WordPress with ssl form let's encrypt, but homepage not fully secure. "Attackers might be able to see images.." message

Sending images via http protocol is what triggers this issue. Using any content from a cdn that does not use https will also trigger this issue. This quote explains it pretty simply (the yellow padlock / warning of unencrypted content/images):

If a yellow padlock appears with a mini yield sign, the likely cause is links in your site still refer to an unsecured page. Make sure that all your images, menu items and links use https in the URL. source

I would use a tool to help identify all non-encrypted file transports. One such tool would be something like Why No Padlock.


Did you enable https after installing WordPress? If so, you must change the WordPress address and Site Address under "General Settings" in WordPress. Make sure both addresses use https.

If your WordPress site address is set to use http, your server will force https but WordPress will serve certain images, like the favicon, over http. This triggers a "mixed content" warning.