Joomla SSL Certificate: How to Enable HTTPS

In today’s web environment, a secure connection is no longer optional for a Joomla site. A valid SSL/TLS certificate protects visitor data, improves search‑engine rankings, and eliminates browser warnings that can drive traffic away. Following the official Joomla documentation as our reference, in this guide we walk through every step of a joomla ssl setup, from obtaining a free certificate to configuring Joomla and the web server, and we finish with troubleshooting tips and a short FAQ.

SSL vs TLS: What Is the Difference?

The terms SSL and TLS are used interchangeably in everyday conversation, but they refer to different protocol generations. SSL (Secure Sockets Layer) was developed by Netscape in the mid-1990s. After several vulnerabilities were found, the protocol was replaced by TLS (Transport Layer Security).

• SSL 2.0 and 3.0 are now considered insecure and disabled by all modern browsers.
• TLS 1.0 and 1.1 were deprecated in 2020 due to weak cipher support.
• TLS 1.2 is the minimum version accepted by current browsers.
• TLS 1.3 provides faster handshakes and stronger encryption. Most updated servers support it.

When we say “install an SSL certificate” on a Joomla site, we really mean installing a TLS certificate. The certificate is a digital document that binds a public key to your domain name. The TLS protocol then uses that certificate to establish an encrypted connection between the browser and your server.

Why SSL/TLS Matters for Joomla Sites

• SEO advantage – Google treats HTTPS as a ranking signal, so a secured Joomla site can rank higher than an identical HTTP site.
• Visitor trust – Modern browsers display a padlock icon for secure connections; a missing padlock triggers warnings that discourage users.
• Data protection – SSL/TLS encrypts the data exchanged between the browser and your server, preventing eavesdropping on login credentials, personal information, and payment details.

Wildcard, Single-Domain, and Multi-Domain Certificates

Before you start your joomla ssl setup, you need to pick the right certificate type. Here is a quick comparison:

Type	Covers	Best For	Cost
Single-Domain	One domain (e.g., example.com)	Simple Joomla sites with no subdomains	Free (Let’s Encrypt) or $10-50/year
Wildcard	All first-level subdomains (e.g., *.example.com)	Joomla sites with subdomains like blog, shop, or staging	$50-200/year (free via Let’s Encrypt DNS validation)
Multi-Domain (SAN)	Multiple distinct domains	Agencies managing several Joomla installations	$100-300/year

For most Joomla site owners, a single-domain certificate from Let’s Encrypt is the practical choice. If you plan to add subdomains later, go with a wildcard certificate. The hosting providers we reviewed in our Best Joomla Hosting guide all support free Let’s Encrypt certificates.

Prerequisites Before Enabling SSL

1. Obtain a certificate – You can purchase a commercial certificate or use a free one from Let’s Encrypt. The certificate must match the domain (or sub‑domain) you use for Joomla.
2. Check hosting support – Most shared, VPS, and dedicated hosts provide SSL installation via cPanel, Plesk, or a custom control panel. Verify that your host allows you to install the certificate and edit the .htaccess file.
3. Back up your site – Before making any changes, create a full backup of files and database. Follow our guide on Joomla Backup: How to Back Up and Restore Your Site for a safe workflow.
4. Know your Joomla version – The steps below work for Joomla 3.x and Joomla 4.x. Some menu labels differ slightly, but the overall process is the same.

Step 1 – Get a Free SSL Certificate with Let’s Encrypt

Many hosts integrate Let’s Encrypt directly into cPanel. Below is a typical workflow; adjust the exact wording to match your control panel.

1. Log in to your hosting control panel (cPanel, Plesk, etc.).
2. Locate the SSL/TLS or Security section and click Let’s Encrypt (or Free SSL).
3. Select the domain that hosts your Joomla installation, e.g., example.com and www.example.com.
4. Choose the Install button. The system will generate the certificate, private key, and intermediate chain automatically.
5. When the process finishes, you should see a status message such as “Certificate installed successfully”.

If your host does not provide a one‑click installer, you can use a tool like Certbot on a VPS. The essential command for Apache looks like:

sudo certbot --apache -d example.com -d www.example.com

After the certificate is installed, you will have three files (or their equivalents) on the server:

• Certificate (.crt)
• Private key (.key)
• Intermediate bundle (.ca-bundle)

Step 2 – Update Joomla’s configuration.php

Joomla stores the base URL and SSL settings in the configuration.php file located in the root of your site. We need to tell Joomla that the site will be accessed via HTTPS.

1. Open configuration.php with your preferred editor (cPanel File Manager, FTP, or SSH).
2. Locate the line that defines $live_site. If it is empty, you can leave it as is; Joomla will use the current request URL. However, for forced HTTPS it is safer to set it explicitly:

$live_site = 'https://example.com';

Replace example.com with your own domain.

3. Find the $force_ssl variable. Joomla offers three options:

Value	Description
0	Do not enforce SSL.
1	Force SSL only for the admin area.
2	Force SSL for the entire site (frontend + backend).

Set the value to 2 if you want all traffic to use HTTPS:

$force_ssl = 2;

Save the file and close the editor.

Step 3 – Force HTTPS via Joomla Global Configuration

Joomla also provides a graphical option to enable SSL. This method works in conjunction with the changes made in configuration.php and is useful for double‑checking the setting.

1. Log in to the Joomla administrator backend (/administrator).
2. Navigate to System → Global Configuration.
3. Click the Server tab.
4. Find the Force HTTPS dropdown. The three choices correspond to the values shown in the table above.
5. Select Entire Site (value 2).
6. Click Save & Close.

When you save, Joomla writes the same $force_ssl = 2; line into configuration.php. If you already edited the file manually, the UI will simply reflect the current setting.

Step 4 – Add .htaccess Redirect Rules

Even with Joomla’s internal setting, some visitors may still reach the HTTP version directly (e.g., via an old bookmark). Adding a redirect in .htaccess guarantees that every request is sent to HTTPS.

1. Locate the .htaccess file in the Joomla root. If you only see htaccess.txt, rename it to .htaccess.
2. Open the file for editing.
3. Insert the following block near the top, after the RewriteEngine On line:

# BEGIN Joomla SSL Redirect
RewriteCond %{HTTPS} !=on
RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
# END Joomla SSL Redirect

Explanation:

• RewriteCond %{HTTPS} !=on checks whether the request is not already using HTTPS.
• RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301] redirects the request to the same host and URI, but with the https:// scheme. The 301 status tells browsers and search engines that the change is permanent.

Save the file and close the editor.

Step 5 – Test Your SSL Setup

After completing the configuration, verify that the site loads securely.

1. Open a private browsing window and navigate to http://example.com. The address bar should automatically change to https://example.com and display a padlock.
2. Use an online checker such as Qualys SSL Labs to scan the domain. Look for an “A” rating and ensure that the certificate chain is complete.
3. Check for mixed‑content warnings in the browser console (press F12 → Console). If you see messages about “blocked insecure content”, move to the troubleshooting section.

Troubleshooting Common Issues

Symptom	Possible Cause	Fix
Browser shows “Your connection is not private”	Certificate not installed correctly or domain mismatch	Re‑install the certificate, ensure the ServerName matches the domain, and verify the certificate chain with SSL Labs.
Mixed‑content warnings appear	Resources (images, scripts, CSS) are loaded via http://	Search the site for “http://” URLs and replace them with protocol‑relative (//example.com) or absolute HTTPS URLs. Joomla extensions may need updates.
Redirect loop (too many redirects)	Both Joomla and .htaccess are forcing HTTPS, causing a loop when the server already redirects	Disable one of the mechanisms. If your host already forces HTTPS at the server level, set $force_ssl = 0 in configuration.php and keep the .htaccess rule.
404 errors after redirect	RewriteBase is set incorrectly in .htaccess	Open .htaccess and adjust the RewriteBase line to match the Joomla sub‑folder (e.g., RewriteBase /joomla/).
Admin login fails after enabling SSL	Session cookie path still points to HTTP	In Global Configuration → System → Cookie Settings, ensure the cookie domain is blank and the cookie path is /. Clear browser cache and try again.

Additional Tips for a Smooth SSL Transition

• Update internal links – Use Joomla’s built‑in “Search & Replace” plugin or a database query to change hard‑coded http:// URLs to https://.
• Check third‑party extensions – Some extensions generate URLs based on the current protocol. Review their settings or contact the developer if you encounter issues.
• Enable HSTS (optional) – Add Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" to your .htaccess after confirming everything works. This tells browsers to always use HTTPS for your domain.
• Monitor performance – SSL adds a small overhead, but modern servers handle it efficiently. If you notice a slowdown, review our guide on How to Speed Up Your Joomla Site.
• Keep a backup – If you need to revert, restore the backup you created before starting the SSL setup.

FAQ – Joomla SSL Setup

Next Steps

With HTTPS active, your Joomla site is now more secure, trusted, and search‑engine friendly. Consider reviewing our other security resources, such as Joomla Security: 15 Proven Tips to Protect Your Site, and keep your site up to date.

Step 1

Updating Database URLs from HTTP to HTTPS

After enabling SSL, you may find that some internal links, images, and module content still reference http:// URLs. These are stored in the Joomla database and need to be updated to prevent mixed-content warnings.

SQL Queries to Update URLs

Connect to your database through phpMyAdmin, Adminer, or the MySQL command line. Run these queries (replace example.com with your domain and jos_ with your table prefix):

-- Update article content
UPDATE jos_content SET introtext = REPLACE(introtext, 'http://example.com', 'https://example.com');
UPDATE jos_content SET fulltext = REPLACE(fulltext, 'http://example.com', 'https://example.com');

-- Update custom module content
UPDATE jos_modules SET content = REPLACE(content, 'http://example.com', 'https://example.com');

-- Update menu item links
UPDATE jos_menu SET link = REPLACE(link, 'http://example.com', 'https://example.com');

-- Update category descriptions
UPDATE jos_categories SET description = REPLACE(description, 'http://example.com', 'https://example.com');

Important: Always back up your database before running SQL queries directly. A single typo can break your site.

After running these queries, clear the Joomla cache from System → Clear Cache and verify that the pages load without mixed-content warnings.

SSL and Joomla SEO Considerations

Switching from HTTP to HTTPS is essentially a site migration in the eyes of search engines. If you skip a few steps, you may lose rankings temporarily. Here is what to do:

Update Canonical URLs

Joomla generates canonical tags automatically based on the site URL. Once you set $live_site = 'https://example.com' in configuration.php, all canonical tags should point to HTTPS. Verify this by viewing the page source and looking for <link rel="canonical" href="https://...">. If you use an SEO extension, double-check its settings as well. For more details, see our Joomla SEO-Friendly URLs: Configuration Guide.

Regenerate Your Sitemap

If you use an XML sitemap extension (such as OSMap or JSitemap), regenerate the sitemap after the migration. All URLs in the sitemap must use https://. Submit the updated sitemap in Google Search Console.

Verify the HTTPS Property in Google Search Console

Google treats http://example.com and https://example.com as separate properties. Add the HTTPS version in Search Console (or use Domain-level verification to cover both). You can also set the preferred version using the Settings → Change of Address tool.

Check for Redirect Chains

After enabling both Joomla’s Force HTTPS and the .htaccess redirect, test a few URLs to confirm there is only one redirect (HTTP → HTTPS), not two or three. Redirect chains slow down crawling and dilute link equity. Use a tool like Screaming Frog or the browser’s Network tab (F12) to inspect redirect hops.

Troubleshooting Common Issues

Symptom	Possible Cause	Fix
Browser shows “Your connection is not private”	Certificate not installed correctly or domain mismatch	Re‑install the certificate, ensure the ServerName matches the domain, and verify the certificate chain with SSL Labs.
Mixed‑content warnings appear	Resources (images, scripts, CSS) are loaded via http://. See MDN’s mixed content guide for details	Search the site for “http://” URLs and replace them with protocol‑relative (//example.com) or absolute HTTPS URLs. Joomla extensions may need updates.
Redirect loop (too many redirects)	Both Joomla and .htaccess are forcing HTTPS, causing a loop when the server already redirects	Disable one of the mechanisms. If your host already forces HTTPS at the server level, set $force_ssl = 0 in configuration.php and keep the .htaccess rule.
404 errors after redirect	RewriteBase is set incorrectly in .htaccess	Open .htaccess and adjust the RewriteBase line to match the Joomla sub‑folder (e.g., RewriteBase /joomla/).
Admin login fails after enabling SSL	Session cookie path still points to HTTP	In Global Configuration → System → Cookie Settings, ensure the cookie domain is blank and the cookie path is /. Clear browser cache and try again.
SSL certificate expired	Let’s Encrypt certificates expire every 90 days	Enable auto-renewal in your hosting panel or set up a cron job: certbot renew --quiet
ERR_SSL_VERSION_OR_CIPHER_MISMATCH	Server is using outdated SSL/TLS protocols	Update your Apache or Nginx configuration to disable SSL 3.0, TLS 1.0, and TLS 1.1. Use only TLS 1.2 and 1.3.

Security Headers Beyond SSL

An SSL certificate encrypts the connection, but it does not protect against all attacks. We recommend adding these HTTP security headers to your .htaccess file once HTTPS is working correctly:

# HSTS - Tell browsers to always use HTTPS
Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"

# Prevent clickjacking
Header always set X-Frame-Options "SAMEORIGIN"

# Block MIME-type sniffing
Header always set X-Content-Type-Options "nosniff"

# Basic Content Security Policy
Header always set Content-Security-Policy "upgrade-insecure-requests"

# Referrer Policy
Header always set Referrer-Policy "strict-origin-when-cross-origin"

The upgrade-insecure-requests directive in the Content Security Policy is especially useful during an SSL migration. It tells browsers to automatically request HTTPS versions of any HTTP resources on the page, which reduces mixed-content warnings without requiring you to find and replace every URL manually.

For a deeper look at Joomla security practices, read our guide on Joomla Security: 15 Proven Tips to Protect Your Site.

Additional Tips for a Smooth SSL Transition

• Update internal links – Use Joomla’s built‑in “Search & Replace” plugin or a database query to change hard‑coded http:// URLs to https://.
• Check third‑party extensions – Some extensions generate URLs based on the current protocol. Review their settings or contact the developer if you encounter issues.
• Enable HSTS (optional) – Add Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" to your .htaccess after confirming everything works. This tells browsers to always use HTTPS for your domain.
• Monitor performance – SSL adds a small overhead, but modern servers handle it efficiently. If you notice a slowdown, review our guide on How to Speed Up Your Joomla Site: The Complete Optimization Guide.
• Keep a backup – If you need to revert, restore the backup you created before starting the SSL setup.

FAQ – Joomla SSL Setup

Next Steps

With HTTPS active, your Joomla site is now more secure, trusted, and search‑engine friendly. Consider reviewing our other security resources, such as Joomla Security: 15 Proven Tips to Protect Your Site, and keep your site up to date.