One of the first things you should do when you install a new website is install an SSL certificate, free or paid, to encrypt traffic. Then, you must force HTTPS on Joomla 4 traffic. Neither are difficult tasks to complete and both instantly secure Joomla for you and your visitors.
cPanel server hosting includes AutoSSL, the SSL that’s auto-enabled forever, for effortlessly adding SSLs to all websites on your server. Cloud server administrators can install Certbot for free Let’s Encrypt SSLs. Contact Live Support if you need further assistance adding an SSL certificate to your website.
Remember, you need to have a valid domain-validated (DV) SSL certificate installed for your Joomla domain beforehand, or you’ll receive security errors.
Force HTTPS on Joomla 4
- Log into your Joomla 4 administrator dashboard (e.g. https://example.com/administrator).
- Select System from the sidebar.
- Under Setup, select Global configuration.
- Under the Server tab, select the drop-down menu for Force HTTPS and select Entire Site.
- Save changes.
- If your Joomla site is behind a load balancer (e.g. HAProxy or Apache Load Balancer), toggle the Behind Load Balancer switch to “Yes.”
- Visit your website (without “https://”) in a private web browsing session. It should automatically redirect to an SSL connection. If not, clear caching for your Joomla site, server, and browser and try again.
After you force HTTPS on Joomla 4, you should consider adding the HTTPS Strict Transport Security (HSTS) HTTP header to your site as well. HSTS protects users by forcing the SSL redirect from within the browser before the request reaches your server. Server and website SSL redirects and HSTS work together to mitigate HTTP downgrade attacks. You can configure Joomla HSTS and other security HTTP headers with the preinstalled HTTP Headers plugin.
Learn more about how to manage your Joomla site with our Joomla 4 Education Channel.