5 Tips to Prevent Domain Hijacking

It seems that domain name theft has been on the rise of late. Theo at DomainGang.com has done a good job of reporting on this, and I am sure there are many other cases that don’t get reported. Domain theft, also commonly known as domain name hijacking, can impact anyone who owns a domain name, and it has an especially negative impact on businesses whose domain names are used for commercial activity.

If a case of domain hijacking occurs, I recommend contacting the registrar immediately to see what they can do to help. You should also contact a lawyer with domain name expertise to help facilitate the expedient return of the domain name. The lawyer might be able to advise you on filing a report with the FBI and a local or state police report. There are other things that should be done, and a domain attorney is the best person to advise on these matters.

Listed below are 5 tips to better protect your domain names from having them stolen. If you can think of something else, you are welcome to add a comment.

Two factor authentication – Many domain registrars allow customers to have 2 factor authentication on their accounts, which adds a layer of protection. Some companies send a text message with a code after login, and others require customers to answer security questions.

Transfer lock – Some domain name registrars offer a free or premium service to add an additional lock to domain names in an account to prevent unauthorized transfers. The domain registrant needs to provide a special code or other type of confirmation in order to initiate outbound domain transfers.

Use different account names and passwords – If you have accounts at different domain registrars, it is important to ensure that your passwords are different at each registrar. You may also want to use different user names for your accounts. This may make it more difficult and time consuming for someone to access all domain names.

Change passwords – Change your passwords regularly. If someone steals a bundle of passwords and you happen to use the same email / password combination at your registrar, your domain names may be at risk. Changing your password regularly can help mitigate the risk.

Secure your Whois email account – Depending on the registrar, access to an email account might help a domain name thief take control over a domain registrar account. If the email account is compromised by a hacker, they could do a password reset and might gain access to the account.
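
As a companion to the transfer lock tip, here is an added example (not from the original post or any registrar) that audits a portfolio for the standard registrar lock statuses and for a transfer already in progress. It reads RDAP domain records, whose status strings follow the RFC 8056 mapping of EPP codes; the sample records are constructed, the function names are hypothetical, and a registrar's extra premium lock is not visible in this data.

```python
import json

# RDAP status strings (RFC 8056 mapping of the EPP client* lock codes).
LOCKS = {
    "client transfer prohibited": "registrar transfer lock",
    "client update prohibited": "registrar update lock",
    "client delete prohibited": "registrar delete lock",
}
# Statuses that mean something is already happening to the domain.
ALERTS = {"pending transfer", "pending delete"}

# Constructed sample RDAP domain objects, trimmed to the fields used here.
SAMPLE_RDAP = json.loads("""
[
  {"objectClassName": "domain", "ldhName": "EXAMPLE.COM",
   "status": ["client transfer prohibited", "client update prohibited",
              "client delete prohibited"]},
  {"objectClassName": "domain", "ldhName": "example.net",
   "status": ["active"]},
  {"objectClassName": "domain", "ldhName": "example.org",
   "status": ["client delete prohibited", "Pending Transfer"]}
]
""")


def audit_domain(rdap):
    """Return (domain, findings) for one RDAP domain object."""
    name = rdap.get("ldhName", "?").lower()
    # Normalise case and whitespace; servers are not consistent about either.
    statuses = {s.strip().lower() for s in rdap.get("status", [])}
    findings = []
    for status, label in LOCKS.items():
        if status not in statuses:
            findings.append(f"missing {label} ({status})")
    for status in sorted(ALERTS & statuses):
        findings.append(f"ALERT: {status}")
    return name, findings


def audit_portfolio(records):
    """Map each domain to its findings; an empty list means fully locked."""
    return dict(audit_domain(r) for r in records)


if __name__ == "__main__":
    for domain, findings in audit_portfolio(SAMPLE_RDAP).items():
        print(domain, "OK" if not findings else "; ".join(findings))
```

A "pending transfer" finding on a domain you did not move yourself is the case to raise with the registrar immediately.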

Elliot Silver
About The Author: Elliot Silver is an Internet entrepreneur and publisher of DomainInvesting.com. Elliot is also the founder and President of Top Notch Domains, LLC, a company that has closed eight figures in deals.


  1. 6.) If your domain is domaininvesting.com do not name your account “domaininvesting”. That is half of your login credentials right there.

    7.) Do not allow your browser to store your password for you at your registrar. Doing so would enable anyone with access to your computer (friend or a virus) to get into your account.

    8.) Never allow a business partner access to your domain registrar. Too many domain thefts come from business partnerships gone bad.

  2. Basic protocol on security must be followed, even when one is not a company but an individual.

    For example: never click on email links that ask you to log in to an authority account, such as PayPal, gmail, hotmail, Registrar portals (GoDaddy is notoriously being used as a fake destination.)

    Phishing via emails is the #1 method to obtain account credentials. Social engineering is the #2 most used method.

    Don’t forget certain registrars offer lock down options exceeding the auth code and two factor authentication, e.g. at Fabulous you can define a ruleset that unless provided manually to an account manager, no action is taken on a domain’s DNS requests etc. Some registrars may charge for such full lock-down of a domain.

    Passwords should be 12-20 characters that include symbols, upper/lower case letters and numbers; a smart password checker would not allow letters to form words, or number sequences to be common.

    An alternative: a very long, memorable phrase, with modified symbols, such as “MyGrandmaW3nt2TheStore+BoughtARabb1t”

    Lastly, never ever answer security questions factually. Just make sure you remember the answers, of course 😀

      • I only learn from what I’ve been taught by the “experts”. For example, domain security starts with your PC; once compromised, hack software can record your keystrokes, rendering passwords like “MyGrandmaW3nt2TheStore+BoughtARabb1t” completely useless. It’s easy to warn against phishing and opening files you don’t trust, but what about files that you do trust, like a text cleaner program developed by a trusted industry professional?

      • That’s a good reminder and something we should all keep in mind… Thank you.

        You can install the best alarm and locks on your house but if you leave your garage door open, your home is vulnerable.

      • Welcome to the “Troll” club Jeff, You need to understand that when you disagree, question, quote or critique anything where the intolerant will take offense, that is “Trolling” as defined on page 1 of Acrapedia.

      • Re: Jeff – When the messenger is attacked vs. the message, that’s not so hard to understand one’s motives and agenda. I’m quite used to this though, and it always comes from those that don’t know me.

        At least, Raider, you acknowledged the validity of my points in that other comment you left. There is some hope left.

      • “it always comes from those that don’t know me”

        LOL, I think the problem is they know you all too well.

        “At least, Raider, you acknowledged the validity of my points in that other comment you left. There is some hope left.”

        I understood the motive or reasoning behind it; that’s a far cry from agreeing where you advise domainers to lie to themselves. Horrible advice IMO, and you have a what? Oh yeah, an IT degree, I guess that makes it right…. You must have heard the term, “if you tell the truth you don’t need a good memory”; the opposite is true when you lie.

        I would advise users to form their own security questions that only they would know the answers to; it’s not like we share everything in our lives.

    • “Lastly, never ever answer security questions factually. Just make sure you remember the answers, of course”

      Brilliant, make up a lie and try to remember what we lied about. I think you should stick to satire, it’s more your speed.

    • Apparently you are trolling, but since you are challenging my background and IT degree in systems analysis, I’d like to hear yours. Provide a link so that the troll epithet can be removed.

      Correct, use your gray matter cells to devise, and remember, answers that aren’t true. This ensures no background check or social engineering can retrieve them.

  3. A security feature called DTVS (Domain Transfer Validation service) at GoDaddy is very useful. Once a transfer is started, an executive from GoDaddy will call your designated phone number, which he/she cannot see (could be your Mobile, Home or Office #), and ask for your PIN. Once you give out the PIN and say that you authorize the transfer (it is being recorded), it goes ahead.
    I am very satisfied with this feature. It delays the transfer by a few hours but is worth the hassle.

  4. “Secure your Whois email account” Before the Moniker migration, I transferred my business email domain, LouiseMarketing to a trusted Registrar, because it seems like good housekeeping, to have an email which depends on a different host than the one that houses all your domain names . . .

  5. There are a lot of pros and cons to whois privacy; the one I think is most beneficial is having the email address private. If the crooks don’t know where you live they can’t break in. And when replying to an inquiry, always use an address that differs from the administrative contact.

    “Brilliant, make up a lie and try to remember what we lied about”

    Kind of thought the same thing after I read that. As idiotic as it sounds, I know where he’s coming from: other people would know the answer or could find out. My response to that is: write your own questions that ONLY YOU would know the answers to, OR choose a question nobody else could possibly know and one that you would not share.

