SSL certificates are a must-have for websites on today’s web. Not only are they vital for creating secure connections between your users’ devices and your site’s server, but they’re basically mandatory for many web browsers. If you opt out of installing an SSL certificate, major web browsers like Chrome and Firefox will greet potential visitors with a warning that your site is “not secure”. It’s no surprise, then, that more websites than ever are secured with SSL.
That said, sometimes issues can arise even when you install an SSL certificate that can prevent the creation of a secure connection. One of those issues is insecure content.
HTTP vs HTTPS connections
To explain insecure content, you’ll first need to understand a little bit more about the difference between HTTP and HTTPS connections. You’ve probably noticed both appear in your web browser’s address bar at some time or another as a prefix of the website you were visiting. HTTP is short for Hypertext Transfer Protocol and allows for data transfer over the web between a web server and a client, such as a web browser. HTTPS, which is short for Hypertext Transfer Protocol Secure, is much the same except with a vital difference — the data transfer is encrypted, meaning that no third parties can access the information sent over this connection.
When a website has an SSL certificate, its webpages will load via the HTTPS protocol. At least, that’s how it’s supposed to work. However, when a website features insecure content, your site will likely load through HTTP and your users may be hit with a message like, “this page contains both secure and nonsecure items”.
Encountering such a message after going through the effort of installing an SSL is understandably frustrating. Wasn’t the SSL certificate supposed to make everything secure?
As we’ve talked about before on this blog, SSL certificates aren’t a quick fix for all your site’s security needs. And if your site already has issues, it’s not going to override that. Insecure content usually occurs due to an issue with your website’s coding and isn’t anything to do with an SSL certificate.
What is insecure content?
When we talk about website content in this context, we’re talking about everything that makes up the pages on your site, from CSS, JavaScript, and HTML to images and videos.
Before a webpage is loaded on your browser, it sends a message to the server, requesting the content that makes up that page. Most web pages are made up of a combination of the content we previously mentioned, and each resource is downloaded via separate requests. Once the content has been downloaded, the page is displayed in your browser.
Insecure content occurs when some of the content downloaded is loaded via HTTP rather than HTTPS. When your website features both secure and insecure content, this is known as mixed content. A common reason for mixed content is that some of your site’s content is actually hosted on a different website without an SSL certificate, so it’s loading over a connection that isn’t encrypted. Another possible scenario is that the external content is hosted on a site with an expired or invalid SSL certificate.
Why is insecure content such a big deal?
If any of the content on your site loads via an HTTP connection, then your whole site will load through HTTP by default — even if you have an SSL certificate. SSL certificates can only encrypt the connection between content hosted on your server and a user’s browser, and not content hosted elsewhere.
A website with mixed content could leave its users susceptible to man-in-the-middle attacks, which is when malicious actors intercept and modify the connection between a browser and the server.
Beyond that, mixed content can affect website traffic and site usability. Users could potentially be greeted with a message warning them about the mixed content on your site and may understandably opt not to continue.
Many browsers have even started blocking insecure content entirely. In a January 2021 update, Google Chrome by default started blocking the HTTP file downloads of images, docs, and PDFs from HTTPS sites. Even if users can access your site, if your site depends on many unsecured resources, it may be left virtually unusable.
Locating and fixing your site’s insecure content
If you discover that your website has insecure content and you have no idea where to start with finding it and fixing it, don’t despair. There are many resources that can help:
- Why No Padlock? – Just enter your website URL and this simple tool finds any insecure items on your SSL-secured page.
- HTTPS checker – This will check for any HTTP content on your site, as well as common HTTPS migration issues.
- This helpful guide will help more technically inclined users to find and fix the content issues manually themselves.
Now that you know what your insecure content is, you have a few options when it comes to fixing it:
- Install the SSL Insecure Content Fixer plugin: This WordPress plugin will find and solve most insecure content issues for you.
- Delete the insecure content files from your site entirely
- If legal, reupload the files directly to your site
- Link the content from a more secure site
Wrap up
Dealing with the issue of insecure content on your site can be a pain, particularly when you’ve just gone through the hassle of installing an SSL certificate. Fortunately, finding and fixing it is generally pretty easy thanks to a myriad of free tools at your disposal. If you discover that your site has insecure content, be sure to deal with it sooner rather than later, for the sake of your website and user security.
Still haven’t secured your site with an SSL? Check out the range of affordable SSL certificates Namecheap has to offer.