How to Force SSL in Joomla 3

How to Force SSL in Joomla 3

Force SSL is an important built-in security feature of Joomla. It gives you the option to enable or disable SSL at any time. When the feature is turned on, your website uses secure HTTPS protocol, and the private data, like credit card information and passwords, is transferred over your site in an encrypted format.

Before enabling SSL, you must determine whether you really need an SSL certificate. If you run an eCommerce site with Joomla, a private SSL certificate is a must because your customers want to see your domain when making payments.

But in the case that you operate a blog or community only, you can try the affordable shared SSL to secure some of your pages only. Shared SSL usually uses a temporary URL provided by your hosting provider instead of your domain.

If you have decided to force SSL on your own domain name, you will need to prepare two things at first:

  • A private SSL certificate which has been installed on your server successfully.
  • A dedicated IP.

When the SSL certificate and IP address have been well prepared, follow the tutorial below to manage the “Force SSL” feature.

Force SSL in Joomla 3

Enabling the “Force SSL” feature is quite easy. Firstly, log into Joomla control panel and navigate to System > Global Configuration. Secondly, click to open the “Server” tab.

Server Settings

Under the “Server Settings”, you can see the line of “Force SSL”. There are three options in the corresponding drop-down:

  • None: The feature is turned off.
  • Administrator Only: SSL is enabled for administrator connections only.
  • Entire Site: SSL is enabled for the whole site.

Now you can select an option according to your own need. Do not forget to hit the “Save” button on the upper left.

Force SSL in Joomla 3

As long as SSL certificate has been installed and you have chosen to force SSL for “Entire Site”, you can go back to the frontend of your site to see that your domain has been transformed from http://yourdomain.com/ to https://yourdomain.com/.

Redirect Visitors After Forcing SSL

You now have your URLs working as HTTPS, but if a visitor visits your page using the old URL which starts with HTTP, he/she will not be redirected to the new URL automatically. To resolve this problem, you need to make the following configurations.

Edit the configuration.php file. Open the file in a text editor, and find the following line.

public $live_site ='';

Replace the line with the code below.

public $live_site = 'https://yourdomain.com';

Edit the .htaccess file. Open the file in a text editor, and add the lines below at the end of the file.

RewriteEngine On
RewriteCond %{HTTPS} OFF
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}

How to Disable Force SSL If You Are Locked out of Your Site?

There is a case that you are completely locked out of your site after enabling “Force SSL”, which is probably because SSL is not enabled on your domain properly. To regain the normal access to your website, edit your configuration.php file and find the following line.

public $force_ssl = '2';

As “2” refers to “Entire Site”, “1” refers to “Administrator Only” and “0” is “None”, you just need to change the number in the line to be “0” to get “Force SSL” disabled. With this setting, you should be able to access your website again.

public $force_ssl = '0';

Extra Tips for Forcing SSL in Joomla 3

There are two things you may need to pay attention to when you are considering using SSL to improve Joomla security.

  • Using HTTPS consumes more resources than the standard HTTP because of the encryption and decryption for the web browser and server. Therefore, you may consider encrypting parts of your website only if your website is not completely running eCommerce.
  • In the case that you want to protect certain pages with SSL, you will need to use an SSL redirection extension. Joomla control panel does not come with the options.