After enabling SSL and redirecting your website to HTTPS, your browser may still show warnings like:
- “Not secure”
- Mixed content (some resources are loaded via HTTP)
- Broken padlock icon in the address bar
This happens because WordPress may still contain http:// links in the database or the theme/plugin code. Below are the recommended steps for GARMTECH Hosting (Plesk + LiteSpeed).
Step 1: Make sure HTTPS works first
- Confirm you have a valid SSL certificate in Plesk (Websites & Domains → domain → SSL/TLS Certificates).
- Confirm HTTP → HTTPS redirect is enabled (Plesk hosting settings or .htaccess rules).
Step 2: Update WordPress site URLs
- Log in to WordPress Admin.
- Go to Settings → General.
- Set both fields to HTTPS:
Step 3: Replace old HTTP links in the database (recommended)
Even after changing the site URLs, WordPress content (posts, images, widgets) can still reference http://. The clean solution is a database search/replace:
- Option A (preferred): Use WordPress Toolkit in Plesk if it offers a search/replace tool.
- Option B: Use a WordPress search/replace plugin (run a backup first).
What to replace:
Search: http://example.com
Replace: https://example.com
Step 4: Clear caches
- In WordPress, clear LiteSpeed Cache (Purge All).
- If you use Cloudflare or another CDN, purge its cache too.
- Hard refresh your browser (or test in an incognito window).
Step 5: Find the remaining mixed-content resource
If the warning still appears:
- Open the page in Chrome/Edge.
- Press F12 → open Console.
- Look for “Mixed Content” messages. They usually show the exact file URL that still uses HTTP.
Common sources are:
- theme CSS/JS files that hardcode http://
- old image URLs inside content
- external scripts (fonts, analytics) loaded over HTTP
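To complement the Console check in Step 5, the following added example (not GARMTECH, Plesk or WordPress code) scans a page's HTML for subresources still referenced over http://, covering the common sources listed above. The class and function names and the sample page are constructed for illustration.

```python
import re
from html.parser import HTMLParser

# Attributes that make the browser fetch a subresource. <a href> is omitted on
# purpose: a link to an http:// page is navigation, not mixed content.
FETCH_ATTRS = {"script": ["src"], "img": ["src", "srcset"], "iframe": ["src"],
               "source": ["src", "srcset"], "video": ["src", "poster"],
               "audio": ["src"], "embed": ["src"], "object": ["data"], "link": ["href"]}
LINK_FETCH_RELS = {"stylesheet", "icon", "preload", "modulepreload"}  # not canonical
HTTP_URL = re.compile(r"(?:^|[\s,])(http://[^\s,]+)", re.I)   # also splits srcset
CSS_URL = re.compile(r"url\(\s*['\"]?(http://[^'\")\s]+)", re.I)  # url(...) in CSS

class MixedContentFinder(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []        # (tag, attribute or "css", url)
        self._in_style = False    # True while inside a <style> block

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        self._in_style = (tag == "style")
        names = FETCH_ATTRS.get(tag, [])
        if tag == "link" and not LINK_FETCH_RELS & set(a.get("rel", "").lower().split()):
            names = []
        for name in names:
            self.findings += [(tag, name, u) for u in HTTP_URL.findall(a.get(name, ""))]
        self.findings += [(tag, "style", u) for u in CSS_URL.findall(a.get("style", ""))]

    def handle_endtag(self, tag):
        if tag == "style":
            self._in_style = False

    def handle_data(self, data):
        if self._in_style:        # body of a <style> block
            self.findings += [("style", "css", u) for u in CSS_URL.findall(data)]

def find_mixed_content(html):
    finder = MixedContentFinder()
    finder.feed(html)
    finder.close()
    return finder.findings

# Constructed sample page (not from a real site).
SAMPLE = """<link rel="canonical" href="http://example.com/">
<link rel="stylesheet" href="http://example.com/wp-content/themes/demo/style.css">
<style>@font-face { src: url(http://fonts.example.net/f.woff2); }</style>
<a href="http://example.com/about"><img src="http://example.com/wp-content/uploads/old.jpg"></a>
<div style="background:url('http://example.com/bg.png')"></div>"""
print(*find_mixed_content(SAMPLE), sep="\n")
```

The scan only sees the HTML it is given, so resources requested later by JavaScript or from external stylesheets still need the browser Console check.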