Domain Security Best Practices: Preventing Theft and Hijacking

By Corg Published · Updated

Domain theft is not theoretical. In 2020, attackers used social engineering against GoDaddy support staff to gain unauthorized access to accounts holding premium domains worth hundreds of thousands of dollars. In 2022, Squarespace migrated domains from Google Domains, and the transition process left some high-profile names temporarily vulnerable. Every domain portfolio is a target, and protecting it requires layered security that accounts for both technical attacks and human-factor exploits.

How We Selected: We evaluated options using market data, platform testing, and industry analysis. Our criteria covered platform reliability, transaction security, and market reach. All picks reflect editorial judgment; no brand paid for inclusion.

Registrar Account Security

Your registrar account is the single point of failure for your entire portfolio. If someone gains access to your registrar account, they can transfer, redirect, or delete every domain you own. Account security is not optional — it is the foundation everything else rests on.

Two-factor authentication (2FA) is mandatory. Enable it immediately on every registrar account. The strongest option is a hardware security key (FIDO2/U2F) like YubiKey, which resists phishing because the key binds the credential to the domain you are authenticating against, so a look-alike site cannot replay it. Namecheap, Dynadot, and GoDaddy all support hardware security keys. If hardware keys are not available, TOTP authenticator apps (Google Authenticator, Authy, 1Password) are the next best option. Avoid SMS-based 2FA, which is vulnerable to SIM-swapping attacks, where an attacker convinces your mobile carrier to transfer your phone number to a device they control.

Dedicated email address. Use a separate email address exclusively for registrar accounts. This email should not be used for any other purpose — no newsletters, no social media, no public-facing communication. Protect it with its own hardware key 2FA and disable SMS recovery options. If an attacker compromises your personal or business email, your registrar accounts remain isolated.

Strong, unique passwords. Use a password manager to generate and store unique passwords of 20-plus characters for each registrar. Never reuse passwords across registrars or other services. A password breach on an unrelated service should never give attackers a path to your domain portfolio.

Domain-Level Locks

Beyond account security, individual domains need their own protection layers.

Client Transfer Prohibition (registrar lock) is a status code that prevents your domain from being transferred to another registrar without explicitly removing the lock first. This is your first line of defense against unauthorized transfers. Enable clientTransferProhibited on every domain in your portfolio. Most registrars enable this by default, but verify it is active rather than assuming.

Registry lock (server lock) adds a second layer of transfer protection at the registry level rather than the registrar level. When registry lock is active, transferring or modifying the domain requires manual authorization from the registry operator (Verisign for .com and .net), typically involving a phone call and identity verification. The cost is approximately $75 per year per domain at most registrars. For domains worth $10,000 or more, registry lock is essential. The cost is trivial compared to the value it protects.

clientDeleteProhibited and clientUpdateProhibited are additional EPP status codes that prevent the domain from being deleted, or its registration (WHOIS/RDAP) records from being modified, without removing the lock first. Not all registrars expose these controls, but those that do provide an extra safety layer.

Monitoring for Unauthorized Changes

Security is not just about prevention — it is about detection. Even with strong locks in place, you should monitor your domains for unexpected changes.

Check RDAP records (the successor to WHOIS, available at lookup.icann.org) weekly for premium domains. Verify that the status codes you expect (clientTransferProhibited, and registry lock if enabled) are still present. If any status code disappears without your action, investigate immediately — this could indicate unauthorized account access.

Set up DNS monitoring to alert you when nameserver records change. Services like SecurityTrails, DomainTools, and even simple scripts using DNS lookup APIs can notify you within minutes when a nameserver delegation changes. An unexpected nameserver change could mean someone is redirecting your domain traffic.
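The two checks above (expected status codes still present, nameserver delegation unchanged) can be done by one small script run on a schedule. The example below is added here and is not from the article or any named vendor; it audits a constructed RDAP JSON record against an expected lock set and a baseline nameserver list. RDAP spells EPP codes as lower-case words (RFC 8056), so clientTransferProhibited appears as "client transfer prohibited"; the server* codes are how a registry lock shows up in the record.

```python
# Added example: audit an RDAP domain record for missing lock status codes
# and for nameserver changes. RDAP status vocabulary (RFC 8056) spells EPP
# codes as lower-case words: clientTransferProhibited -> "client transfer prohibited".
import json

# Locks expected on a protected domain. The server* code is what a registry
# lock (e.g. Verisign's for .com/.net) shows as; drop it for domains without one.
EXPECTED_STATUS = {
    "client transfer prohibited",
    "client delete prohibited",
    "client update prohibited",
    "server transfer prohibited",
}

def audit_rdap(record: dict, expected_status: set, baseline_ns: set) -> list:
    """Return human-readable alerts; an empty list means nothing changed."""
    alerts = []
    present = {s.lower() for s in record.get("status", [])}
    for code in sorted(expected_status - present):
        alerts.append(f"lock missing: {code}")
    # Nameserver names are case-insensitive; RDAP often returns them upper-case.
    current_ns = {ns["ldhName"].lower().rstrip(".")
                  for ns in record.get("nameservers", [])}
    for ns in sorted(current_ns - baseline_ns):
        alerts.append(f"unexpected nameserver added: {ns}")
    for ns in sorted(baseline_ns - current_ns):
        alerts.append(f"baseline nameserver removed: {ns}")
    return alerts

# Constructed sample (not a real lookup): a shortened RDAP response in which
# the transfer lock has been dropped and one nameserver has been swapped,
# the pattern a hijack in progress would produce.
SAMPLE_RDAP = json.dumps({
    "objectClassName": "domain",
    "ldhName": "example.com",
    "status": ["client delete prohibited", "client update prohibited",
               "server transfer prohibited"],
    "nameservers": [
        {"objectClassName": "nameserver", "ldhName": "NS1.EXAMPLE-DNS.NET"},
        {"objectClassName": "nameserver", "ldhName": "NS9.ATTACKER-EXAMPLE.NET"},
    ],
})
BASELINE_NS = {"ns1.example-dns.net", "ns2.example-dns.net"}  # recorded when healthy

def sample_alerts() -> list:
    """Run the audit over the constructed sample record."""
    return audit_rdap(json.loads(SAMPLE_RDAP), EXPECTED_STATUS, BASELINE_NS)

if __name__ == "__main__":
    for line in sample_alerts():
        print("ALERT", line)
```

In a scheduled job, replace SAMPLE_RDAP with the JSON body returned by the registry's RDAP service for each domain and treat any non-empty result as something to investigate the same day.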

Monitor registrant and administrative contact fields for unauthorized modifications. Under ICANN’s 2025 transfer policy update, a change of registrant triggers a 60-day transfer lock unless both the old and new registrant agree to waive it. Attackers who modify your registrant information may be staging a transfer.

Distributing Risk Across Registrars

Do not keep your entire portfolio at a single registrar. If that one registrar suffers a breach, account lockout, or policy dispute, your entire business is at risk. Distribute your domains across two or three reputable registrars. Keep your highest-value names at the registrar with the strongest security features (hardware key support, registry lock availability), and distribute the rest based on pricing and management features.

This distribution also protects against registrar-specific risks like business closure, ICANN accreditation issues, or acquisition by a company with different policies. When Tucows acquired Hover, when GoDaddy acquired Afternic, and when Squarespace absorbed Google Domains, some investors found their domains subject to new terms and interfaces they did not choose.

Social Engineering Defense

The GoDaddy incidents demonstrated that technical security can be bypassed through human manipulation. Registrar support staff, despite training, can be deceived by convincing pretexters who gather enough personal information to pass identity verification.

Minimize the information available to social engineers. Use WHOIS privacy on every domain. Keep your registrar account details (username, associated email) private. Do not publicly associate specific domains with your registrar accounts on forums or social media.

Some registrars offer account notes or verbal PINs that support staff must verify before making account changes. If your registrar offers this feature, enable it with a unique passphrase that would be difficult for a social engineer to guess or obtain.

Incident Response Plan

Despite best efforts, domain theft can happen. Having a response plan reduces recovery time from weeks to days.

Know your registrar’s emergency contact process. Namecheap, GoDaddy, and Dynadot all have abuse reporting channels and emergency support lines. Keep these contacts documented and accessible outside of your registrar account.

If you detect unauthorized changes, immediately contact your registrar’s security team. File a complaint with ICANN through their Transfer Dispute Resolution process. If the domain has already been transferred to another registrar, contact that registrar as well with evidence of your ownership. Document everything: screenshots, WHOIS history, account access logs, and correspondence.

For domains worth significant amounts, consider keeping physical records (printed WHOIS history, purchase receipts, registration confirmation emails) in a secure location separate from your digital files.

For technical details on how domain transfers work and where vulnerabilities exist, see how domain transfers work technically. For monitoring tools that help detect unauthorized changes, check out domain monitoring automation.