HTTPS and mixed content: closing the last insecure gaps
Getting the padlock is step one, not the finish line. Here are the gaps that survive the switch to HTTPS.
Getting the padlock feels like a finish line. You move the site to HTTPS, the browser stops shouting "Not secure," and the green-enough lock appears in the address bar. It is a real milestone. It is also step one of three, and the other two are the ones that quietly come undone over time: a certificate that lapses, and a secure page that keeps loading insecure things. Both wear away at the protection you thought you had, and neither announces itself.
This is a guide to the last insecure gaps in an otherwise encrypted site: what HTTPS actually buys you, why an expiring certificate is a trap rather than a warning, and how mixed content can leave the padlock standing while hollowing out what it stands for.
Why HTTPS is the floor, not the ceiling
HTTPS encrypts the connection between a visitor's browser and your server, so the data moving between them cannot be read or tampered with in transit. That matters for the obvious cases, a login form or a checkout, but it matters everywhere now. Modern browsers treat plain http:// as a second-class citizen, marking pages insecure and reserving newer capabilities for encrypted ones. Search engines and the wider web assume HTTPS by default. A site without it is not just exposed; it looks neglected.
RecapWP flags a site that is not using HTTPS as a high-severity finding, but it does not flip the switch for you. Moving a site to HTTPS is an infrastructure decision that touches your host, your certificate, and often your configuration, so it belongs with you and your host rather than a setting a plugin should silently change. The value here is the flag itself: it puts the most foundational gap at the top of the list where it cannot be ignored.
The certificate-expiry trap
An HTTPS certificate is not permanent. It has an expiry date, and when that date passes, the encryption does not gracefully degrade. The browser throws a full-page warning, the kind that makes a visitor assume the site has been compromised and leave. The padlock you worked for becomes a wall.
What makes expiry a trap rather than a simple deadline is that it is invisible right up until it bites. Most certificates renew automatically these days, which is exactly why people stop watching them, and automatic renewal is a process that can fail quietly: a billing lapse, a DNS change, a host migration that broke the renewal job. You find out when a customer tells you, or when traffic falls off a cliff.
RecapWP monitors the certificate's expiry date and surfaces it as a finding before it becomes an emergency. The severity is not fixed; it escalates as the date nears, so a certificate ninety days out is a gentle note and one expiring this week is loud. Like the move to HTTPS itself, the renewal stays with you and your host, because that is where the certificate actually lives. The plugin's job is to make sure the date never sneaks up on you.
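A minimal sketch of this kind of expiry monitoring, added here as an example and not RecapWP's code. The severity bands and the function names are assumptions; the page only says that severity rises as the date nears.

```python
import socket
import ssl
from datetime import datetime, timezone

# Assumed escalation bands (days remaining -> severity), checked in order.
BANDS = [(0, "critical"), (7, "high"), (30, "medium"), (90, "low")]

def days_left(not_after, now):
    """not_after is in getpeercert() format, e.g. 'Jun  1 12:00:00 2025 GMT'."""
    expires = datetime.fromtimestamp(ssl.cert_time_to_seconds(not_after), timezone.utc)
    return (expires - now).total_seconds() / 86400

def severity(days):
    for limit, label in BANDS:
        if days <= limit:
            return label
    return "ok"

def check_host(host, port=443, now=None):
    """Live check; needs network access."""
    now = now or datetime.now(timezone.utc)
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=10) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                not_after = tls.getpeercert()["notAfter"]
    except ssl.SSLCertVerificationError as exc:
        # An already-expired certificate fails the handshake, so notAfter
        # is never read: report the verification error itself as critical.
        return {"host": host, "severity": "critical", "detail": exc.verify_message}
    except OSError as exc:
        # A check that could not run is not a pass.
        return {"host": host, "severity": "unknown", "detail": str(exc)}
    remaining = days_left(not_after, now)
    return {"host": host, "severity": severity(remaining),
            "detail": f"{remaining:.0f} days left"}
```

Run `check_host` on a schedule from somewhere other than the web server, so a failed renewal job and a failed monitor do not share the same cause.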
The padlock tells a visitor the page is secure. Mixed content makes that a half-truth, and the browser knows it even when you do not.
Mixed content: a secure page loading insecure things
Here is the gap that survives even a perfect certificate. Your page is served over HTTPS, but somewhere in its markup it still pulls an asset over plain HTTP: an image hard-coded with an http:// URL, a script from an old CDN reference, a stylesheet from a theme that was set up before the migration. The page is encrypted; one of the things it loads is not. That is mixed content.
It sounds minor, and it is not. Even a single insecure asset on a secure page undermines the connection, because the browser can no longer guarantee that everything you received arrived untampered. So browsers respond in one of two ways. They warn, downgrading the padlock and telling the visitor the page is not fully secure, or they block the asset outright, which means a broken image, a missing stylesheet, or a script that never runs. Either way the cost is real: a damaged trust signal, or a visibly broken page.
Mixed content is insidious because it accumulates. A site can be flawlessly HTTPS today and grow a mixed-content problem tomorrow, the moment someone pastes an http:// image URL into a post, or a plugin writes one into the database. It rarely announces itself, because the page usually still mostly works. You have to go looking.
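One way to go looking, added here as an example and not RecapWP's code: a scanner that finds http:// sub-resources in a page's markup and labels each one by how browsers treat it. The tag lists, function names and sample markup are assumptions made for the illustration.

```python
from html.parser import HTMLParser

# (tag, attribute) pairs that make the browser fetch a sub-resource, grouped
# as in the W3C Mixed Content spec: "blockable" loads are refused, while
# "upgradeable" ones are warned about or upgraded, depending on the browser.
BLOCKABLE = {("script", "src"), ("iframe", "src"), ("link", "href"),
             ("object", "data"), ("embed", "src")}
UPGRADEABLE = {("img", "src"), ("audio", "src"), ("video", "src"),
               ("video", "poster"), ("source", "src")}

class MixedContentFinder(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        attr_map = {name: (value or "").strip() for name, value in attrs}
        rel = attr_map.get("rel", "").lower().split()
        if tag == "link" and "stylesheet" not in rel:
            return  # canonical/alternate links are metadata, not fetched assets
        for name, url in attr_map.items():
            if not url.lower().startswith("http://"):
                continue
            if (tag, name) in BLOCKABLE:
                kind = "blockable"
            elif (tag, name) in UPGRADEABLE:
                kind = "upgradeable"
            else:
                continue  # e.g. <a href>: navigation, not mixed content
            self.findings.append({"line": self.getpos()[0], "tag": tag, "kind": kind,
                                  "url": url, "fix": "https://" + url[7:]})

def find_mixed_content(html):
    finder = MixedContentFinder()
    finder.feed(html)
    finder.close()
    return finder.findings

# Constructed sample markup for an HTTPS page (hosts are placeholders).
SAMPLE = """<link rel="canonical" href="http://example.com/post">
<link rel="stylesheet" href="http://cdn.example.com/theme.css">
<script src="http://cdn.example.com/old.js"></script>
<img src="http://example.com/uploads/photo.jpg" alt="">
<img src="https://example.com/uploads/ok.jpg" alt="">
<a href="http://example.org/">external link</a>
"""

if __name__ == "__main__":
    print(*find_mixed_content(SAMPLE), sep="\n")
```

The suggested `fix` assumes the host serves the same asset over HTTPS; confirm that before rewriting stored content.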
What RecapWP flags here versus what it fixes
This trio of findings draws a clean line between what a plugin should change for you and what it should not, and RecapWP draws it deliberately.
The two infrastructure items, a site not using HTTPS and an SSL certificate expiring, are detect-only. Both are high severity, both sit near the top of the findings list, and both are reported with the context you need to act, but neither is applied for you, because neither is RecapWP's to apply. They depend on your host and your certificate authority, and changing them blindly could take a site offline.
Mixed content is different. When a post loads an insecure http:// resource on an otherwise HTTPS page, that is a deterministic problem with a deterministic remedy: the reference should point at https://. So this finding, medium severity, carries a one-click fix. RecapWP applies it where the finding is, records the change in its apply-and-undo ledger, and lets you reverse it later if you ever need to. The detection and the fix are both rule-based, with no model deciding what to change. The code finds the insecure reference and rewrites it; nothing is guessed.
Make it a gap you keep closed
HTTPS is not a thing you do once and forget, because all three of these gaps drift. A certificate creeps toward its expiry. A new post arrives carrying an http:// image. A migration resets a setting you had right last year. The padlock you earned needs the same maintenance as the rest of your site's health, which is to say a regular look rather than a one-time fix.
The fastest way to know whether your own padlock is telling the whole truth is to run a scan and read what comes back. You will see plainly whether the site is fully on HTTPS, how close the certificate is to its date, and whether any page is quietly loading something insecure. The first two tell you what to take to your host. The last one is a click away from closed.