Online security has become quite an issue these days. News outlets report security breaches, data leaks and various online crimes every week. If you own a website, this is definitely something you should not neglect. You probably generate backups of your content and update the site software as often as necessary, but have you thought about protecting your domain name?
Unfortunately, domain theft is not as uncommon as you may think. No number of backups can make up for losing a domain, and such a loss can have a detrimental effect on your business. Not only will you lose time and money recovering the name, but you can also lose the trust of your customers.
This is why we have compiled a few practical tips that will help you keep your domain names safe. As the vast majority of existing domains are created with generic top-level extensions, some of these tips apply only to them, and not to country-code extensions. Most tips will apply to a domain with any extension though, so you can check them out.
- Keep your contact information up-to-date and valid
- Enable WHOIS protection if available
- Use a unique email address for your domain account
- Use unique email addresses for the Registrant and the Admin contacts
- Set a strong password
- Use two-factor authentication (2FA)
- Keep your domain name active…
- … but beware of fraudulent domain renewal notices
- In conclusion
Keep your contact information up-to-date and valid
The above applies to both your account details and to the WHOIS information of your domain names. If anything happens and you lose access to the account where your domain is registered, the registrar company will have to validate your identity so as to reset the login credentials and give you access. This will not be possible if you initially provided fake information for whatever reason.
The same applies to the domain names you have – in the unfortunate event of one of them being stolen, it will be much harder to prove that the name was yours if its contact information was not yours. Even if you are worried about privacy, do not be tempted to use a temporary email address or fake details under any circumstances.
Enable WHOIS protection if available
If you do not want your personal details to be visible, you can add a WHOIS privacy service that will hide your contacts from the public eye. In terms of security, the advantage of keeping your information private is that you can prevent a third party from impersonating you. Identity theft has been a very serious issue lately. The more personal information someone can find about you online, the easier it will be for them to pretend they are you. In turn, this can help them get access to your domain account.
A lot of registrar companies offer WHOIS privacy for free. All generic top-level domains support this service, so you can hide your contact details easily. As mentioned above, you should not provide fake information as this may cause you more harm than good.
GDPR
If you are a citizen of a member state of the European Union, this is one less thing to worry about. Since the General Data Protection Regulation came into force in 2018, registrar companies have been hiding the contact information of the domain names registered through them by citizens of the EU. Anybody who prefers that their information be public can opt out of this protection.
Use a unique email address for your domain account
If you use emails in your daily communication and/or you have posted your email address on different websites, it is likely that some automatic bot may have picked it up. As a result, your email address may be on some spam list. If you receive some unwanted messages every now and then, this is the most probable reason. While some spam messages are annoying but harmless, others include links to fake websites that are designed to steal your personal information or your login credentials for different platforms.
This is the reason why having a unique email address that you use solely for your domain management account is a good idea. If it is not a public address and you do not use it for any other purpose, you will greatly reduce the chance of receiving any spam messages in that mailbox. You will also know that any domain-related emails you will receive there should be legitimate as the registrar company will be the only one that will have this specific email address. Of course, if you have any doubts whether a message you receive is legitimate, do not hesitate to contact the company before you take any action or click any link.
How to check if your email address has been compromised?
https://haveibeenpwned.com/ is a popular online service that allows you to check if your email address has been compromised in a data breach. You can also sign up for the service and receive a notification if your address is found in a future breach.
Use unique email addresses for the Registrant and the Admin contacts
If an unauthorized third party gets hold of your account, they will probably try to transfer your domains to a different registrar company. In order to do that, they will need a transfer key, which is also known as an EPP code or a domain password. Some registrars will display the code within the domain account, but in the general case, the code is sent to the Registrant email address for the domain. If that code is correct and the name is not locked, a transfer to any other registrar company can be initiated. As an additional security measure, the new company will send a confirmation link to the Administrative email address for the domain name. If the transfer is not approved via that link, it will fail.
As you may notice, two different domain contacts are involved in a transfer. If they share the same email address, it will be much easier for a third party to transfer your domain if they get access to this mailbox. Using different addresses will prevent such a scenario from happening. Of course, there are domain extensions that do not have a transfer code or can be transferred without an explicit approval via email. Even then, it is a good idea to use a unique email address for the domain contact instead of your everyday email address.
Set a strong password
As trivial as this piece of advice may sound, a lot of people still use short and simple passwords. If you still use something like “123456”, “password”, “qwerty” or “abc123”, you may as well make your login credentials public. You should always use a long and complex password – use lower- and upper-case letters, numbers and special characters. If the domain company allows it, you can also use longer phrases with blank spaces in them. Use a unique password that you do not use for any other website or service. If you use the same password on multiple websites, you risk getting all of your accounts hacked if only one of the websites suffers a security breach.
You can see the top ten most common passwords found in data leaks in 2019 below. The information is taken from https://nordpass.com.
Use two-factor authentication (2FA)
When it comes to online security, using two-factor authentication is a must. This method adds a second layer of protection to your domain account on top of your password. In the general case, when you enter your standard login credentials, you will have to enter an additional token. Without it, you will not be able to log in and manage your domains. This way, even if your password gets compromised, the hacker will not have access to your account. Depending on the company you use, you may come across different 2FA options:
- Enter a pre-defined answer to one of a handful of questions – your maiden name, the name of your first school, the name of your pet, etc. Any of these questions will appear randomly.
- Enter a permanent PIN code. This one acts as a second password as it stays the same until you decide to change it.
- Enter a time-based token. Known as TOTP (time-based one-time passcode), this is the most popular form of 2FA. An application on your phone or an extension in your favorite web browser generates a unique token that changes every 15-60 seconds. You have to enter the token when prompted. It is better that you use a phone app as this will make it extremely hard for anybody to hack your account. Not only will they have to know your login credentials, but they will also need access to your phone.
- SMS-based OTP (one-time passcode). Similar to the tokens mentioned above, but with this form of two-factor authentication, the provider sends you a unique token via SMS every time you want to log in to your account.
- Push notifications. With this type of authentication, an app or a website can send you a notification directly to your phone. You can approve the account login attempt with a finger touch. Since no actual information is sent and nothing can be intercepted by a third party, this is considered to be one of the safest forms of two-factor authentication. The only one that is more secure involves using biometric data (fingerprints, facial recognition) and it is not used by domain registrars.
If you would like to take the security of your domains a step further, you can use an email provider with two-factor authentication as well. This will make it much harder for anybody to get access to your account or domain contact email addresses.
Keep your domain name active…
You will be amazed how many people simply forget to renew their domain name. In the best-case scenario, if you let your domain expire, your website will stop loading. Instead, the domain will open a default page from the registrar’s system until you renew it. If you leave it like that for more than a couple of months though, the registrar will delete it or auction it. You are considered to have given up your ownership rights if you do not renew the domain for such a long time, so it will no longer be your domain. Getting such a domain back may be quite a lengthy process, or may not be possible at all. In the unfortunate event of somebody else registering the name, you can check our article on how to acquire an existing domain name.
In order to make sure that this does not happen, you should always keep an eye on your domain’s expiration date. You should renew it well in advance so as to have enough time to react if something unforeseen happens – if you are on a trip or if there is some problem with the payment, for example. If the domain is valuable, you can renew it for a few years in advance. Alternatively, if the registrar company supports recurring payments, you can activate this option for your domain name.
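The expiry reminder described here, and the registrar lock mentioned in the transfer section above, can both be checked from a domain's WHOIS record. The following Python audit is an added example (not the article's or ICDSoft's code); the WHOIS record is constructed for a fictitious domain and the field names follow common registry conventions, which vary, so the key list is an assumption you may need to extend.

```python
from datetime import datetime, timezone

# Constructed WHOIS record for a fictitious domain; not the output of a real lookup.
SAMPLE_WHOIS = """\
Domain Name: EXAMPLE-SHOP.COM
Registrar: Example Registrar, Inc.
Creation Date: 2015-05-02T08:12:44Z
Registry Expiry Date: 2024-05-02T08:12:44Z
Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
"""

# Registries label the expiry field differently; extend as needed for your TLDs.
EXPIRY_KEYS = ("Registry Expiry Date", "Registrar Registration Expiration Date",
               "Expiration Date", "Expiry Date", "paid-till")
DATE_FORMATS = ("%Y-%m-%dT%H:%M:%SZ", "%Y-%m-%d", "%d-%b-%Y")


def parse_date(value: str) -> datetime:
    """Try the known date layouts and return an aware UTC datetime."""
    for fmt in DATE_FORMATS:
        try:
            return datetime.strptime(value.strip(), fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            continue
    raise ValueError(f"unrecognised date: {value!r}")


def parse_expiry(whois_text: str) -> datetime:
    """Locate the expiry line in a WHOIS record and parse its date."""
    for line in whois_text.splitlines():
        key, sep, value = line.partition(":")
        if sep and key.strip() in EXPIRY_KEYS:
            return parse_date(value)
    raise ValueError("no expiry date found in WHOIS record")


def transfer_locked(whois_text: str) -> bool:
    """True when the registrar lock (EPP status clientTransferProhibited) is set."""
    return "clientTransferProhibited" in whois_text


def audit_domain(whois_text: str, now: str, warn_days: int = 60) -> dict:
    """Produce what a renewal-reminder job needs: days left, lock state and findings."""
    expiry = parse_expiry(whois_text)
    days_left = (expiry - parse_date(now)).days
    findings = []
    if days_left < 0:
        findings.append("EXPIRED: domain is past its expiry date, renew immediately")
    elif days_left <= warn_days:
        findings.append(f"renew soon: {days_left} days until expiry")
    if not transfer_locked(whois_text):
        findings.append("no registrar transfer lock: enable clientTransferProhibited")
    return {"expiry": expiry.isoformat(), "days_left": days_left,
            "locked": transfer_locked(whois_text), "findings": findings}
```

Run `audit_domain` on a scheduled basis against each domain you own and alert on any non-empty findings list; feeding it real WHOIS output is left to your lookup tool of choice.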
Noteworthy domain expirations
Passport.com - expired in 1999 (owned by Microsoft)
Hotmail.co.uk - expired in 2003 (owned by Microsoft)
Foursquare.com - expired in 2010 (owned by Foursquare)
Dallascowboys.com - expired in 2010 (owned by the US football club)
Yatra.com - expired in 2013 (one of the most popular travel sites in India)
… but beware of fraudulent domain renewal notices
While you should make sure that your domain does not expire, you should also beware of fake renewal notices. Every now and then, you may receive fake emails that will try to trick you into thinking your domain is about to expire. Such emails are sent by shady companies and often talk about domain-related services, not about the actual domain. The wording in these messages is confusing on purpose and unfortunately, some domain registrants fall for them and willingly transfer their domains to these companies. As we suggested in the very beginning of this article, you should always contact your registrar company if you have any doubts regarding any domain-related notification you receive.
In conclusion
Your domains are valuable assets to your online presence and securing them is definitely not something you should neglect. We hope that the above-mentioned tips will help you protect them from unauthorized access.
If you decide to become an ICDSoft partner, you will use our in-house built Account Panel to manage your domains. The Account Panel does not accept weak passwords, so it will not allow you to set easy-to-guess login credentials by accident. For additional security, you can easily enable two-factor authentication for the account. We also offer free WHOIS protection for all domains that support this feature, and you can activate it with a click. In this regard, we have helped thousands of domain owners keep their domains safe through the years.