The easiest type of reference to correct are those that are in the content of your WordPress site. This may be an image or link that has been manually added to the page content, rather than being included by WordPress dynamically. Common examples of places where links are added by hand are:
- links to images, sites, or files hosted outside the current site,
- links added to widgets or menus,
- links added by hand to HTML-editable content regions (advanced form fields, table regions, etc.).
These references should be relatively easy to update using the backend/admin portion of the site. Additionally there are WordPress tools available that can provide search-and-replace functionality to quickly update URLs in some types of content regions.
Editing Your Theme or Plugin
Sometimes you may find that the offending, insecure URL is actually one being referenced by your theme or a plugin. This scenario is usually tougher to address and, in some cases, may not be something you can solve at all.
In general, theme and plugin files should always call resources at an “https” address as long as the site is using https. These files should be stored in the theme or plugins directory and as such, should all be delivered by the server securely. In rare occasions a theme or plugin may call a resource hosted elsewhere, at an insecure URL. If this is the case you (or a technical support person) will need to make some changes to your theme and/or plugins to correct the reference links to use https.
There are some tools to help with the process. WordPress has a plugin available (WordPress HTTPS) which will help you force all links in themes and plugins to use https. Unfortunately this plugin has not been updated in over 2 years, and while there is user feedback that the plugin still works and is safe, this is not a solution that we are willing to recommend. You may find other, newer tools that offer a similar assistance, such as SSL Insecure Content Fixer. Again, you may use these tools if you want but please consider making the changes manually. Wherever possible it’s preferred that you solve the issue where it exists, so that you will not need the plugin to achieve a secure site in the future.
Regardless of how you’re doing it, sometimes the remote link may not be available at a secure address. If the remote link is not available via an https address, then you have a few choices:
- Copy the content of that file and host it locally, as a theme or plugin file, or
- Contact the owner of that resource and ask them to host it securely.
Alternately you may be able to find a similar resource that is hosted securely, however this solution may require edits to your theme or plugin to allow it to continue to work successfully with the new resource.
It is worth noting that editing themes and plugins generally requires some level of expertise to do properly. In addition, changes to a theme or plugin will be removed if/when it is updated in the future. It is possible to create child themes or custom plugins to address these issues, however wherever possible it is better to have the owner of the theme or plugin try to address the absence of secure reference URLs. These days you should find that most developers are more than willing to host their resources securely, if they aren’t already. That said, this process may also identify out-of-date themes and plugins that are no longer supported and cannot be updated.