So I had been confounded. I used to have a sweet green securely loaded blog for ages and I didn’t know what I had changed to make it start throwing up mixed content warnings. I didn’t recall changing ANYTHING on the blog at all. Yet, when pages were accessed over https, they loaded assets over http – in spite of WordPress HTTPS being active.
The problem turned out to be W3TC Disk Enhanced page caching. It does not seem to distinguish between http and https versions of the page, resulting in the https version of the page serving the http page – of course, with assets loaded over http.
I used to redirect the non-ssl version of the blog to the ssl version, but for some reason, I decided to only use an HSTS header. Since the blog automatically loaded over https, I did not anticipate problems. However, the site being available over http apparently caused enough traffic (that ignored HSTS or was not capable?) to create cached pages that became a nuisance.
Two ways to fix this. I chose the easy one first. Redirected my non-ssl site to ssl. Done.
If this results in any noticeable drop of traffic or complaints from anyone who needs to use it without ssl for any believable reason, I will choose method two: relying on HSTS alone again and using either the disk basic or opcode cache for page caching instead of “page enhanced” – this ought to work.
You can check your website on whynopadlock.com to identify the exact assets loaded that are giving mixed content errors.