Front page defaced after enabling "Always use HTTPS."


My website is not one which has a purchased SSL Certificate and I’m using the free version of Cloudflare. Navigating to the “Crypto” menu, I enabled “Always use HTTPS” about an hour ago and it completely defaced the front page of the website.

Additionally, the URL bar in the Chrome browser displays the warning:

This page is trying to load scripts from unauthenticated sources.

And now there is an “https://” displayed before the name of the website for the front page, when there wasn’t one before.

If I navigate to any other page but the front page, everything appears to be fine.

I have tried disabling all plugins (website uses Wordpress) and Cloudflare (as well as restoring the settings to how they were before), but that has not fixed the issue. I’ve read that this is a SSL Mixed Content problem, but I don’t know where to go from there.

I have read this help page:

Website: (currently with a maintenance message).


I think this is something you need to fix in WordPress so that it doesn’t generate http links but refers all of the website’s resources with https.

Or you might want to try Cloudflare’s automatic HTTPS rewrites which can do that for you (unless you have external HTTP resources, which makes this harder/impossible):

How to disable HTTPS completely, temporarily?

Hi. Is it possible to view the main page or could you potentially take down the maintenance page for a bit for more in-depth community analysis?


Enabling “Automatic HTTPS Rewrites” results in the front page not looking as defaced as it was before, but it leads to all the images on the website no longer appearing, and not only those on the front page anymore. When that option is disabled, only the front page appears with an “https,” but enabled, it is all the pages, which I assume is the explanation.


I have currently deactivated maintenance mode. “Automatic HTTPS Rewrites” is currently enabled, with “Always use HTTPS” currently being disabled.


Thanks! Could you turn “Always use HTTPS” back on though? I understand you don’t want your site appearing broken to the public, but I need to see it that way for a few moments…


“Always use HTTPS” has been reactivated. Should I disable “Automatic HTTPS Rewrites” to replicate the issue as I described it before?


Oh, yes please :smiley: I’ll go take a look


“Automatic HTTPS Rewrites” has been disabled.

Though this time, “https” is on all the pages and not just the front page, so all of them look bad.


It appears to be your images. When you had “Automatic HTTPS Rewrites” enabled it was just one: Persona-5-Background.jpg. Now, with the rewrites disabled, it’s all of them (in addition to some CSS).

I would suggest re-enabling “Automatic HTTPS Rewrites” for now.

Are you using a specific Wordpress plugin for your background image?


I have reenabled "Automatic HTTPS Rewrites."The background image is not part of a plugin, but part of the theme. All plugins save for the Maintenace mode plugin and Wordpress Jetpack are currently disabled.

Edit: Actually, correction: The images appear when I access them from the backend: "" They do not appear on the main website where they’re supposed to be.


I’m seeing images and :lock: in both FF and Chrome!

Chrome still has issues with your emoji though I had this issue once and I’ll ned to dig around a bit to remember how I fixed it…


As JuM stated before, I used Wordpress in the admin dasboard to go to Settings > General, and then changed the URL of the website from “” to “”. This seems to have fixed issues on the front end.

However, I can no longer access the administrator dashboard myself… so that’s another issue.

In any case, there is still an error message that says “This page is trying to load scripts from unauthenticated sources,” and that is worrying.


Yes, your wp-admin page is in an infinite redirect now. This can happen if you’re using Flexible SSL and make URL changes in WP settings > general. This is sometimes fixed by installing this plugin. I’ve painted myself into this corner before whereby I needed to install that plugin but was unable to access wp-admin to do so. To get back into wp-admin I had to dive into the db and revert those URL changes back to just http, then put Cloudflare into development mode, navigate to the non-https wp-admin, and install the plugin… You could also potentially install the plugin via SFTP though I’m not sure if you can ‘activate’ it.

Which browser are you seeing this with?


Okay, thank you. This was a mess, but I changed the website’s URL through the database, installed the plugin, changed the URL back to https, and I can now access both the front-end and the back-end.

I am using Chrome. Before, there would be a red alert notification to the far right of the address bar that would give that notice, but since I made the last changes, it’s no longer there. And there’s the green “Secure” lock too, now, so I guess the website now has a proper HTTPS connection.

Thanks a lot for your help. I appreciate it.


No problem :+1: