You've installed an SSL certificate in Plesk, your site loads over HTTPS — but visitors still see a padlock warning or a broken layout. Images aren't loading, CSS is missing, or the browser console shows red errors. This is a Plesk mixed content HTTPS error: the page itself is served securely, but some resources on it are still requested over plain HTTP.
This guide shows you how to diagnose exactly which resources are causing the problem and fix them permanently — using browser DevTools, Plesk's panel settings, and server-level headers when needed.
What Is Mixed Content and Why Does It Break Your Site?
Mixed content happens when an HTTPS page loads one or more resources (images, scripts, stylesheets, iframes, fonts) via HTTP. Browsers treat this as a security risk because an attacker could intercept the unencrypted HTTP resource and inject malicious code into an otherwise secure page.
There are two types:
- Passive mixed content — images, audio, video loaded over HTTP. Browsers show a warning but still display the resource.
- Active mixed content — JavaScript, CSS, iframes loaded over HTTP. Modern browsers (Chrome, Firefox, Edge) block these entirely. This is why your layout breaks or scripts stop working.
The browser console error looks like:
Mixed Content: The page at 'https://yourdomain.com' was loaded over HTTPS,
but requested an insecure resource 'http://yourdomain.com/wp-content/uploads/image.jpg'.
This request has been blocked; the content must be served over HTTPS.💡 None of these worked? Skip the guesswork.
Get Expert Help →Step 1: Identify Mixed Content Errors with Browser DevTools
Before you can fix mixed content, you need to know exactly which URLs are still loading over HTTP.
Press F12 (Windows/Linux) or Cmd + Option + I (Mac) to open DevTools.
Reload the page. Look for red or yellow warnings mentioning "Mixed Content" or "blocked:mixed-content". Each warning shows the exact URL of the insecure resource.
In DevTools, click the Security tab. If the page has mixed content, it shows "Non-Secure Origins" listing every HTTP resource that was requested.
Mixed content often appears on specific pages but not others — check your homepage, a blog post, a product page, and your contact form separately. The Console clears on each navigation.
For sites with many pages, tools like Why No Padlock (whynopadlock.com) or JitBit SSL Checker (jitbit.com/sslcheck/) scan an entire site and list all mixed content URLs in one report.
In WordPress Admin, go to Settings → General. Change both WordPress Address and Site Address from http:// to https://.
The WP CLI command (run via Plesk's SSH terminal) updates all HTTP URLs in the database at once:
wp search-replace 'http://yourdomain.com' 'https://yourdomain.com' --skip-columns=guidAlternatively, use the Better Search Replace WordPress plugin for a UI-based approach.
Clear your WordPress cache plugin, Plesk's nginx cache, and any CDN cache after the database update.
For Custom Sites and CMS Platforms
Search your codebase for hardcoded http:// URLs in template files, config files, and CSS. In Plesk's File Manager or via SSH:
grep -r "http://yourdomain.com" /var/www/vhosts/yourdomain.com/httpdocs/ --include="*.php" --include="*.css" --include="*.js"Replace each occurrence with https://yourdomain.com or use a protocol-relative URL (//yourdomain.com) for resources that must work over both HTTP and HTTPS.
In Plesk, go to your domain → Hosting & DNS → Apache & Nginx Settings.
In the Additional nginx directives field, add:
add_header Content-Security-Policy "upgrade-insecure-requests;" always;In the Additional Apache directives field, add:
Header always set Content-Security-Policy "upgrade-insecure-requests"Reload your site and check DevTools Console — mixed content warnings should be gone. The browser will now automatically rewrite HTTP resource requests to HTTPS before making the connection.
Important: upgrade-insecure-requests only works for resources on your own domain. External resources (third-party scripts, CDN assets, embedded iframes) must be fixed at the source or added to your own HTTPS-enabled CDN.
In Plesk, go to your domain → Hosting & DNS → Hosting Settings. Check Permanent SEO-safe 301 redirect from HTTP to HTTPS and click OK.
This adds a server-level redirect so http://yourdomain.com permanently redirects to https://yourdomain.com for all pages and resources.
Fix 4: Fixing External Resources and CDN-Served Assets
Mixed content from external domains (Google Fonts, analytics scripts, CDN assets) requires different handling since you can't change their URLs directly.
Third-party scripts
Most major third-party scripts (Google Analytics, fonts, social widgets) already support HTTPS. Check the embed code — if it starts with http:// instead of https:// or //, update the snippet from the provider's dashboard or documentation.
CDN configuration
If you're using a CDN like Cloudflare, BunnyCDN, or KeyCDN:
- Ensure the CDN zone is configured to serve over HTTPS
- Update CDN URLs in your site config from
http://cdn.yourdomain.comtohttps://cdn.yourdomain.com - Enable "Full SSL" or "Full (strict)" mode in Cloudflare if applicable
Embedded iframes
If you're embedding content from another site via <iframe>, the embedded site must support HTTPS. If it doesn't, you can't force HTTPS on it — the only option is to remove the embed or find an alternative source that supports HTTPS.
Verify the Fix and Monitor Ongoing
After applying fixes:
1. Clear all caches — server cache, CDN cache, browser cache, WordPress/CMS cache.
2. Reload with hard refresh — Ctrl+Shift+R (Windows) or Cmd+Shift+R (Mac) to bypass local browser cache.
3. Check DevTools Console again — confirm no mixed content warnings remain.
4. Verify the padlock is solid — Chrome shows a closed padlock with no warning text for fully secure pages.
5. Test all page types — homepage, blog posts, product/service pages, contact form, checkout if applicable.
For ongoing monitoring, consider setting up a weekly scan with Why No Padlock or Screaming Frog to catch new mixed content introduced by plugin updates or new content.
Resolving mixed content errors is a core part of keeping a Plesk-hosted site secure and performant. If you're managing multiple client sites on Plesk and need ongoing SSL, security, and performance management, CloudHouse Technologies' server management service handles all of this proactively so your clients always see a clean padlock.