This guide helps you troubleshoot a website that does not show the padlock (lock icon) in the browser, even though it has an active SSL (TLS) certificate and HTTPS (secure HTTP) links. The most common cause is mixed content — a page served over HTTPS that still loads some resources over plain HTTP.
Quick fixes for WordPress
- If you are using WordPress, you can follow this guide to quickly update all pages to HTTPS.
- If you are using WordPress and no images are showing, follow this guide to fix that.
Identify mixed content
If the padlock is not displayed on all or some pages, even though you have followed our guide to enable SSL on your domain, it may be because something on the page is loaded over an http:// link.
All links that retrieve assets (images, stylesheets, fonts, etc.) must use HTTPS in order for the browser to show the padlock.
Troubleshoot with your browser
You can use your browser to troubleshoot this. In this example, we use Google Chrome.
Start by checking the right-hand side of the address bar, where you will see a red or black shield indicating that something is wrong on the website.
This means that parts of the website’s content have been hidden because they are not secure.
Right-click somewhere on the page and select “Inspect”.
A panel will open to the right of the page. Select the “Security” tab.
Reload the website and, if you choose to, allow the unsafe content to load via the shield. Please note that this is at your own risk. If you suspect that the website is infected with malware — for example due to multiple warnings from antivirus programs or browsers — you should not load this content.
You will now be shown the URLs that your website is trying to load over HTTP.
Update the links
Review your code, search for these HTTP links and update them to HTTPS. If you have resources that can only be loaded over HTTP, consider whether to keep them on the external site or to host them locally on your own website instead.