTTPS. It is automatic, so it will take only a few clicks to make this happen.


Google Chrome and other browsers are in the process of updating their software. Shortly, these browsers will no longer show content that is hosted on HTTP. The worst thing about this is that if your site has mixed content, the browser will treat the entire page as HTTP and consider it insecure. Website security is of paramount importance to users.

As such, the user trying to access your web page will not see a page at all. Instead, he will see a warning from his browser saying that your site is insecure.

And as you know, traffic is the bloodline of every website. As such, you have to determine if you have any HTTP content and then fix these. Reload them on secure hosting and make your entire business an HTTPS website.

John Kilmerstone

I'm an Aussie living in Japan who enjoys traveling, photography, and blogging. Please visit this website and explore the wonderful world of blogging. Discover how to turn your passions and pastimes into an online business.

Recent Posts