Running your Joomla site through SSL
Early august, Google announced that it would take HTTPS as a ranking signal. It's a technical way of saying that your site's SEO benefits from the usage of HTTPS. So how can you tune Joomla to benefit from this? Do you need to run your site through SSL all of a sudden?
Is SSL really needed?
Before we focus on implementing SSL (HTTPS) with Joomla, let's deal first with the question whether implementing SSL makes sense. Google says it does. But Google says many things. If you have a small Joomla site with just a couple of pages, while the site itself is acting as an online business card or informational page, not having SSL is no big issue. Your site does not handle any sensitive data at all and therefore, security in general is not something to worry about. (Of course, your Joomla site should be up to date at all times.) For now, it is a safe bet that Google will not lower your ranking simply because you have no SSL. Don't sweat.
However, if your site offers features like e-commerce or user logins, sensitive data is being handled and therefore, security is more important. Not having SSL enabled in a shop is simply wrong: Your customers will not be able to trust transactions being made and neither will Google. The whole purpose of SSL is to protect sensitive data from being seen by unwanted others. A shop without SSL is simply incomplete. It is exactly this aspect that Google wants to solve first. When SSL is actually needed, it should also be part of your SEO strategy.
What Google says on SSL and ranking
With earlier Google updates, it become clear that faster sites were likely to get a higher rating than slower sites. Speed matters. With this new announcement, Google says that more secure sites are likely to get a higher rating than insecure sites. Security matters. So, for any webshop owner who still got away with not implementing SSL, this can be seen as a last call before penalties are being given.
Google also has a broader way on SSL and how it helps reshape the web. As of yet, SSL has always been seen as a special thing. Hosting a website is simple. Hosting a website with SSL is more difficult and lot of people don't take this extra step. But in the end, security becomes more and more important. In the future the web should be fast and secure. The current technology to make the web secure is SSL, so implementing SSL is a step forward.
It does not stop with simply recommending SSL. Currently, the web is being driven by HTTP1. Work is on the way for HTTP2, which will perhaps one day replace HTTP1 and will offer encryption of traffic out of the box. HTTP2 will also be a lot faster. Google has already implemented its own version of such a new protocol - SPDY - which is supported on webservers and some browsers (Chrome, Firefox, Opera, not IE). In short, running SPDY on your webserver (Nginx, Apache) will make HTTP communication between SPDY-enabled browsers and your server lightning fast. We are running itself and believe us, it gives really a boost.
One of the requirements of SPDY is HTTPS: You need to run your pages through SSL for those pages to be served through SPDY. This is one of the reasons we decided to run the entire site through HTTPS, so we can run SPDY. This way, implementing HTTPS makes our site faster, not slower. And our visitors are using a SPDY-enabled browser most of the time anyway (Firefox, Chrome).
Implementing SSL in Joomla
So what do you need to implement SSL in Joomla? First of all, you need a SSL certificate for which you need to pay - costs ranging from about 20 USD to 300 USD or even higher. Second, you need a dedicated IP address for your site. Describing the setup of this is not something I'll put in this blog, but to make it simple: If you can't be root on your server, the hoster will need to setup the IP and SSL certificate and provide you with instructions what you should do. If you can be root, you will need to have the knowledge for setting up the IP and SSL, or hire somebody who can do this for you.
Assuming the SSL certificate is enabled on your webserver, you can now type in your Joomla URL, change the prefix into https:// and it should work. The next step is to make sure all your Joomla visitors are using SSL as well. Within the Joomla Global Configuration, you can configure the setting Force SSL to work for the Entire Site. This will enforce SSL upon all your visitors.
If you wish to implement SSL only partially on your site, for instance all your e-commerce pages but not your blogs, you can as well. Our free SSLRedirect plugin is designed to redirect SSL to non-SSL and non-SSL to SSL, depending on your plugin configuration. You can configure SSL to be used for components, Menu-Items, articles and custom URLs.
As you can see, once you have your SSL certificate up and running, setting up things in Joomla is very easy. Having a shop or community site, where user credentials or other sensitive data are being transmitted, SSL is a must-have.
Written by Jisse Reitsma op 2 September 2014