Best practices to secure your domains
Your domain names are valuable. Losing access to — or ownership of — a domain name you use for your website and email could be catastrophic to your business.
With thieves regularly trying to crack into email accounts and domain name registrars, it’s essential to take steps to protect your domain names.
Here are some things you can do to protect your domain names.
Turn on registrar lock
By default, make sure all of your domain names have registrar lock turned on. As long as registrar lock is activated, thieves can’t request that a domain name be transferred. The thief will have to get access to your registrar account and turn off the registrar lock before transferring a domain.
A domain with registrar lock on works just like any other domain; the lock only prevents it from being transferred to another registrar.
Use a safe and secure email account
Your domain name registrar account, and each domain name, are tied to your email address. It’s important to follow good email security practices to protect your domains.
In fact, many domain name thefts start with the hacker gaining access to an email account and then using this to get access to the domain registrar.
Historically, domain name owners were encouraged to use a different email address for their contact information than what they use to log into their domain registrar account. Whois disclosed the contact’s email address, so people who wanted to steal a domain would first try using the email address listed in Whois.
Now, Whois privacy makes it harder to figure out who owns a domain and which credentials would get a thief into the registrar account.
It still makes sense to use a different email account for logging into your registrar than one associated with your domain name. This makes it harder for thieves to guess the credentials of your account or which email account they need to hack to steal a domain name. And if your domain is stolen, you won’t necessarily lose access to your email at the same time.
Some people suggest that you shouldn’t use a free email account for your domain names. However, free email services like Gmail can be more secure than other email services. Gmail offers various types of two-factor authentication so you can lock down access to your email account.
However, you need to make sure your email address remains active. Some free email services cancel your email address after a long period of non-use. Make sure that the email you use for domain names is one you check regularly. This will prevent the account from being canceled and ensures that you see any notifications about your domains.
Speaking of email addresses being canceled, if you choose to use an email address tied to one of your domains, make sure that domain doesn’t expire. This would allow an attacker to register the domain, re-create your email, and log into your account.
Use two-factor authentication
Yes, two-factor authentication means more work for you. But it also means a lot more work for thieves.
Consider what could happen if a thief breaks into the email account you use to log into a site like Namecheap. They can do a password reset to get access to your account. Two-factor authentication will foil them unless they also have access to your two-factor device.
Namecheap offers three levels of two-factor authentication:
- Text message – Namecheap sends a text message with a one-time code when you access your account.
- App authentication – You look up a rotating code in an authenticator app on your phone.
- U2F – This requires a physical key that you insert into your computer.
Text message authentication is the least secure of the methods. Someone with access to your phone, or who can take over your phone number, can intercept the text message that contains your one-time code. App authentication is better, and U2F is the gold standard for security. You can buy a U2F key for about $25.
Here are instructions for setting up two-factor authentication with a U2F key in your Namecheap account.
Manage your domains yourself
There are many things you need to do to manage your business, so it’s natural to delegate domain management to an employee. But this is one task you shouldn’t delegate. If at all possible, manage your company’s domains yourself.
A disgruntled employee who has access to your domain registrar account can easily steal your domains. Even a happy employee who leaves your company on good terms can cause a hassle if your domains are registered in their name.
If you must let employees manage your domain names, make sure the domains are registered in the company’s name instead of the employee’s name. If they are registered in the employee’s name, then your employee “owns” the domains, not your business.
Be vigilant if you outsource your IT management or website to another company. There are many stories of web design companies holding domains hostage and asking their client to pay more money to get control of them. Or, the owner of the outsourced firm might die or become incapacitated, leaving you without access to your domain.
So, at a minimum, make sure that your domains are registered and accessible only to people at your company. Ideally, you (the business owner) are the only one with access to the domains.
Use a domain monitoring service
Domain monitoring services keep an eye on your domains and alert you if anything changes. These services can alert you if registrar lock is turned off, the nameservers change, the domain is pending transfer to another registrar, the registrar changes, or if any information in Whois changes. (Namecheap offers free Whois privacy, so you should not expect there to be any changes to owner information in Whois.)
Domain monitoring services typically charge a monthly fee. It might seem expensive to pay $25 or so a month to monitor a domain name or two. The services are more valuable if you have lots of domains to monitor.
DomainIQ is a service that offers affordable domain monitoring.
Log into your registrar account
Many people don’t realize their domains have been stolen until months (and sometimes years!) after the theft occurs. Like thefts of physical items, the longer the time before you notice it, the harder it is to recover the property.
In the case of domain names, a thief might transfer the domain to one registrar and then another, making it harder to claw the domain back.
The solution is to make sure you log into your domain registrar account from time to time. Perhaps set a monthly check-in reminder on your calendar. During this check-in, make sure all of your domains are still in your account and none of your registration information has changed.
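As an added illustration of the alerts described in the monitoring section and of this monthly check-in (example code written for this post, not a DomainIQ or Namecheap tool), the Python below reduces a constructed RDAP answer for a domain to the fields worth baselining, compares it with a saved baseline, and reports the same drift a monitoring service would: registrar lock removed, transfer pending, registrar or nameservers changed, and an approaching expiration. The RDAP record, the baseline and the "today" date are all constructed.

```python
from datetime import date, datetime
TODAY = date(2026, 1, 15)  # constructed "now" so the example is reproducible

# Constructed baseline: the domain as recorded at the last known-good check-in.
BASELINE = {
    "registrar": "example registrar inc",
    "statuses": {"clienttransferprohibited", "clientupdateprohibited", "clientdeleteprohibited"},
    "nameservers": {"ns1.example-dns.net", "ns2.example-dns.net"},
    "expires": date(2030, 1, 15),
}

# Constructed RDAP answer (RFC 9083 shape) for the same domain today: lock gone, transfer pending, new nameservers.
CURRENT_RDAP = {
    "ldhName": "example.com",
    "status": ["pending transfer", "client delete prohibited"],
    "nameservers": [{"ldhName": "NS1.CHANGED-DNS.INVALID"}, {"ldhName": "NS2.CHANGED-DNS.INVALID"}],
    "entities": [{"roles": ["registrar"], "vcardArray": ["vcard", [["fn", {}, "text", "Other Registrar LLC"]]]}],
    "events": [{"eventAction": "expiration", "eventDate": "2026-03-01T00:00:00Z"}],
}

def norm(status):
    """RDAP spells it 'client transfer prohibited', WHOIS clientTransferProhibited; compare one form."""
    return status.replace(" ", "").lower()

def summarize(rdap):
    """Reduce an RDAP domain object to the fields a monitoring service baselines."""
    registrar = ""
    for ent in rdap.get("entities", []):
        if "registrar" in ent.get("roles", []):
            registrar = next(p[3] for p in ent["vcardArray"][1] if p[0] == "fn").lower()
    expires = next((datetime.strptime(ev["eventDate"], "%Y-%m-%dT%H:%M:%SZ").date()
                    for ev in rdap.get("events", []) if ev.get("eventAction") == "expiration"), None)
    return {
        "registrar": registrar,
        "statuses": {norm(s) for s in rdap.get("status", [])},
        "nameservers": {ns["ldhName"].lower() for ns in rdap.get("nameservers", [])},
        "expires": expires,
    }

def check_drift(base, cur, today=TODAY, warn_days=60):
    """Return the alerts the post lists: lock off, pending transfer, registrar/nameserver change, expiry."""
    exp = cur["expires"]
    checks = [
        ("clienttransferprohibited" not in cur["statuses"], "registrar lock is OFF"),
        ("pendingtransfer" in cur["statuses"], "domain is pending transfer to another registrar"),
        (cur["registrar"] != base["registrar"], f"registrar changed: {base['registrar']} -> {cur['registrar']}"),
        (cur["nameservers"] != base["nameservers"], f"nameservers changed: {sorted(cur['nameservers'])}"),
        (exp is not None and (exp - today).days <= warn_days, f"expires {exp}, within {warn_days} days"),
    ]
    return [msg for hit, msg in checks if hit]
```

To use this on a real domain, fetch the JSON from the registry's RDAP endpoint and pass it to summarize() in place of the constructed record, then run check_drift() on a schedule against the baseline you saved at your last check-in.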
Practice good password hygiene
It might seem like this goes without saying, but it’s one of the most overlooked parts of securing your domain names.
First, start with a good password. It shouldn’t be easy to guess. It shouldn’t include your name, part of your email address, or any of the keywords from your domains.
Second, make sure the password is unique to your registrar account. Don’t re-use passwords. If a hacker gets access to your email address and password through a breach at another website, they will try to re-use these same combinations at other services.
Renew in advance
Even if you practice good security, it’s important to stay on top of your domain name renewals. Your domain can expire if you don’t have a valid credit card on file. This often happens when you cancel a card or it expires.
Renew your important domains for up to ten years in advance to limit the chances of expiration, and periodically check that your card on file is still valid.
Be safe online
It would be nice if we didn’t have to think about security when online. But it’s a fact of life. People who don’t practice good online security are more susceptible to being hacked, losing their domain names, and being identity theft victims.
While practicing good online safety can be inconvenient, it’s far less inconvenient than having the domain name you depend on for web sales and email stop working.
Get started securing your domains today. Log into your account and make sure registrar lock is on. Then consider taking some of the other steps in this post.