How to enable SSL/HTTPS on a Joomla site (detailed guideline)

By now, you might have known that Google prefers SSL/HTTPS based sites which means a better treatment in indexing and search result listing. The latest news is, Google Chrome browser has started flagging all HTTP websites as “Not Secure” (untrustworthy) without any exceptions. Are you scared? You should be. But don't worry! Now I will show how to enable SSL/HTTPS on a Joomla site in few easy steps.

We'll discuss on:

• The quickest solution
• A FREE and easy method
• The manual and advanced ways

Did you know?

SSL/HTTPS enhances user-privacy by encrypting the data transmitted between a browser and the server. 

Before adding SSL, you site’s URL looks like http://www.example.com. Activating SSL will make it https://www.example.com. To get it done, we need to work both in the site’s hosting server and domain SSL certificate control sides. An SSL certificate can secure one or more domains; to create an SSL host for a domain, you must have a certificate that secures that domain.

The quickest solution: SSL from your hosting provider

As the first step you have to contact your hosting support and ask them if they can make your site available via HTTPS. Many hosting companies offer SSL certificates (from free Let's Encrypt and other providers) for their customers. And from cPanel you can set SSL for your domain in less than a minute (for example, using the  AutoSSL feature). If you use cPanel, you can utilize this method to enable HTTPS on your site. To enable AutoSSL for free, follow this official tutorial from cPanel.

FREE and easy: Cloudflare Flexible SSL

Cloudflare, the renowned web security & performance company and CDN provider, makes SSL activation easy. For websites, blogs, and anyone who wants to explore Cloudflare, they have a free plan. Cloudflare has a free service called 'Flexible SSL' that lets you add HTTPS to your site easily.

Figure: Cloudflare dashboard.

The process is simple: First we'll see the Cloudflare side configuration. Then the Joomla-side config will follow.

1. Create an account with Cloudflare
2. Add your website to your Cloudflare account
3. Wait some time until Cloudflare fetches your DNS records
4. Verify the DNS record
5. Complete the set up procedure (details on this official tutorial)
6. Login to your domain registrar and change your domain's Name Servers as provided by Cloudflare (this can take a few hours)
7. Create an 'Always HTTPS' Page Rule on Cloudflare for your domain (details on this official help article)
8. Go to the Crypto section of Cloudflare and set the SSL option to Flexible.

The Cloudflare-side setup is done. Now configure your Joomla site to turn SSL on. Follow the process below (a screenshot is given after the texts).

1. Go to System > Global Configuration > Server tab
2. Set the Force HTTPS option to Entire Site
3. Save & Close settings

(However, this can also be done by editing the .htaccess file of the site, which someone may find a bit complex than the built-in method.)

Figure: Joomla-side configuration to turn HTTPS on.

It's done! Clear browser cache and server-side caches. If you see any yellow warning (mixed content), then fix that issue by following the methods detailed in our another post here.  

The manual and advanced ways

The above free methods are easy & quick HTTPS solutions. If you want to get an advanced paid SSL certificate for your website, you may need some manual tasks. Here is an example outline for configuring SSL semi-manually on a cPanel based site. Remember, if you don't have cPanel (or have no panel at all), you can still enable HTTPS on other ways depending on which SSL certificate you are using (both free and paid ones). Now let's see cPanel's semi-manual way. However, the terms may vary to cPanel's version to version. 

Server-side configuration

Get and activate an SSL certificate. Then Login to your site’s cPanel interface.

Figure: cPanel security settings section.

Now follow the instructions below.

1. Open SSL/TLS Manager found in the Security section
2. Click Manage SSL Sites under Install and Manage SSL for your website (HTTPS)
3. Copy the certificate code you received from the certificate authority (normally via email) including -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- and paste the code into the Certificate: (CRT) field on the coming page.
4. Click the Autofill by Certificate button and the system will attempt to fetch the domain name and the private key (otherwise do it manually).
5. If not filled in already, copy and paste the CA Bundle into the box under Certificate Authority Bundle (CABUNDLE).
6. Click on the Install Certificate button

The certificate should be now installed on your site server. The next step is to configure HTTPS/SSL inside Joomla. You can verify the certificate installation using this tool. A detailed tutorial for cPanel and SSL can be found here. If you are not using cPanel, you can see this link to get detailed instructions for Apache OpenSSL, NGINX etc. 

One more step: Configure HTTPS/SSL inside Joomla

After installing & enabling the SSL certificate on your server, configure your Joomla settings to force HTTPS on the entire site. Visit the admin panel.

1. Go to System > Global Configuration > Server tab
2. Set the Force HTTPS option to Entire Site
3. Save & Close settings

Figure: Joomla-side configuration to turn HTTPS on.

And it’s all done. You’ve just enabled HTTPS on your Joomla site. Don't forget to clear your browser cache and other server-side caches. 

How to fix mixed content warnings on Joomla

When a Joomla site doesn’t fully protect or secure all content (attachments, images, menu links, css or javascript files), a browser will display a “mixed-content” warning because of the old HTTP based URLs. The best way to avoid mixed content issues is to serve all content via HTTPS instead of HTTP. You can manually fix this issue by adding the new secured (HTTPS) links to these fields. But sometimes you need to put more effort into. Please read our related tutorial "How to do SSL check & fix" to solve these.

Adding HTTPS to a Joomla site can be done in several methods. Here we've just shown a few common ways. The procedures may need to be customized depending on your site's unique needs. Please share your experience and suggestions with the community via comments. Stay secure, happy developing! 

Note: This post was originally published on December 19, 2015. It has been updated on July 26, 2018 to add additional information.