Securing your domain name
How to protect your domain name from hijacking, unauthorized transfers, and DNS tampering — and what to do if something goes wrong.
Your domain name is one of the most valuable digital assets your business owns. If an attacker gains control of it, they can redirect your website, intercept your email, and impersonate your business. Domain hijacking can be devastating — and harder to recover from than most other security incidents.
Quick summary
Protect your domain by locking it at your registrar (prevents unauthorized transfers), enabling two-factor authentication on your registrar account, keeping your registrar account's email address current and secure, and enabling WHOIS privacy. Check your domain expiry dates and set your domains to auto-renew.
Why domain security matters so much
Your domain is the foundation of your web presence. If someone gains control of it:
- Your website can be pointed anywhere — including a phishing site
- Your email can be redirected, intercepted, or blocked
- Your business's online identity can be impersonated
- DNS records can be changed to serve malware to your visitors
- Recovery can take days or weeks, during which your business is severely impacted
Unlike a hacked website, a hijacked domain can affect everything: your site, your email, and any service that relies on your domain name.
Step 1: Enable domain lock (Registrar Lock)
Domain lock — also called Registrar Lock or Transfer Lock — prevents anyone from transferring your domain to another registrar without your explicit authorization. This is the single most important domain security step.
Most registrars enable this by default, but check yours:
- GoDaddy: Manage Domain → Additional Settings → Domain Lock
- Namecheap: Domain List → Manage → Domain Lock
- Cloudflare: Registrar → your domain → Domain Lock
The domain should show as "locked." If it shows "unlocked," lock it now.
Unlock only when transferring
Only unlock your domain when you are actively transferring it to a different registrar. Lock it again immediately after. You should receive an email confirmation whenever the lock status changes — that is your early warning if something is wrong.
Step 2: Turn on two-factor authentication on your registrar account
Your registrar account is the key to your domain. Protect it with 2FA.
All major registrars support 2FA:
- GoDaddy: Account menu → Login & PIN → 2-step verification
- Namecheap: Profile → Security → Two-Factor Authentication
- Cloudflare: My Profile → Authentication → Two-factor authentication
Use an authenticator app rather than SMS if both options are available. See How to set up two-factor authentication.
Step 3: Protect the email address on your registrar account
Your registrar account's email address is how you receive transfer authorization emails. If an attacker controls that email, they can authorize a domain transfer.
Ensure that email account:
- Has a strong, unique password
- Has two-factor authentication enabled
- Is not a free personal email that might be abandoned (use your business email)
- Is regularly monitored
Step 4: Enable WHOIS privacy
WHOIS is a public database that lists who owns every domain name. By default, your name, address, and email are publicly visible. This exposes you to targeted phishing and spam.
Most registrars offer WHOIS privacy protection (also called Domain Privacy or Privacy Protection) — it replaces your personal details with the registrar's generic details in the public record.
WHOIS privacy is typically free or low-cost. Enable it in your registrar's domain settings.
Step 5: Keep your domain from expiring
An expired domain goes up for public sale. Cybersquatters monitor for expired business domains and register them immediately, then charge large sums to sell them back.
Protect against this:
- Enable auto-renew on your domain
- Keep your billing information current with your registrar
- Set calendar reminders 60 and 30 days before expiry
Check your domain expiry date now: log into your registrar and look for the expiration date on your domain's management page.
Step 6: Know where your domain is registered
Many businesses lose track of which registrar holds their domain — especially after website rebuilds or ownership changes. If you're not sure:
- Check the confirmation emails from when the domain was registered
- Use a WHOIS lookup tool (search "WHOIS lookup" and enter your domain)
- Ask us — we often know or can find out
See How to find where your domain is registered.
DNSSEC: an additional layer
DNSSEC (Domain Name System Security Extensions) adds cryptographic authentication to DNS lookups — it ensures that when someone looks up your domain, they get your real DNS records and not a manipulated version. It protects against a specific attack called DNS cache poisoning.
DNSSEC is supported by most major registrars and is worth enabling for high-value domains. It is configured at both your registrar and your DNS provider. Ask us if you want this set up.
What to do if your domain has been hijacked
If you believe your domain has been taken over:
- Contact your registrar immediately — call their emergency support line if available. Time matters in domain recovery.
- File a complaint with ICANN (the international body that oversees domain names) via their complaint portal if your registrar is unresponsive.
- Gather evidence — screenshots, email records, domain history — to support your case.
- Contact us. We can help coordinate and advise on next steps.
Related guides
- What is a domain name?
- How to find where your domain is registered
- Who owns your domain
- Domain renewal — don't let it expire
- Two-factor authentication, explained