HTTPS
Inspector

The most common cause is mixed content. Your page loads over HTTPS, but some resources on it (images, scripts, stylesheets, fonts) are still being loaded over plain HTTP. Even one insecure resource triggers the warning. This tool scans any page and lists every insecure resource so you can fix them. It also grades your overall HTTPS setup from A+ to F.

If the certificate itself is valid, mixed content is almost always the reason. Your page is pulling in images, scripts, or stylesheets over plain HTTP. Browsers remove the padlock when this happens. Scan the page with this tool and it identifies every resource causing the problem, showing the exact URLs you need to update to HTTPS.

The fastest method is a search-and-replace on your database, changing http://yourdomain.com to https://yourdomain.com. Use WP-CLI (wp search-replace) or a plugin like Better Search Replace. Then check your theme files for hardcoded HTTP URLs. Make sure Settings → General has both addresses starting with https://. Add a redirect in .htaccess so all HTTP requests go to HTTPS automatically. Then scan with this tool to verify everything is clean.

Yes. Google has used HTTPS as a ranking signal since 2014, and Chrome shows "Not Secure" in the address bar for mixed content pages. That warning increases bounce rates and reduces trust. Search engines also struggle to index pages where blocked scripts or stylesheets prevent content from rendering properly. Fixing mixed content ensures your pages work as intended for both users and crawlers.

PCI DSS requires HTTPS with a valid SSL certificate and no mixed content. This tool grades your HTTPS implementation from A+ to F, checking your certificate, TLS protocol version, cipher strength, and mixed content. If your grade is low, the tool shows exactly what needs fixing to meet the security baseline for payment processing.

An expired certificate will cause browsers to block access entirely, not just show a warning. This tool checks your SSL connection and shows the TLS protocol version and cipher suite in use. If the certificate is expired or misconfigured, the scan will fail and report the specific error. Check regularly to catch expiring certificates before they cause downtime.

Active mixed content (scripts, stylesheets, iframes) can alter the page or steal data. Browsers block these entirely. Passive mixed content (images, audio, video) is lower risk but modern browsers increasingly block these too. Both types break the padlock. Active content is the higher priority to fix because it can prevent parts of your site from working at all.

The grade reflects your overall HTTPS health. A+ means zero insecure resources and your site uses TLS 1.3. A means zero mixed content. B means 1-2 insecure items. C means 3-5. D means 6-10. F means more than 10 insecure resources were detected.

Yes. TLS 1.0 and 1.1 are deprecated and insecure. Modern browsers flag or block connections using old TLS versions. TLS 1.2 is the minimum acceptable standard, and TLS 1.3 is preferred for faster, more secure connections. This tool checks which TLS version your site uses. If you're on 1.0 or 1.1, contact your hosting provider to upgrade.

After migrating to HTTPS, internal links and embedded resources sometimes still reference old HTTP URLs. This causes mixed content errors that can break page layouts and trigger browser warnings. Scan affected pages with this tool to identify every resource still loading over HTTP, then update those references. For WordPress, a database search-and-replace is usually the quickest fix.