Wildcard SSL Certificates: Do You Actually Need One?

May 5, 2026


If your WordPress site is at www.yourdomain.com and nowhere else, you do not need a wildcard certificate. A single-domain certificate covers you. Move on with your day.

If you run blog.yourdomain.com, shop.yourdomain.com, members.yourdomain.com, and a handful of customer-specific subdomains, a wildcard becomes genuinely useful. This post covers where that line is, what a wildcard costs, and the free alternative most small sites can use instead.

A single trunk branching into six subdomain boxes, representing a wildcard certificate covering many subdomains
One certificate covers many subdomains, so long as they sit one level below the root.

What a wildcard covers, exactly

A wildcard certificate is issued for *.yourdomain.com. The asterisk matches any one level of subdomain. So blog.yourdomain.com, shop.yourdomain.com, and members.yourdomain.com are all covered by the same certificate.

What is not covered: yourdomain.com itself (that is the root, not a subdomain), and anything two levels deep like api.v2.yourdomain.com. If you need those, you pair the wildcard with a certificate for the root domain, or you buy a multi-level wildcard.

When a wildcard is worth the money

The practical answer is: when you have more than three or four subdomains you want to secure, and those subdomains come and go.

Typical cases: a SaaS product where each customer gets customer1.yoursaas.com, a WordPress multisite running sub-sites at subdomains, or an agency hosting several brand subdomains on one infrastructure. In those cases you issue one wildcard and stop thinking about SSL for that domain.

When you do not need one

Single WordPress site at www.yourdomain.com? No wildcard needed. A basic single-domain certificate (or the free one from Let’s Encrypt) covers you and costs nothing.

Even if you run two or three subdomains, you can issue a separate Let’s Encrypt certificate for each at zero cost. Management adds a bit of noise, but on a modern host it is all automated.

The free wildcard option

Let’s Encrypt does issue free wildcards, but with a catch: you must validate via DNS rather than via a file on the server. That means you or your host needs API access to your DNS provider to add a verification record.

Most modern control panels (and managed hosts) handle this for you. If your host does not, you will need a plugin or script to renew the wildcard every 90 days. Paid wildcards skip that hassle in exchange for the annual fee.

Paid wildcard prices, roughly

Typical paid wildcards sit between £50 and £200 per year, depending on the issuer and the warranty. DigiCert, Sectigo, and GeoTrust are the big names.

That price buys you longer validity (12-13 months vs 90 days for Let’s Encrypt), a warranty if the certificate is compromised, and a recognised brand on the issuer line. For a public-facing SaaS, that is often worth it. For a small business site, it usually is not.

How it fits into WordPress hosting

If you are on shared hosting, wildcards are usually an add-on costing extra per year. If you are on managed WordPress hosting, check whether the plan you are buying includes wildcards, and at which tier.

HostPoco’s hosting tiers include free SSL on every plan, and wildcards are handled for you on the Business and Commerce tiers without an extra bill.

Common wildcard gotchas

Three issues trip people up:

  • Wildcards only cover one level. If you have api.v2.yourdomain.com, the *.yourdomain.com wildcard will not cover it, because that name sits two levels below the root.
  • Wildcards do not usually cover the root domain. You need a SAN (subject alternative name) entry for yourdomain.com alongside the *.yourdomain.com wildcard.
  • Email on the same domain often needs a separate configuration, even if the wildcard technically covers mail.yourdomain.com.
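The one-level rule from "What a wildcard covers, exactly" and the first two gotchas above can be checked against a list of hostnames before you order a certificate. This is an added example, not code from the original post; the function names and the host inventory are hypothetical, built from the post's example names.

```python
def _labels(name):
    """Split a DNS name into lowercase labels, ignoring a trailing dot."""
    return name.lower().rstrip(".").split(".")

def san_matches(san, host):
    """True if one SAN dNSName entry covers host.

    The "*" must be the whole leftmost label and stands for exactly
    one label, never zero and never several.
    """
    s, h = _labels(san), _labels(host)
    if len(s) != len(h) or not all(h):
        return False          # different depth, or an empty label in host
    if s[0] == "*":
        if len(s) < 3 or any("*" in label for label in s[1:]):
            return False      # reject "*.com" and "*.*.example.com" shapes
        return s[1:] == h[1:]
    return "*" not in san and s == h

def uncovered(sans, hosts):
    """Hostnames that no SAN entry covers, in input order."""
    return [h for h in hosts if not any(san_matches(s, h) for s in sans)]

# Constructed inventory using the post's example names.
HOSTS = [
    "yourdomain.com",
    "www.yourdomain.com",
    "blog.yourdomain.com",
    "shop.yourdomain.com",
    "mail.yourdomain.com",
    "api.v2.yourdomain.com",
]
WILDCARD_ONLY = ["*.yourdomain.com"]
WILDCARD_PLUS_ROOT = ["*.yourdomain.com", "yourdomain.com"]

if __name__ == "__main__":
    for label, sans in (("wildcard only", WILDCARD_ONLY),
                        ("wildcard + root SAN", WILDCARD_PLUS_ROOT)):
        print(label, "->", uncovered(sans, HOSTS) or "all covered")
```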

Frequently asked questions

What does a wildcard SSL certificate cover?

A wildcard certificate issued for *.yourdomain.com covers any direct subdomain of yourdomain.com. It does not cover the root domain itself (yourdomain.com without a prefix) or subdomains two levels deep like api.v2.yourdomain.com.

Is a wildcard certificate more secure than a regular one?

No. The encryption is identical. A wildcard is a convenience feature, not a security upgrade. If anything, a compromised wildcard key affects more subdomains at once.

Can I get a free wildcard SSL certificate?

Yes, Let’s Encrypt issues wildcards for free, but they require DNS-based validation and renew every 90 days. Most modern managed hosts automate this.

How much does a paid wildcard SSL certificate cost?

Typically £50 to £200 per year, depending on the certificate authority and the warranty. DigiCert, Sectigo, and GeoTrust are the most common issuers.

Do I need a wildcard for WordPress multisite?

If your multisite uses subdomains, yes, a wildcard is the cleanest option. If it uses subdirectories (yourdomain.com/site1), a single standard certificate is enough.

Josh Morley

About the author

Josh Morley is a digital marketing specialist from Liverpool with extensive hands-on experience managing and optimising a large portfolio of websites across multiple hosting platforms. Having overseen everything from domain management and SSL configurations to full-scale hosting migrations, he has worked with a wide range of providers and complex multi-site setups. Josh brings a practical, performance-focused approach to hosting, ensuring websites remain fast, secure, and scalable while streamlining infrastructure across diverse environments.
