I don't use it. Joomla Global Configuration > Server > Force SSL = 'None'.

Instead I'm

  • using Virtuemart 'Enable SSL for sensitive areas' under VirtueMart Configuration > Shop tab
  • set 'Secure' to "On" in Joomla Menu Manager: Edit Menu items > Metadata Options for links to sensitive pages like 'View Cart, Your Order History, Your Account', etc.
  • enabled 'Encrypt Login Form' for the Login Form in Module Manager > Module Login (If enabled, you can see the 'https' link in the source code of the page where the module is published).

SSL certificates

SSL only works if you have an SSL certificate installed and bounded to your domain on your server (usually the hoster takes care of that).

SSL certificate should be configured for the domain or subdomain on the server.

Personally I'm using the free StartSSL, which works fine with Joomla/VirtueMart.

But the majority of people are buying their SSL certificate from providers like Verisign, Comodo, Thawte, GoDaddy (the latter might be on the cheaper side, but somewhat more tricky to set up).

In order to use it, your hoster must be willing to configure it for your domain on the server.

How do you enable https in Virtuemart

In 'Configuration' - 'Shop' tab: Enable SSL for sensible areas (recommended)


SSL is only used for the sensible pages.

When you are returning to the shop, SSL is off.

Insecure contents

Some of web page contents could be insecure, for more detailed, all contents including links, files, images, etc must be starting with https.

Better use relative url for content such as /shop/logo.png

You can use this service http://www.whynopadlock.com to check which elements are insecure and try to fix them out.

This is what worked for me

Adding to you main Joomla template just after the <head> tag before and css or js loads

<?php if ((JRequest::getVar('option') == 'com_virtuemart' and JRequest::getVar('view') == 'user' || JRequest::getVar('view') == 'orders'  || JRequest::getVar('view') == 'cart'  )): ?>
<?php if($_SERVER['SERVER_PORT'] != '443') { header('Location: https://'.$_SERVER['HTTP_HOST'].$_SERVER['REQUEST_URI']); exit(); } ?>
<?php endif; ?>


<?php if ((JRequest::getVar('view') !== 'cart' )): ?>
<?php if ((JRequest::getVar('view') !== 'user' )): ?>
<?php if ((JRequest::getVar('view') !== 'orders'  )): ?>
<?php if($_SERVER['SERVER_PORT'] != '80') { header('Location: http://'.$_SERVER['HTTP_HOST'].$_SERVER['REQUEST_URI']); exit(); } ?>
<?php endif; ?>
<?php endif; ?>
<?php endif; ?>

A quick and dirty way

to get it done until someone creates a plugin that adjusts for this.

Otherwise try 

System - SSL Redirect Plugin on JED

This worked in some instances and not in others, but see what works for your server configuration.

Unfortunately, this plugin also STAYS in SSL mode when going from ssl to other unrequired ssl pages.

So try my above code if this plugin is not working the way it should.

Also, for my template code changes, I've turned off "Enable SSL for sensitive areas (recommended) " in the Virtuemart config and let the above do the work.

Redirect back to http Plugin from Kaizenmediaworks

The logic of the way to only do category and product details is because you do NOT want extra code running on every single page on your website.

Its a performance issue.

JS has only stopped working when I enabled SSL

I may have a bunch of CSS and JS which aren't secure.

How do I fix this?

Test what items are not secure

Go to the page that's not secure.

Turn on httpfox.

Then, refresh the page, and scroll looking for items with http only

  • https://addons.mozilla.org/En-us/firefox/addon/httpfox/

will help you find non secure items.

htaccess issue

Could be an htaccess issue.

Add a .htaccess file and change the server configurations to rewrite the URL's.

Stopping Google crawling https

Google sees https and http pages as separate "sites" and therefore re-crawls everything on a site as https and http regardless of the links you have "restricted" https to in Virtuemart or Joomla

This has negative consequences:

  • Creating main link as https for a product url
  • Creating dual product urls

Somebody surfs your website with https and then goes to Google, it will recognize the referring page and try to crawl it.

However, I assume the http/https duplicates are not a big issue with Google.

You can see how many of each Google has indexed if you search Google with this:

site:yourdomain inurl:http
site:yourdomain inurl:https

I guess that most shop holders would not want to serve up product and category pages via https and have Google index pages as such.

I guess owners could use the robots.txt "fix"

Disallow the bots from crawling the https version of your website by using .htaccess to serve two different robots.txt files. One for the secure https site, and one for the regular non-secure http site.

RewriteEngine on
RewriteCond %{SERVER_PORT} ^443$
RewriteRule ^robots\.txt$ robots_ssl.txt [L]

Then set a disallow in the robots_ssl.txt

Hmm - things to consider...

Matt Cutts provides an insight

  • http://www.youtube.com/watch?v=Cm9onOGTgeM

I have used .htaccess and a spefcific robots_ssl.txt to prevent https page indexing.

In .htaccess:
RewriteEngine on
RewriteCond %{SERVER_PORT} ^443$
RewriteRule ^robots\.txt$ robots_ssl.txt [L]

robots_ssl.txt would be:
User-agent: *
Disallow: /

Allows for https to be used for sensitive areas and stops google wandering!

I use this code for product, category, and article pages

/* Back to http */
if (JRequest::getVar('search')!='true'){
$uri = & JFactory::getURI();
         $comparethis = str_replace( 'https:', 'http:', $currentcheck );
      if ($comparethis !== $currentcheck){
       $app = JFactory::getApplication();
 $app->redirect($comparethis, null, null, true, true);

It redirects back to http

I use this code for cart, user pages etc.

$uri = & JFactory::getURI();
         $comparethis = str_replace( 'http:', 'https:', $currentcheck );
      if ($comparethis !== $currentcheck){
       $app = JFactory::getApplication();
 $app->redirect($comparethis, null, null, true, true);

It forces https

I will may adopt both approaches as the .htaccess and robots.txt method also prevents duplication of the index.php and all other joomla pages.


Some payment processors don't work with DV type SSL certificates such as Let's Encrypt if you are using one of these.