How to Secure Your Domain Registrar
Domain hijacking is real. Most hijacks happen because the registrar account wasn't protected.
Last updated: March 20, 2026
Your domain name is your business identity on the internet. yourcompany.com points to your website, your email, your online presence. Lose control of it, and someone else controls all of that.
Domain registrar hijacking happens. It's not a theoretical risk. Here's what it looks like and how to stop it.
What Domain Hijacking Looks Like
The Compromise
Attacker obtains your registrar account credentials (phishing, data breach, password reuse). Logs in. Changes your nameservers to point your domain to their servers. Now they receive all your email. Your website shows their content. Your customers are redirected to a phishing page or a competitor's site.
The Transfer Scam
Attacker calls your registrar pretending to be you. "I lost access to my account, please help." Provides enough information to convince support (often obtained from LinkedIn, company websites, or WHOIS records). Registrar transfers the domain to another registrar. You lose it.
The Expiration Grab
You forget to renew. Domain expires. Automated systems or domain tasters pick it up within the grace period. Now someone else owns yourcompany.com. They demand money to return it—or they use it for phishing, competitive domains, or resale to your biggest competitor.
The BGP Hijack (Advanced)
More sophisticated: attackers reroute network traffic for your IP address at the internet routing level. This is rare but has happened to healthcare systems, telecom providers, and major websites. It requires BGP security (RPKI, ROA) to prevent.
Why SMBs Are Targets
Weak security posture
Small businesses often use simple passwords, share account credentials, and don't enable MFA on registrar accounts. Registrars are not considered "critical" by most SMB owners.
High value
A domain for a recognizable business is worth money. Domainers (people who buy and sell domains) monitor expiring domains. Attackers register recently-expired domains of small businesses that didn't renew.
Low visibility
Many SMB owners don't check their domain status regularly. Hijacks can go unnoticed for weeks, especially if the attacker sets up email forwarding rather than a full redirect.
What Can Go Wrong
"We didn't know until customers called"
Your website's been redirected for 3 days. Customers trying to find you see a blank page or competitor's site. You've lost business you don't even know about.
"The attacker set up email forwarding"
They changed your nameservers to receive email. For two weeks, all emails to your company go to their address. Customer inquiries. Vendor invoices. Password resets. They have everything.
"Domain recovery cost $8,000"
You hired a lawyer and a domain recovery service. ICANN dispute resolution takes weeks. Meanwhile, your email is in limbo. You might not get it back at all.
"We paid the ransom"
Attacker demanded $5,000 to return the domain. You paid it. Now you're on their radar for future targeting.
What It Costs
- Registrar lock: $0 (most registrars include this free)
- MFA on registrar account: $0 (included by most registrars)
- WHOIS privacy: $0-$10/year (some registrars include free privacy)
- Domain monitoring: $0-$10/month (services like DomainTools, CrowdStrike)
- DNSSEC: $0 (supported by most registrars)
Recovery costs (if you're hacked):
- Domain recovery service: $1,000-$10,000+
- Legal fees: $2,000-$20,000+
- Lost business during downtime: Varies widely
- Brand damage: Hard to quantify
- ICANN dispute resolution: $1,500-$5,000 filing fee (no guarantee of success)
Minimum Viable Implementation
Today (15 minutes)
- Find your registrar. Check your email for domain registration receipts. Search "whois" for your domain. You need this information before you can secure anything.
- Log into your registrar account. If you can't log in, recover the password now. If you don't receive the password reset email, you have a bigger problem—your contact email may be wrong.
- Enable MFA. Every registrar worth using supports MFA. If yours doesn't, transfer your domain to one that does (Cloudflare, Namecheap, Google Domains).
- Enable registrar lock. Also called "transfer lock" or "domain lock." This prevents unauthorized transfers to another registrar.
This Week
- Check your contact information. WHOIS shows your public contact info. Make sure the email address is correct and monitored. Use a dedicated email address for registrar communications, not your main business email (in case that domain gets hijacked).
- Review your nameservers. These control where your domain points. If you don't recognize them, investigate immediately.
- Enable DNSSEC. This prevents DNS spoofing attacks. Most registrars have a checkbox for this in domain settings.
This Month
- Set renewal reminders. Calendar reminders 60 days, 30 days, and 7 days before expiration. Or enable auto-renewal—but keep the reminders.
- Document your DNS. Screenshot your DNS records. Store them somewhere safe. If someone changes your DNS, you'll want to know what it should be.
- Consider WHOIS privacy. This hides your personal information from public WHOIS lookups. Most registrars charge $0-$10/year. Some include it free.
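The lock, nameserver, DNSSEC and renewal checks from the steps above can be run against the registration data that registries publish over RDAP (the structured successor to WHOIS). The following is an added example, not part of the original article: the sample response, the baseline and the function name are constructed for illustration, and the status string and field names follow the RDAP JSON format (RFC 9083).

```python
import json
from datetime import datetime, timezone

# Constructed RDAP domain response (RFC 9083 shape); values are illustrative only.
SAMPLE_RDAP = json.loads("""
{
  "ldhName": "yourcompany.example",
  "status": ["active"],
  "events": [{"eventAction": "expiration", "eventDate": "2026-04-02T10:00:00Z"}],
  "nameservers": [{"ldhName": "NS1.UNKNOWN-HOST.EXAMPLE"}, {"ldhName": "ns2.dnshost.example"}],
  "secureDNS": {"delegationSigned": false}
}
""")

# Hypothetical baseline: what you documented when the domain was known-good.
BASELINE = {"nameservers": {"ns1.dnshost.example", "ns2.dnshost.example"}, "renew_warn_days": 60}


def audit_domain(rdap, baseline, now):
    """Return a list of findings for one parsed RDAP domain object."""
    findings = []
    # Registrar lock appears in RDAP as the status "client transfer prohibited".
    statuses = {s.lower() for s in rdap.get("status", [])}
    if "client transfer prohibited" not in statuses:
        findings.append("transfer lock not set")
    # Compare delegated nameservers to the documented set (hostnames are case-insensitive).
    live = {ns["ldhName"].lower().rstrip(".") for ns in rdap.get("nameservers", [])}
    for ns in sorted(live - baseline["nameservers"]):
        findings.append(f"unexpected nameserver: {ns}")
    for ns in sorted(baseline["nameservers"] - live):
        findings.append(f"missing nameserver: {ns}")
    if not rdap.get("secureDNS", {}).get("delegationSigned", False):
        findings.append("DNSSEC delegation not signed")
    # Expiration: a missing date is itself a finding, not a pass.
    expiry = next((e["eventDate"] for e in rdap.get("events", [])
                   if e.get("eventAction") == "expiration"), None)
    if expiry is None:
        findings.append("no expiration date in response")
    else:
        days = (datetime.fromisoformat(expiry.replace("Z", "+00:00")) - now).days
        if days < baseline["renew_warn_days"]:
            findings.append(f"expires in {days} days")
    return findings


if __name__ == "__main__":
    for finding in audit_domain(SAMPLE_RDAP, BASELINE, datetime.now(timezone.utc)):
        print("FINDING:", finding)
```

To use it on a real domain, pass the JSON returned by your registry's RDAP service in place of the sample and run it on a schedule, so a changed nameserver or a dropped lock shows up as a finding rather than a customer call.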
Vendor Questions (Copy/Paste)
- "What MFA options do you support? Can we require it for all users on the account?"
- "What's your process for preventing unauthorized transfers? Do you require verification beyond account credentials?"
- "If someone calls claiming to be me and asks to transfer my domain, what verification do you require?"
- "What's your response time if we report unauthorized changes to our domain?"
- "Do you offer DNSSEC? If so, how do we enable it?"
- "What's your grace period for expired domains? When does the domain become available for others to register?"
When to Hire Help
DIY-friendly if:
- Single domain
- Using a reputable registrar (Cloudflare, Namecheap, Google Domains)
- Comfortable enabling MFA and registrar lock yourself
- No previous security incidents
Get professional help if:
- You've already had a security incident
- Complex DNS setup (multiple domains, custom records)
- No one on staff knows what nameservers are
- Using a registrar with poor security features
- You've received suspicious calls or emails about your domain
Warning signs you need help now:
- You received an unexpected domain transfer notification
- Your website or email stopped working with no explanation
- Customers report seeing different content when they visit your site
- You've received calls from your registrar about changes you didn't make
- You can't log into your registrar account and password recovery isn't working