I’m always preaching about secure websites. It’s not too hard to secure a website and most good hosts now offer a free security certificate. It does take a few steps to get it installed correctly. But it’s pretty easy on a WordPress site these days.
When I perform a website audit one of the first things I check is the health of their website and make sure it has an SSL certificate properly installed. Why? Because too many websites either don’t run under HTTPS or they have a certificate installed incorrectly which means often the website has the security certificate, but some items on the page are not, which means the web page is showing both secure and non-secure content or “mixed-content”.
Some clients ask if having a secure site really matters if they aren’t running an ecommerce site. So I explain:
- Google has been preaching the need for secure websites for at least 3 years. It is important to Google, which means it should be important to you and your digital marketing efforts.
- SSL health is part of Google’s algorithm, which means it will influence your keyword rank and overall website traffic from search.
Now, I can add this to the list:
- In December 2019, the Chrome browser will begin blocking content on website pages that include a mix of SSL and non-SSL content. OMG! This can make these web pages appear broken and make it more difficult for the rendering of all your content within the page. And how do you think this will make your business look to your visitors ? Not well I’m guessing.
This means pages that have mixed content (secure and non secure) will produce a warning message to your website visitors. This begins with the introduction of Chrome 79, but it is just the start of what is to come. The initial roll out will offer an unlocking option, but in January of 2020 Google will remove the unblocking option.
You may think you have no issues and that your content is safe and secure, but I encourage you to take a closer look. If you crawl your website fully, you’ll be surprised at what lies beneath. Scripts, styles, links, and images can all cause issues without you even knowing they are present.
Google’s Definition of Mixed Content
Mixed content occurs when initial HTML is loaded over a secure HTTPS connection, but other resources (such as images, videos, stylesheets, scripts) are loaded over an insecure HTTP connection. This is called mixed content because both HTTP and HTTPS content are being loaded to display the same page, and the initial request was secure over HTTPS. Modern browsers display warnings about this type of content to indicate to the user that this page contains insecure resources.
There two types of mixed content are:
Passive mixed content refers to content that doesn’t interact with the rest of the page, and thus a man-in-the-middle attack is restricted to what they can do if they intercept or change that content. Passive mixed content includes images, video, and audio content, along with other resources that cannot interact with the rest of the page.
Active mixed content interacts with the page as a whole and allows an attacker to do almost anything with the page. Active mixed content includes scripts, stylesheets, iframes, flash resources, and other code that the browser can download and execute.
Learn more about mixed content and managing it via Google’s Web Fundamentals for developers.
Ways to Locate Mixed Content
There are multiple routes you can take to find mixed content. The best route will depend on factors such as your time, your coding ability, and the size of your website. A small five page website could be manually reviewed fairly quickly, but a one hundred page website would take an extensive effort and much more time than most people have to allocate. If your website is large and thousands of URLs, you are looking at a massive undertaking.
Here are some ways you can locate your mixed content issues:
- Request a website audit from a trusted SEO professional.
- Manually review the source code of your website page by page.
- Use Screaming Frog to crawl the website. This is a paid tool, but relatively low cost as it only has an annual fee.
- Use SEMrush to crawl the website. This is a much more expensive tool, but for SEO consultants like me, it is a must-have tool.
- Use JitBit SSL Checker, which is a free online scanner that will scan up to 400 pages of your site.
Tools that can fix mixed content on a WordPress website:
- Use SSL Insecure Content Fixer WordPress Plugin to scan your site and alert you to insecure resources and help you fix them.
- iThemes Security Pro – has a force SSL feature that works beautifully!
Once your mixed content issues are found, you need to fix the offending items quickly.
Don’t wait until December to review your website. Get ahead of this important change by auditing your website and fixing all those technical SEO issues that creep in. Technical SEO is a core part of today’s SEO and you cannot have high rank and search traffic without a healthy website.
If you’d like professional help auditing or cleaning up your website, I’d love to help. I’ve been doing professional website audits for many years and have been a webmaster since 2000. I’d love to help you clean up your website and boost your SEO.