How to fix mixed content on WooCommerce

Steps for WooCommerce

1. In your WordPress admin, install the free plugin 'Really Simple SSL' (Plugins → Add New → search 'Really Simple SSL') — it performs a sitewide HTTP→HTTPS redirect and fixes many mixed-content issues automatically by filtering content URLs.
2. Go to Settings → SSL (added by Really Simple SSL) and enable 'Mixed content fixer' to replace HTTP URLs in dynamically rendered content.
3. For database-stored content (product descriptions, page builder content, widget text), run a search-replace in the database: use the free plugin 'Better Search Replace' (Plugins → Add New) to replace 'http://yourdomain.com' with 'https://yourdomain.com' across all tables — always take a full database backup first.
4. Check your active theme and child theme files (Appearance → Theme File Editor) and any custom plugins for hardcoded HTTP asset URLs; update to HTTPS.
5. For WordPress.org sites with server access, add the following to your wp-config.php as a safety net: define('FORCE_SSL_ADMIN', true); and ensure your .htaccess has a full HTTP→HTTPS redirect rule.
6. Add <meta http-equiv="Content-Security-Policy" content="upgrade-insecure-requests"> to your theme's header.php (inside <head>) or via a plugin like 'Header and Footer Scripts'.
7. Reload your site in an incognito browser window and check the padlock/console for any remaining warnings.

<meta http-equiv="Content-Security-Policy" content="upgrade-insecure-requests">

What is mixed content?

Mixed content happens when a web page is loaded securely over HTTPS but one or more of its resources — images, scripts, stylesheets, fonts, videos, iframes, or API calls — are still requested over plain HTTP. Browsers treat this as a security problem because the encrypted connection protecting your page can be undermined by an unencrypted resource. There are two kinds: "passive" mixed content (images, audio, video) which browsers may still display but flag with a warning, and "active" mixed content (scripts, stylesheets, iframes) which modern browsers block entirely, breaking functionality. A clean HTTPS store means every single request on every page uses HTTPS — no exceptions.

Mixed content directly harms your store in four ways. First, browsers show a "Not Secure" warning or remove the padlock icon, which destroys shopper trust and causes cart abandonment — studies consistently show customers abandon checkout when they see security warnings. Second, blocked active mixed content (a blocked script or stylesheet) can silently break your add-to-cart button, checkout form, live chat widget, or payment processor embed, costing you direct revenue with no obvious error message to trace. Third, Google has stated that HTTPS is a ranking signal; mixed-content warnings can undermine that signal and signal a poorly maintained site. Fourth, if your store is subject to PCI-DSS (required for card payments), serving payment-related resources over HTTP is a compliance violation that can result in fines or loss of payment processing privileges.

See the complete Mixed content guide for every platform and the full background.