There are various tools for checking that your website is secure. These tools are great as a starting point but aren’t fully bulletproof so the below is a good workflow if you fixed all instances that an SSL checkers like https://www.jitbit.com/sslcheck/ picked up.
First check DOM related items by clicking view-source:YOUR-URL from the URL/search bar. Then got to Edit > Find in your menu bar (click CTRL+F / CMD+F) to search all instances of “http:” and replace them with https. Be careful not to just search “http” because that will still match instances of “https” so you need that colon in there.
Then check your stylesheet, and other template pages that were hand-coded for “http:” mentions. A common culprit is references to @import fonts that have http requests in them as well as background-image properties throughout your stylesheet.
Then check your functions.php, front-page.php and other template pages in your active theme folder. The easiest way to do this is to log in to your FTP client, download the theme folder and run the search on instances of “http:” for that folder on your computer. (TL;DR Actually the fastest way would be via commands in your hosting account’s cpanel, but that’s a bit advanced for this post and as more and more wordpress sites go to “managed wordpress” hosting, access to command line may not exist.) Replace internal http requests (like yourwebsite.com type URLs) with https and for external requests simply use // to skip the http: or https: part. This is a good practice as a lot of sites are switching to https or will be soon, and you DON’T want to list a non-secure request as secure or chrome may throw a scary message to the user upon clicking that request. I’ll see if I can add a screenshot).
Then check your loaded DOM – not your source code. I’ve made this mistake a few times of skipping it and any scripts that dynamically load URL references won’t get caught in a “Find” search on the actual source code that you see when you view-source. So right click > inspect element or go to View > Developer > Developer Tools, and make sure in that window that you are in the “Elements” tab at the top of the window, that’s your fully rendered DOM. There you can click CTRL+F or CMD+F to search HTTP: (it shows at the bottom of that window and is a bit subtle if you don’t know where to look for the search bar). Then it will auto highlight those references. An example of http references you may find there is any scripts that get loaded from a popup plugin, this is a common culprit for us. Just think – anywhere you added code manually to a plugin that was not on your specific site’s theme files, or would have been loaded into your database.
Last but not least, if you are still not showing the “Secure” badge you can run a search on your mySQL database in phpmyadmin – this will cover finding all hardcoded instances of “http:” in most plugin configurations or related stored information, posts, pages, and any custom post types like portfolio item descriptions, etc.
Good luck and happy troubleshooting!