Ever since December of 2019, mixed content has been effectively blocked by Google Chrome.
Did you notice a difference in your browsing experience?
The truth is mixed content is often hard for users to detect – and many webmasters don’t even know what it is or how it works. But if you have an abundance of mixed content on your site, not only will it negatively affect your user experience, it could also tank your SEO rankings.
Confused?
Don’t worry. In this guide, we’ll teach you everything you need to know about mixed content, including what it is, how to find it, and how to correct a mixed content issue on your site.
As a web user, you access webpages on the internet by sending requests over an application-layer protocol called Hypertext Transfer Protocol (familiarly known as HTTP). This protocol makes it possible to retrieve the HTML code of a site.
Modern webpages are often secured, allowing them to communicate securely over a computer network. Secure websites are given the HTTPS designation.
A webpage with mixed content is one that contains both HTTP and HTTPS material. You may access a secured, HTTPS page of a given website, but there could be scripts, images, videos, and other types of content that are served with a standard, insecure protocol (HTTP).
Security is the new standard. According to Google, Chrome users spend approximately 90 percent of their total browsing time on websites that utilize HTTPS – and that’s for both desktop and mobile users.
To give your website the HTTPS designation and utilize the HTTPS protocol, you’ll need to have an SSL certificate in place. You can purchase an SSL certificate through your domain registrar.
SSL certificates serve as a way to verify your website’s identity. When users submit information on your site, such as their password, email address, and credit card information, it will be encrypted, and therefore only visible when the proper key (your SSL certificate) is used to unlock it.
Once a secure connection has been formed between a web browser and a web server using HTTPS, all traffic between those network nodes will be secured.
However, if your SSL certificate expires, or if it’s rendered invalid in another way, web users will encounter a warning message stating that “Your connection is not private.” Though users can still click through this warning message, it will be a deterrent to most users.
There are two types of mixed content to familiarize yourself with: active and passive.
Passive mixed content includes any type of content that is isolated from the rest of the page. It usually includes images, video, audio, and other media content. With passive mixed content, man-in-the-middle attacks are harder to execute, so they’re seen as less of a threat; however, passive mixed content is still a problem.
A motivated attacker can take advantage of open HTTP requests to view an image or video on your site and swap it out for something different. In a relatively innocent maneuver, an attacker could use this as an opportunity to vandalize your site with vulgar images. In a more complex attack, an attacker could replace your images with clickable ads leading to other sites, and possibly to a phishing scam.
Additionally, an attacker could attempt to track the users of your site with mixed content requests, even if they don’t interfere with your content directly.
By contrast, active mixed content does interact with the entire page. It includes things like stylesheets, scripts, iframes, and other types of code that a web browser can download and/or execute. It’s inherently more dangerous because a motivated attacker can use it to get away with almost anything within that page.
For example, an attacker could completely rewrite the content of your page or use it as a vector to gain control of your entire website. They could display a totally different set of content, steal user session cookies, or more commonly, steal user login credentials.
After learning about how serious a threat mixed content can be, it should be clear why Google decided to start blocking mixed content.
Starting in December 2019, Google announced that Chrome would gradually evolve to block all mixed content by default on all web pages. As far back as 2018, Chrome would notify users when visiting a site without HTTPS with a message that the site is “Not secure.”
There are three main principles behind this decision:
As far back as 2014, Google confirmed that HTTPS and website security were ranking signals. In other words, upgrading your site with an SSL certificate was a demonstration of trustworthiness and authority significant enough to increase your rankings in Google search results.
But does mixed content actually hurt your rankings?
The short answer is yes.
For starters, understand that more than 90 percent of popular webpages now utilize HTTPS to make their websites more secure. They’re benefitting from HTTPS security as a ranking factor; if your site isn’t properly secured, you’re going to suffer from a competitive disadvantage.
Additionally, when a user encounters a webpage with mixed content, they’re going to see a warning message telling them that they’re accessing unsecured content. Most users who see this will immediately click away and find a different site, leading to higher bounce rates.
Higher bounce rates and less user engagement mean you’re going to see a drop in search engine rankings – even if you don’t see a manual penalty from Google directly.
But you also have to remember that mixed content is about more than just search rankings; it’s also about the security of your users and the reputation of your business. Even if mixed content had no direct bearing on your search engine rankings, your users would still be met with a terrible first impression when visiting your site for the first time.
It’s vital for the success of your business that you find and correct any mixed content issues on your site.
So how do you do it?
There are a few different ways to find mixed content on your site.
For starters, you could try accessing various pages of your site using a Google Chrome browser. Since Chrome automatically blocks content and displays a warning message when it finds mixed content, you’ll get an immediate and undeniable red flag if you have any mixed content to fix.
Of course, this is a manual and time-intensive approach. You’re typically better off using a website audit tool or working with an SEO agency to run a full site audit. This audit will alert you not just to any instances of mixed content on your site, but also technical onsite SEO issues such as missing meta tags, slow loading times, and mobile optimization issues.
If you have a mixed content issue, you’ll want to fix it as soon as possible to improve your SEO rankings, increase user trust, and keep your customers and web users secure.
Here’s how to do it:
Does your site have a mixed content problem? Or are you struggling to rank, but unsure what the issue is? You may benefit from the help of a professional SEO agency. Contact us today for a free consultation!