Ever since December of 2019, mixed content has been effectively blocked by Google Chrome.
Did you notice a difference in your browsing experience?
The truth is mixed content is often hard for users to detect – and many webmasters don’t even know what it is or how it works. But if you have an abundance of mixed content on your site, not only will it negatively affect your user experience, it could also tank your SEO rankings.
Don’t worry. In this guide, we’ll teach you everything you need to know about mixed content, including what it is, how to find it, and how to correct a mixed content issue on your site.
What Is Mixed Content?
As a web user, you access webpages on the internet by sending requests with the Hypertext Transfer Protocol (familiarly known as HTTP), an application-layer protocol. This protocol makes it possible to retrieve the HTML code of a site.
Modern webpages are often secured, allowing them to communicate securely over a computer network. Secure websites are given the HTTPS designation.
A webpage with mixed content is one that contains both HTTP and HTTPS material. You may access a secured, HTTPS page of a given website, but there could be scripts, images, videos, and other types of content that are served with a standard, insecure protocol (HTTP).
SSL Certificates and Mixed Content
Security is the new standard. According to Google, Chrome users spend approximately 90 percent of their total browsing time on websites that utilize HTTPS – and that’s for both desktop and mobile users.
To give your website the HTTPS designation and utilize the HTTPS protocol, you’ll need to have an SSL certificate in place. You can purchase an SSL certificate through your domain registrar.
SSL certificates serve as a way to verify your website’s identity. When users submit information on your site, such as their password, email address, and credit card information, it will be encrypted in transit, and therefore only visible when the proper key (the private key that belongs to your SSL certificate) is used to unlock it.
Once a secure connection has been formed between a web browser and a web server using HTTPS, all traffic between those network nodes will be secured.
However, if your SSL certificate expires, or if it’s rendered invalid in another way, web users will encounter a warning message instructing them that “Your connection is not private.” Though users can still power through this warning message, it will be a deterrent to most users.
Active vs. Passive Mixed Content
There are two types of mixed content to familiarize yourself with: active and passive.
Passive mixed content includes any type of content that is isolated from the rest of the page. It usually includes images, video, audio, and other media content. With passive mixed content, man-in-the-middle attacks are harder to execute, so they’re seen as less of a threat; however, passive mixed content is still a problem.
A motivated attacker can take advantage of open HTTP requests to view an image or video on your site and swap it out for something different. In a relatively innocent maneuver, an attacker could use this as an opportunity to vandalize your site with vulgar images. In a more complex attack, an attacker could replace your images with clickable ads leading to other sites, and possibly to a phishing scam.
Additionally, an attacker could attempt to track the users of your site with mixed content requests, even if they don’t interfere with your content directly.
By contrast, active mixed content does interact with the entire page. It includes things like stylesheets, scripts, iframes, and other types of code that a web browser can download and/or execute. It’s inherently more dangerous because a motivated attacker can use it to get away with almost anything within that page.
For example, an attacker could completely rewrite the content of your page or use it as a vector to gain control of your entire website. They could display a totally different set of content, steal user session cookies, or more commonly, steal user login credentials.
Why Mixed Content Is Blocked by Google
After learning about how serious a threat mixed content can be, it should be clear why Google decided to start blocking mixed content.
Starting in December 2019, Google announced that Chrome would gradually evolve to block all mixed content by default on all web pages. As far back as 2018, Chrome would notify users when visiting a site without HTTPS with a message that the site is “Not secure.”
There are three main principles behind this decision:
- Security concerns. Obviously, Google has a vested interest in keeping web users secure when using Google products. If you visit a webpage with active mixed content unwittingly and enter your login credentials, an attacker could intercept those credentials and begin working to steal your identity in a matter of minutes.
- Confusion and user experience. Mixed content is also ambiguous, confusing, and damaging to the average user experience. Because of mixed content, a user may believe they’re accessing a secure site (thanks to the HTTPS designation in the URL), but they may unsuspectingly be accessing a page with content served over an unsecured HTTP protocol. In other words, the page appears to be secure, but is not fully secure. It’s both secure and unsecured at the same time. Rather than attempting to explain the nuances of this situation to every user who happens across it, Google opted to simplify things by blocking all forms of mixed content directly.
How Mixed Content Affects SEO
As far back as 2014, Google has confirmed that HTTPS and website security were ranking signals. In other words, upgrading your site with an SSL certificate was a demonstration of trustworthiness and authority significant enough to increase your rankings in Google search results.
But does mixed content actually hurt your rankings?
The short answer is yes.
For starters, understand that more than 90 percent of popular webpages now utilize HTTPS to make their websites more secure. They’re benefitting from HTTPS security as a ranking factor; if your site isn’t properly secured, you’re going to suffer from a competitive disadvantage.
Additionally, when a user encounters a webpage with mixed content, they’re going to see a warning message telling them that they’re accessing unsecured content. Most users who see this will immediately click away and find a different site, leading to higher bounce rates.
But you also have to remember that mixed content is about more than just search rankings; it’s also about the security of your users and the reputation of your business. Even if mixed content had no direct bearing on your search engine rankings, your users would still be met with a terrible first impression when visiting your site for the first time.
It’s vital for the success of your business that you find and correct any mixed content issues on your site.
So how do you do it?
How to Find Mixed Content on Your Site
There are a few different ways to find mixed content on your site.
For starters, you could try accessing various pages of your site using a Google Chrome browser. Since Chrome automatically blocks content and displays a warning message when it finds mixed content, you’ll get an immediate and undeniable red flag if you have any mixed content to fix.
Of course, this is a manual and time-intensive approach. You’re typically better off using a website audit tool or working with an SEO agency to run a full site audit. This audit will alert you not just to any instances of mixed content on your site, but also technical onsite SEO issues such as missing meta tags, slow loading times, and mobile optimization issues.
How to Fix a Mixed Content Issue
If you have a mixed content issue, you’ll want to fix it as soon as possible to improve your SEO rankings, increase user trust, and keep your customers and web users secure.
Here’s how to do it:
- Locate the mixed content. Head to the source code of the page in question and see if there are any URLs with “HTTP” instead of “HTTPS.” If you view the source code in a Google Chrome browser, you’ll get visual warnings where these instances occur, so it should be easy to spot even if you’re not an experienced web developer.
- Find the HTTPS version. If you’re loading an image, script, or other type of content with HTTP, see if there’s an HTTPS version available. If so, all you have to do is add an “S” to the URL and you’ll be back in business.
- Find an alternative. If your chosen resource isn’t available with an HTTPS URL, you’ll have to find an alternative solution. You may be able to find an identical copy of this resource on a secure site elsewhere. You may be able to download the content and host it on your own secure server. And if all other options fail, you can consider omitting the content altogether or finding a replacement for it.
- Check to see if the error is resolved. Once you apply the fix, see if the error has been resolved. If you’re successful, you should no longer see a warning message about mixed or insecure content when visiting this webpage in Chrome. If you continue to see a warning message, it means there may be other mixed content issues to resolve; head back to the source code and repeat these steps to get closer to success.
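The first two steps above, combined with the active/passive distinction from earlier in this guide, as a small audit script. This is an added example, not code from the original article; the tag-to-category mapping, the function names and the sample HTML are assumptions constructed for illustration.

```python
from html.parser import HTMLParser

# Assumed, simplified mapping of tag/attribute pairs to the guide's two categories.
ACTIVE = {("script", "src"), ("iframe", "src"), ("link", "href")}
PASSIVE = {("img", "src"), ("video", "src"), ("audio", "src"), ("source", "src")}

# Constructed sample page (not from a real site).
SAMPLE = """<html><head>
<link rel="canonical" href="http://example.com/">
<link rel="stylesheet" href="http://cdn.example.com/site.css">
<script src="https://cdn.example.com/app.js"></script>
<script src="http://cdn.example.com/legacy.js"></script>
</head><body>
<a href="http://example.org/">partner</a>
<img src="http://img.example.com/logo.png">
<img src="/local.png">
</body></html>"""

class MixedContentScanner(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []  # (line, kind, tag, url)

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        # Only stylesheet links are fetched and applied; canonical links are not.
        if tag == "link" and "stylesheet" not in a.get("rel", "").lower().split():
            return
        for attr in ("src", "href"):
            url = a.get(attr, "").strip()
            if not url.lower().startswith("http://"):
                continue
            key = (tag, attr)
            kind = "active" if key in ACTIVE else "passive" if key in PASSIVE else None
            if kind:  # <a href> and similar are navigation links, not subresources
                self.findings.append((self.getpos()[0], kind, tag, url))

def scan(html):
    """Return (line, kind, tag, url) for each subresource requested over HTTP."""
    scanner = MixedContentScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings

def https_candidate(url):
    """Same URL with the https scheme; confirm it actually loads before switching."""
    return "https://" + url[len("http://"):]
```

Run `scan()` over a page's saved source and work through the active findings first, since those are the ones that can alter the whole page.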
Does your site have a mixed content problem? Or are you struggling to rank, but unsure what the issue is? You may benefit from the help of a professional SEO agency. Contact us today for a free consultation!