
How to Prevent Domain Hijacking With Registrar Security

Domain hijacking is the unauthorised transfer or takeover of a domain name. When it happens, the attacker gains control over everything tied to that domain — your website, email, subdomains, and SSL certificates. Recovery is slow, expensive, and sometimes impossible.

The good news: most domain hijacking is preventable with a small number of well-configured security settings at your registrar.


How Domain Hijacking Happens

Understanding the attack vectors helps you prioritise defences:

Registrar account compromise — The most common vector. An attacker gains access to your registrar account (via phishing, password reuse, or weak credentials) and makes direct changes. Once inside, they can change nameservers, initiate a transfer, or modify WHOIS contact details.

Social engineering the registrar — The attacker contacts the registrar's support team, impersonates the domain owner, and convinces support to make account changes or initiate a transfer. Weak identity verification processes at some registrars make this possible.

WHOIS contact takeover — The attacker first takes over the email address listed in your WHOIS record. Transfer authorisation emails go to that address, so the domain transfer proceeds without the real owner knowing.

Domain expiry — Expired domains are available for anyone to register. If your renewal fails and you miss the grace period, an attacker can register your domain. This isn't traditional hijacking but has the same outcome. See why domain auto-renew fails for the renewal failure scenarios.


The Security Checklist

1. Enable Two-Factor Authentication at Your Registrar

This is the single most impactful action. Even if an attacker has your password, 2FA prevents them from logging in.

Most major registrars support authenticator apps (Google Authenticator, Authy) or hardware keys (YubiKey). SMS-based 2FA is better than nothing but is vulnerable to SIM swapping. Use an authenticator app or hardware key.

Check your registrar's security settings and enable 2FA if it isn't already active.

2. Enable Domain Lock

Enable both clientTransferProhibited and clientUpdateProhibited in your registrar's domain settings. This prevents transfers and nameserver changes without explicit unlocking.

For high-value domains, ask your registrar about registry lock — a stronger lock applied at the TLD registry level that requires manual verification to remove. See registrar lock vs transfer lock for the full explanation.

# Verify lock status
whois yourdomain.com | grep "Domain Status"
# You want to see: clientTransferProhibited, clientUpdateProhibited
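
The one-line check above can be turned into a pass/fail audit suitable for a scheduled job. This is an added example, not part of the original article; the function names and the sample WHOIS excerpts are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original article): audit EPP lock codes in WHOIS text.
# Real use:  whois yourdomain.com | missing_locks
REQUIRED_LOCKS="clientTransferProhibited clientUpdateProhibited"

# Print the status code from every "Domain Status:" line, one per line.
# Tolerates leading whitespace, label case and the trailing ICANN URL.
epp_statuses() {
    awk 'tolower($0) ~ /^[ \t]*domain status:/ {
             sub(/^[^:]*:[ \t]*/, "")      # drop the label, fields are re-split
             if ($1 != "") print $1        # first word is the status code
         }' | sort -u
}

# Print each required lock that is absent. Exit status 1 if any is missing.
missing_locks() {
    found=$(epp_statuses)
    rc=0
    for lock in $REQUIRED_LOCKS; do
        if ! printf '%s\n' "$found" | grep -qix "$lock"; then
            printf '%s\n' "$lock"
            rc=1
        fi
    done
    return "$rc"
}

# Constructed WHOIS excerpts for an offline run (not real registry output).
SAMPLE_LOCKED='Domain Name: EXAMPLE.COM
Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
Domain Status: clientUpdateProhibited https://icann.org/epp#clientUpdateProhibited'
SAMPLE_PARTIAL='Domain Name: EXAMPLE.NET
   Domain Status: clientTransferProhibited'
SAMPLE_OPEN='Domain Name: EXAMPLE.ORG
domain status: ok https://icann.org/epp#ok'

for sample in "$SAMPLE_LOCKED" "$SAMPLE_PARTIAL" "$SAMPLE_OPEN"; do
    gaps=$(printf '%s\n' "$sample" | missing_locks | tr '\n' ' ') || true
    echo "missing locks: ${gaps:-none}"
done
```

A non-zero exit status from `missing_locks` is the signal to alert on. WHOIS output formats vary between registries, so confirm that the "Domain Status:" label matches what your TLD returns.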

3. Use a Dedicated Registrar Account Email

The email address on your registrar account is the key to that account. If an attacker compromises that email, they can reset your registrar password.

Use a dedicated email address for your domain registrar that's:

  • Not used for anything else (no newsletters, no sign-ups)
  • Protected by its own strong password and 2FA
  • Not displayed publicly in WHOIS (use WHOIS privacy)

4. Enable WHOIS Privacy Protection

WHOIS privacy (also called Domain Privacy or Registrant Privacy) replaces your personal or company contact details in the public WHOIS record with the registrar's proxy contact information. This prevents attackers from:

  • Harvesting your contact email for targeted phishing
  • Seeing which email address receives transfer authorisation emails
  • Identifying the registrar for social engineering attacks

Most registrars offer WHOIS privacy for free or as a low-cost add-on. ICANN's WHOIS information page covers data accuracy requirements.

5. Use a Strong, Unique Password

Registrar accounts are a high-value target. Use a password manager and generate a unique, strong password specifically for your registrar account. Don't reuse passwords from other services.

6. Keep WHOIS Contact Details Current

If the email address in your WHOIS record is outdated (former employee, closed mailbox), transfer authorisation emails go undelivered — and attackers can potentially use the abandoned email. Keep your WHOIS contacts current.

7. Monitor for Unexpected Changes

Even with all the above in place, monitoring gives you early warning if something changes. An unexpected nameserver change is the clearest signal of a hijacking attempt in progress.
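
A minimal way to detect the nameserver change described above is to compare the current NS set against a saved baseline. This is an added example, not the article's or any vendor's code; the function names, baseline file and hostnames are assumptions made up for the demonstration.

```shell
#!/bin/sh
# Added example (not from the original article): nameserver drift check.
# Real use:  dig +short NS yourdomain.com | ns_drift /path/to/baseline.txt

# One hostname per line: drop dig ";;" diagnostics, lowercase,
# strip trailing whitespace and the root dot, sort and de-duplicate.
normalise_ns() {
    tr '[:upper:]' '[:lower:]' |
        sed -e '/^;/d' -e 's/[[:space:]]*$//' -e 's/\.$//' -e '/^$/d' |
        LC_ALL=C sort -u
}

# ns_drift BASELINE_FILE   (current NS list on stdin)
# Prints "+host" for new nameservers and "-host" for missing ones.
# Exit status: 0 no change, 1 drift, 2 empty answer or setup failure.
ns_drift() {
    [ -r "$1" ] && base=$(mktemp) && cur=$(mktemp) || return 2
    normalise_ns < "$1" > "$base"
    normalise_ns > "$cur"
    if [ ! -s "$cur" ]; then
        # A failed lookup must not be reported as "all nameservers removed".
        echo "no NS records in answer" >&2
        rm -f "$base" "$cur"
        return 2
    fi
    drift=$(LC_ALL=C comm -13 "$base" "$cur" | sed 's/^/+/'
            LC_ALL=C comm -23 "$base" "$cur" | sed 's/^/-/')
    rm -f "$base" "$cur"
    if [ -n "$drift" ]; then
        printf '%s\n' "$drift"
        return 1
    fi
    return 0
}

# Demo on constructed data (hostnames are made up).
demo_base=$(mktemp)
printf 'ns1.dns-host.example.\nns2.dns-host.example.\n' > "$demo_base"
printf 'NS1.dns-host.example.\nns1.other-dns.example.\n' |
    ns_drift "$demo_base" || echo "ALERT: nameserver set changed or lookup failed"
rm -f "$demo_base"
```

Record the baseline while the domain is known to be in a good state, and store it somewhere the registrar account cannot modify.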


What to Do If Your Domain Has Been Hijacked

Act immediately — time matters.

  1. Contact your registrar's abuse or security team — not standard support. Most registrars have emergency procedures for hijacking cases.
  2. File a complaint with ICANN via their complaint portal — ICANN can intervene in transfer disputes.
  3. Contact the receiving registrar — if the domain was transferred, the new registrar may have procedures to hold the transfer while a dispute is investigated.
  4. Document everything — timestamps, screenshots, correspondence. You'll need this for the registrar, ICANN, and potentially legal proceedings.
  5. Secure all related accounts — the attacker who compromised your registrar may also have access to your email or hosting accounts.

Recovery isn't guaranteed, and can take weeks. Prevention is far cheaper.


Monitoring Your Domain Security

Domain Monitor continuously monitors your domain's DNS records and nameservers. An unauthorised nameserver change — the first step in most hijacking attempts — triggers an immediate alert. Create a free account and add DNS monitoring for every domain you own or manage.

See what is domain hijacking for background on the threat, and how to monitor nameserver changes across client domains for the monitoring approach.

