"Mixed content isn't a ranking factor" is technically true and operationally misleading. Modern browsers block insecure scripts and stylesheets on HTTPS pages outright - they don't load them at all. The page Googlebot sees can be missing layout, missing JS-injected content, and missing the visual hierarchy that ranking algorithms actually evaluate. The mixed-content warning isn't the SEO problem; the broken render that follows is.
This guide skips the basic "what is mixed content" framing (the tool below covers that) and focuses on how mixed content hurts SEO indirectly, the five sources of it on real sites, and the fix workflow that closes the issue site-wide in about 30 minutes.
Scan any page for mixed content right now
Paste any HTTPS URL below. The tool fetches the page, parses every script, image, stylesheet, and iframe, and flags every resource still loading over HTTP - useful both for auditing your own site and for spot-checking after a migration.
Why mixed content actually hurts SEO (despite "not being a ranking factor")
The "mixed content isn't a ranking factor" line is true at the most literal level: Google doesn't dock you for the warning itself. The indirect path is what actually moves rankings:
- Modern browsers block insecure active content. An HTTP-loaded stylesheet, JavaScript file, or iframe on an HTTPS page is blocked outright. The browser doesn't ask the user; it simply doesn't load the resource. Passive content (images, videos, audio) currently loads with a warning, but Chrome and Firefox have been progressively tightening this and the trend is "block everything."
- Google indexes what the browser renders, not what your source code says. When Googlebot renders the page (now a default step, not optional), it sees the same broken render the user sees. Missing styles, missing layout, missing JS-injected content. Whatever rankings you're earning are based on that broken version.
- Core Web Vitals signals derive from the rendered page. CLS (Cumulative Layout Shift) gets worse when stylesheets fail to load and the layout reflows. LCP (Largest Contentful Paint) gets worse when hero images fail. Mixed content silently degrades both.
- Trust signals leak. The browser's lock icon disappears, replaced by a "Not fully secure" indicator. Bounce rate climbs on pages that handle conversions, payments, or sign-ups. Increased bounce on transactional pages is a behavioural signal Google does pay attention to.
None of these are direct ranking penalties. All four feed signals into the algorithm that are ranking inputs.
The five sources of mixed content on real sites
If you're hunting mixed content after a migration, this is where it almost always lives. Work through them in order - each fix is mechanical.
1. Hardcoded http:// URLs in legacy post content
The single biggest source of mixed content on migrated WordPress sites. Years of posts written before HTTPS was standard contain image, video, and link tags with absolute http:// URLs. The migration to HTTPS rewrites the site URL, but doesn't touch the content stored in the database.
The fix: a database-wide search-replace. WP-CLI does it in one command:
wp search-replace 'http://yourdomain.com' 'https://yourdomain.com' --all-tables --skip-columns=guidThe --skip-columns=guid flag is important: GUIDs are immutable identifiers, not display URLs, and changing them breaks RSS subscribers. Always run a database backup first - search-replace operations are destructive.
For non-WordPress sites, the equivalent is a SQL UPDATE that targets your posts, media, and custom_fields tables (or whichever tables hold body content). The Better Search Replace WordPress plugin offers the same power with a UI, useful when CLI access isn't available.
2. Hardcoded http:// in template files
Theme files, partials, and CMS macros sometimes still emit http:// URLs for site assets - either because the theme was written pre-HTTPS or because a developer copy-pasted from a tutorial. Search the codebase for the literal string http:// and replace each match with https:// (or with a relative path, which is more robust to future protocol changes).
The audit move: after grepping, run the embedded checker on a sample of 10-20 page types (homepage, category, single post, single product, archive, search results) to confirm the template fixes covered every layout variant.
3. Embed snippets pasted from years ago
Analytics tags, social-share widgets, ad scripts, video players, and chat widgets - any embed snippet pasted into the site before HTTPS was universal. Many of these are still in <head> partials emitting http://www.google-analytics.com/ or similar. Modern browsers will block them outright on HTTPS pages, so analytics stops firing and ads stop loading.
The fix is usually replacing the snippet with the current version from the vendor (Google Analytics 4, modern social share APIs, the current player embed, etc.). Don't try to patch the URL by hand - the vendor likely changed the API too.
4. Image / media CDN URLs from before the CDN went HTTPS
If you offload media to a CDN (Cloudinary, S3 + CloudFront, imgix, Bunny.net), the CDN URL is stored alongside the image record in your database. If you onboarded the CDN before HTTPS was standard, those URLs are http://. Most modern CDNs auto-respond to HTTPS requests, so the fix is usually just rewriting the stored URLs (same WP-CLI search-replace pattern) - the CDN itself doesn't need any change.
5. Misconfigured load balancer / origin redirects
Sneaky and often the last source you think to check. The CDN serves visitors over HTTPS. The CDN talks to your origin over HTTP. The origin emits a Location: http://yourdomain.com/... header on a redirect. The browser follows the redirect, sees mixed content (or in newer browsers, blocks the navigation entirely).
The fix is at the infrastructure layer: ensure the origin emits HTTPS Location headers, or have the CDN rewrite Location headers from http:// to https:// at the edge. Audit redirect chains after every infrastructure change - this issue appears at exactly the moments nobody is looking for it.
The biggest mistake: trusting the browser console
The browser DevTools console is the obvious tool to reach for when hunting mixed content - and it's the wrong one for an audit, because the console only inspects the page you've opened. Mixed content tends to cluster on the pages nobody checks manually: archive pages, paginated category lists, low-traffic legacy posts, the search results page, the 404 page. The homepage almost always renders cleanly because it's the most-fixed page on every site.
The audit move: use a crawler. The embedded checker above accepts any URL; for a full sweep, point a crawler (Screaming Frog, Sitebulb, the Search Console URL Inspection bulk-check) at your sitemap and let it visit every URL. Mixed-content issues will cluster around predictable URL patterns - one fix usually closes hundreds of pages at once because the source is a shared template or a CMS-stored URL.
What a clean mixed-content audit looks like
Run this after any HTTPS migration, after any CDN onboarding or change, after any major theme or framework upgrade, and on a quarterly cadence regardless. Takes about 30 minutes for a small site, an hour for a larger one with significant legacy content.
- Confirm HTTPS is enforced site-wide. Visit
http://yourdomain.comin a browser. It must 301 tohttps://yourdomain.com. Do the same forhttp://www.yourdomain.comif you have a www subdomain. Any URL on your domain that responds to HTTP should redirect to its HTTPS equivalent. - Crawl the site for HTTP-loaded resources. Run the embedded checker (or a crawler like Screaming Frog) over your sitemap. Group findings by resource URL - usually 80% of mixed-content issues come from 3-5 distinct source URLs (a single CDN image base, a single legacy embed snippet, a single template file).
- Run a database search-replace if you're on WordPress, Shopify, or any CMS that stores content URLs in the DB. Use WP-CLI's
search-replace(or the Better Search Replace plugin), targeting all tables but skipping theguidcolumn. Always run a backup first. - Grep your codebase for the literal string
http://. Replace template-level matches withhttps://or a relative path. Ignore matches in test fixtures, comments, or vendor code - just fix the active rendering paths. - Add the upgrade-insecure-requests CSP header. Set
Content-Security-Policy: upgrade-insecure-requestsin your server config. The browser will auto-upgrade any in-pagehttp://requests tohttps://before they fire - belt-and-braces protection while you fix the underlying source. - Audit redirect chains. Spot-check 10 redirect endpoints (top traffic pages, recent migrations, shop / category URLs). The full chain should resolve over HTTPS at every hop. Any
http://Location header in the chain is a misconfigured redirect - usually at the load balancer or origin server. - Enable HSTS once you're confident. Set
Strict-Transport-Security: max-age=31536000; includeSubDomainsonly after you've verified HTTPS works site-wide for at least a few weeks. HSTS is stored client-side and is hard to roll back, so don't enable it until the site is rock-solid.
Grab the one-page audit checklist
A printable version of the 30-minute audit, plus copy-pasteable WP-CLI search-replace queries and the Content-Security-Policy header that auto-upgrades insecure requests while you fix the source.
Quick quiz: are you ready to audit your own mixed content?
Five questions, takes two minutes. We'll show you the right answer and a one-line explanation after each one.
Mixed content & HTTPS - quick check
5 randomized questions drawn from a pool of 12. Different every time you take it. Takes about two minutes.
You've finished the Technical SEO pillar
That's the full Technical SEO pillar: status codes, robots.txt, sitemaps, the crawl/index gates, and HTTPS hygiene. Each guide has a working tool, a checklist, a download, and a quiz - the four embeds are deliberate, because the goal is to close the loop from "I read about it" to "I can audit my own site right now."
The next pillar in the SEOGraphy Learn hub is On-Page SEO, covering page titles, meta descriptions, header structure, canonical strategy, and Open Graph for social previews.