A Complete Guide to Changing Your Joomla Website from HTTP to HTTPS

https

Why Change your Website to HTTPS?

Implementing HTTPS improves the security of your website and helps keep communication to and from the website secure.

Websites with HTTPS may rank higher in search engines.

HTTPS enabled websites show a padlock to website visitors so they are more likely to trust the website (especially if it is an e-commerce website) or a website that stores personal client data.

1. Enabling HTTPS

With the introduction of free SSL certificates (e.g. from Let's Encrypt), you may find that HTTPS is already enabled for your domain or it can be enabled in a few clicks in the control panel. Browsing to the https version of your website will tell you immediately if https is enabled or not.

SiteGround

  • Login to cPanel and click on "Let's Encrypt"
  • Check that the SSL certificate is already installed for the relevant domain
  • Let's Encrypt certificates are automatically renewed

VentraIP Legacy Economy and Business cPanel Accounts

  • Log in to https://vip.ventraip.com.au and go to Shared Hosting -> Manage -> [Domain Name] -> Let's Encrypt SSL
  • Click on "Install" to install the Let's Encrypt certificate for your domain, if it's not already installed
  • Let's Encrypt certificates are automatically renewed

VentraIP Newer cPanel Accounts

  • Log in to https://vip.ventraip.com.au and go to Shared Hosting -> Manage -> [Domain Name] -> AutoSSL
  • Click on "Start AutoSSL Check" to initiate the installation of the AutoSSL certificate for your domain and follow the prompts to complete the installation, if it's not already installed
  • AutoSSL certificates are automatically renewed

Zuver

  • Log in to https://my.zuver.net.au and go to Hosting Services -> Manage -> [Domain Name] -> Let's Encrypt
  • Click on "Install" to install the Let's Encrypt certificate for your domain, if it's not already installed
  • Let's Encrypt certificates are automatically renewed

Check that https is enabled by browsing to the https version of your website. You should see a green padlock or similar near the url in your web browser.

2. Joomla

Log in to the back-end of the Joomla website and set System -> Global Configuration -> Server -> Force HTTPS to "Entire Site".

3. htaccess

Redirect the HTTP version of the website to HTTPS by adding the following at the end of the .htaccess file:

RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]

4. Fix Mixed Content

Update any remaining http links to https links so website visitors don't see mixed content warnings in their browsers. The following and similar tools can help identify remaining http links:

  • HTTPS Checker is a desktop application for Windows, Mac or Linux and the free version allows you to crawl up to 500 pages
  • SSL Error Checker is an online tool which checks a single URL
  • WhyNoPadlock is an online tool which checks a single URL

4.1 Akeeba Admin Tools

If the http links can't easily be changed to https (or there are too many to easily change manually), the links can be converted automatically to https using an option in the free or the paid version of Akeeba Admin Tools. This option can be found at Components -> Admin Tools -> SEO and Link Tools -> Convert all links to HTTPS when site is accessed over SSL.

4.2 Regular Labs ReReplacer

The free or paid version of Regular Labs ReReplacer can be used to change all https:// references in the source code to https:// although this is a fairly heavy handed approach and you'd need to check your website is still working as expected after implementing this change.

If using ReReplacer, you could use a link checker such as one of the following to check for broken links:

5. robots.txt

Update http:// references in your robots.txt file to https:// where appropriate.

6. Google Search Console (aka Webmaster Tools)

Add the https version of the website to Search Console and submit the https:// version of the sitemap. Remember to resubmit your site map for the https version of the website.

7. Google Analytics

Change the Property setting of the website from http:// to https://

8. Social Networks

Social Networks usually treat the https version of the website as a separate website so you may have to start from zero again with your "share" and "like" counts. This can sometimes be worked around by choosing an option in your social network extension (e.g. Fast Social Share) to continue to display the share and like counts from the http version of the website until you have collected sufficient shares and likes on the https version of the website.

9. Automatic SSL Certificate Renewal

Let's Encrypt SSL certificates seem to be valid for 90 days and should auto renew 30 days before expiry (at least this is the case on SiteGround). Unfortunately the renewal process sometimes fails. Let's Encrypt certificates are issued for the domain and also any subdomains associated with the main domain e.g. mail.domain-name.com at the time the certificate is created. If the subdomains change in any way during the life of the certificate, the original certificate must be manually cancelled in favour of a new certificate. Assuming your subdomains don't change, then the next renewal should go through as expected.

March 2018 Update:

SiteGround now offer free "wildcard" Let's Encrypt SSL certificates which probably fixes the automatic renewal failure problem.

Removing Unused Joomla Extensions

Benefits

Removing unused third party Joomla extensions has several benefits including:

  • performance improvement
  • reducing website maintenance
  • improving website security
  • reducing conflicts between extensions

There's usually no point removing unused core extensions as there may be dependencies that are not obvious and Joomla updates will likely reinstall these anyway.

Compiling a List of Third Party Extensions

Find which third party extensions are installed by logging in to the back-end of the website and going to Extensions -> Manage -> Manage. Once you have sorted the list by clicking on the "ID" column heading (see example below), the third party extensions can be found at the end of the list after the items with "Joomla! Project" as the Author. On later versions of Joomla 3, this is around item ID  = 10000. (Thanks to Tim Davis from www.cybersalt.com for this tip)

Managing Extensions

Ignore the following extensions which are installed by default as part of the Joomla 3.x core:

  • beez3 Template by Angie Radtke
  • Editor - CodeMirror Plugin by Marijn Haverbeke
  • Editor - TinyMCE Plugin by Ephox Corporation or Tiny Technologies, Inc
  • FOF by Nicholas K. Dionysopoulos / Akeeba Ltd
  • Hathor Template by Andrea Tarr
  • IDNA Convert Library by phlyLabs
  • Isis Template by Kyle Ledbetter
  • phpass Library by Solar Designer
  • phputf8 Library by Harry Fuecks
  • protostar Template by Kyle Ledbetter

How to Check if a Third Party Extension is Being Used

Components

Installed and enabled components are generally found under the Components menu. Some Components are used in the back-end only (e.g. Akeeba Backup) and you will generally know if you are using these types of Components or not.

Components that are used in the front-end are often associated with a menu item so open each Menu and scan the list of menu items to see which components are in use. (See below for an example). You can probably ignore menu items that are disabled.

Menu Administration

Modules

You can see which third party modules are being used at Extensions -> Modules. (See below for an example). You can probably ignore modules that are disabled.

Module Administration

Note that menu items with no module position assigned may or may not be in use as these can be inserted into content using "loadmodule" syntax or similar. Modules can also be inserted into pages using a page builder such as SP Page Builder so don't assume a module with no module position can be removed.

You can find out if loadposition or loadmodule are being used by searching the website for "{loadmodule" and "{loadposition". If there's no search option published on the website, you can usually browse to www.example-website-name.com/index.php?option=com_search&view=search to show the Joomla standard search. If third party extensions for displaying modules are installed you may need to do additional searches. For example, search for "{module" if Regular Labs Modules Anywhere is installed.

Plugins

You can see which third party plugins are being used at Extensions -> Plugins. (See below for an example). You can probably ignore plugins that are disabled.

Plugin Administration

Templates

You can see which templates are being used at Extensions -> Templates. Templates that are not being used will show "Not assigned". (See below for an example).

Template Administration

Removing Unused Third Party Extensions

Before doing any changes, be sure to run a full backup of the website using Akeeba Backup or similar and copy the backup file off-site as a precaution.

Before removing an extension that looks like it is not being used, I recommend disabling it first and testing the website thoroughly to be sure that everything is still working as expected.

Once you are confident that the extension is not needed, then remove it.

Website Health Check

To find out how well your website is configured, order a Website Health Check for $90.

The Health Check includes:

  • check CMS and third party extension/plugin versions
  • check Google is seeing the website as responsive
  • check website page load speed
  • check robots.txt
  • check free space
  • check backup is enabled and suitably configured
  • check web hosting configuration and suitability
  • recommendations on how best to address any discovered issues

Note that no changes are made to your website during the Website Health Check without consulting you first.

The cost of a Website Health Check is refundable if you purchase a 12 month Website Maintenance and Backup Subscription within 30 days of the check.

Website Maintenance and Backup Subscriptions

  Economy Business Enterprise
Monthly Cost $39 per month $69 per month $99 per month
Annual Cost $390 per year* $690 per year* $990 per year*
Third party extensions up to 10 extensions up to 20 extensions up to 30 extensions
Monthly Report Yes Yes Yes
Free initial security audit (valued at $220) Yes Yes Yes
Monitor new CMS and third party extension/plugin updates Yes Yes Yes
High priority CMS updates installed within 24 hours Yes Yes Yes
High priority third party extension/plugin updates installed within 24 hours Yes Yes Yes
Non-critical CMS and third party extension/plugin updates installed quarterly Yes Yes Yes
Monthly off-site backups Yes Yes Yes
Non-critical CMS and third party extension/plugin updates installed monthly No Yes Yes
Installation of web application firewall (e.g. Akeeba Admin Tools Pro) No Yes Yes
Weekly off-site backups No No Yes
Monthly malware scan No No Yes

* Pay 12 months in advance and get 2 months free.

The Best Shared Web Hosting for Australian Businesses and Organisations

As a web developer, I am wary when contacted by prospective clients who tell me that they have already arranged their web hosting. The selected web hosting company is often not the best choice for various reasons.

Web Hosting Tip:
My number one tip when choosing a web hosting company is to ask your web service provider before purchasing a web hosting plan so they can recommend a plan that is suitable for your particular requirements. Choosing the wrong plan can be a costly exercise!

With Google now including performance as a ranking factor, it is more important than ever to make good decisions about your web hosting provider.

Shared Hosting

Shared web hosting is an affordable web hosting option where your website is securely hosted on the same server as a number of other websites and usually located in a secure data centre.

Shared hosting suits most businesses and organisations with plans typically offering 5GB, 10GB, 25GB or similar storage space often with unlimited monthly bandwidth.

Choosing a Web Hosting Plan

Your choice of web hosting plan and server location depends on a number of factors such as cost, value for money, the geographic location of your target audience and the type of website.

The following plans are the ones I tend to recommend for WordPress, Joomla and similar websites. All of these service providers offer good uptime (reliability), security, performance, technical support and value for money. They also keep their servers up to date so you can always select a supported version of PHP.

DreamIT Host Logo

DreamIT Host has been around since 2016 and offer great value for money business and premium shared web hosting plans.

DreamIT Host offer 24/7 e-ticket support with phone support on some of the more advanced plans. The support team are based in Melbourne.

The choice of server location includes Sydney, Melbourne and Auckland.

With NVMe disk storage and LiteSpeed cache, websites hosted by DreamIT Host load very quickly.

DreamIT Host is an excellent choice for businesses targeting an Australian or New Zealand audience.

ROBTEC Logo

ROBTEC has been around since 2000 and offer great value for money business shared web hosting plans.

ROBTEC offer 24/7 e-ticket support and aim to respond within an hour.

Server infrastructure is primarily in Sydney and performance is excellent with LiteSpeed cache available.

ROBTEC is an excellent choice for businesses targeting a local Australian audience.

UpTime Web Hosting Logo

UpTime Web Hosting was founded in 2018 and offer excellent value for money shared web hosting plans including specialist WordPress hosting plans.

The local e-ticket support is also excellent.

Server infrastructure is in Sydney with very good performance and LiteSpeed cache is available.

UpTime Web Hosting is an affordable choice for businesses targeting a local Australian audience.

VentraIP Logo

VentraIP has been around since 2010 and offer good value for money shared web hosting plans including specialist WordPress hosting plans.

The 24/7 phone and e-ticket local support is excellent.

Server infrastructure is mostly in Sydney and performance is excellent with LiteSpeed cache available.

VentraIP is an excellent choice for businesses targeting a local Australian audience.

FastComet Logo

FastComet has been around since 2013 and offer great value for money shared web hosting plans.

Support is available 24/7.

The choice of server location includes USA, Europe, Singapore and Sydney.

FastComet is an excellent choice for businesses targeting an international audience.

Hawk Host Logo

Hawk Host has been around since 2004 and offer great value for money shared web hosting plans.

Support is available 24/7.

The choice of server location includes USA, Europe, Hong Kong and Singapore.

Hawk Host is an excellent choice for businesses targeting an international audience.

ICDSoft Logo

ICDSoft has been around since 2010 and offer great value for money shared web hosting plans including specialist WordPress, Magento and WooCommerce hosting plans.

Support is available 24/7.

The choice of server location includes USA, Europe and Hong Kong.

ICDSoft is an excellent choice for businesses targeting an international audience.

Other Recommended Web Hosting Companies

For up to date information on the best and worst local web hosting companies, see Web Hosting Down Under and the latest posts in the Web Hosting Forum on the Whirlpool forums.

Web Hosting Companies to Avoid

The following web hosting companies are best avoided as these companies will have your web developer tearing their hair out!

  • Crazy Domains and associated brands including Aust Domains and Cheap Domains.
  • GoDaddy, SiteGround and HostPapa.
  • Internet Service Providers. Some ISPs offer web hosting but this is not one usually of their strengths and the cost is usually overpriced.
  • Melbourne IT and associated brands including AussieHQ, Domainz, Ilisys, Jumba, NETantics, Netregistry, SmartyHost, TPP Wholesale, UberGlobal, WebCentral and Ziphosting.
  • Newfold Digital (includes EIG, Web.com, Dreamscape and Hostopia brands) including Anchor, Aust Domains, Bluehost, Cheap Domains, Crazy Domains, Crucial, Digital Pacific, Dreamscape Networks, Enetica, HostGator, Net Logistics, Panthur, Quadra Hosting, Vodien, Web24 and Webcity. For a full list of Newfold Digital and associated brands, see the article on the Research As A Hobby website.

With frequent mergers and acquisitions, the Australian web hosting landscape changes constantly. For up to date information, see the Web Hosting Companies to Avoid article on Web Hosting Down Under.

Web Hosting Tip:
It is often worth spending a little extra on a better quality web hosting provider to minimise downtime, improve the performance and security of the website, to ensure prompt support is available when it is needed and to ensure your chosen web hosting provider is still around to support you in future.

Website and Web Hosting Performance Check

The longer your website takes to load, the more likely visitors will browse elsewhere. Ideally, web pages should load in less than 4 seconds.

You can test your own website or competitors websites using GTMetrix, Pingdom or similar.

Create a free account on GTMetrix so you can choose which location to run the test from.

gtmetrix example

pingdom example

Move My Website to a Better Web Hosting Company

Moving a website to a new web host typically takes a couple of hours or around $176 and includes:

  • backing up the current website
  • finding the most suitable web hosting company for your particular website within your budget
  • purchasing a new web hosting plan on your behalf
  • restoring the website to the new web host
  • updating the domain name to point to the new host
  • testing
  • forwarding any orphaned emails on the old host to the new host
  • optionally moving your domain name to the new service provider

Note that you will be moving to a better web hosting company and for most of my clients this is often a cheaper web hosting company so that the cost of the move is soon recovered.

Contact me to enquire about moving web hosts.

Time to Upgrade to a Responsive Template in preparation for "Mobilegeddon" on 21st April

MobilegeddonApparently more than 50% of web searches now originate on mobile devices and Google recently announced that mobile-friendliness will be a ranking signal from April 21st 2015.

A Google Engineer suggests this change will affect as many websites as the Panda and Penguin algorithm updates and industry experts have christened this latest algorithm update, "mobilegeddon".

Responsive Templates

The best way to ensure your Joomla website search ranking is preserved is to implement a responsive template if you don't already have one.

Responsive templates are available for Joomla 2.5 and there were even a few for Joomla 1.5 but Joomla 1.5 and Joomla 2.5 are already "end-of-life" and you should ideally migrate to Joomla 3.x which ships with Bootstrap and already includes some responsive templates.

robots.txt Changes

If you installed Joomla prior to version 3.3, you will likely need to amend your robots.txt file to ensure that Google can access CSS, JavaScript and other files in your template folder to confirm your website is mobile friendly.

Mobile Friendly Testing and Official Instructions from Google

Google has provided a test tool at http://www.google.com/webmasters/tools/mobile-friendly/ so you can check that your website is ticking all the relevant check boxes.

Google has also provided instructions on how best to make your website mobile friendly including specific instructions for Joomla, WordPress and other popular platforms.

More Information

For more information see:

http://searchenginewatch.com/sew/how-to/2398591/-mobilegeddon-is-coming-on-april-21-are-you-ready
http://www.entrepreneur.com/article/244175
http://www.didit.com/mobilegeddon-tip-of-the-week-examine-your-robots-txt-file/
http://www.stemlegal.com/strategyblog/2015/mobilegeddon-the-countdown-is-on/