
Registrar Lock vs Transfer Lock: What's the Difference?

Domain locking features are named inconsistently across registrars, which causes genuine confusion about what's being protected and when to enable or disable each one. Here's what the terms actually mean.


Transfer Lock (Also Called Registrar Lock)

What it is: A flag that prevents your domain from being transferred to a different registrar without your explicit authorisation.

What it protects against: Unauthorised domain transfers. If an attacker gains access to your registrar account and tries to transfer your domain to a registrar they control, a transfer lock requires additional verification steps before the transfer can proceed.

ICANN's role: The transfer lock is enforced by ICANN's transfer policy. Under this policy, a registrar must place a 60-day lock on newly registered or recently transferred domains, and the domain owner must explicitly authorise any transfer.

When transfer lock is enabled, your domain shows status clientTransferProhibited in WHOIS:

whois yourdomain.com | grep "Domain Status"
# Should include: clientTransferProhibited

When to disable it: Only when you're actively initiating a legitimate domain transfer to a new registrar. Re-enable it immediately after the transfer completes.


Registrar Lock (Also Called Domain Lock, Status Lock, or Update Lock)

What it is: A broader lock that prevents changes to the domain's registration data — including nameserver changes, WHOIS contact updates, and sometimes DNS record changes — without additional verification.

What it protects against: Unauthorised nameserver changes and WHOIS data modifications. This is the more critical security feature for preventing domain hijacking.

When this lock is active, your domain shows additional status codes:

whois yourdomain.com | grep "Domain Status"
# May include:
# clientUpdateProhibited
# clientDeleteProhibited
# clientTransferProhibited

The clientUpdateProhibited status is what prevents nameserver changes. Without it, an attacker with access to your registrar account can change your nameservers — taking control of your entire DNS — without any additional verification.


The Naming Confusion

Different registrars use these terms differently:

| Registrar | Term used | What it actually does |
|---|---|---|
| GoDaddy | "Domain Lock" | Prevents transfers + nameserver changes |
| Namecheap | "Domain Lock" | Primarily prevents transfers |
| Google Domains | "Transfer lock" | Prevents transfers |
| Cloudflare | "Transfer lock" | Prevents transfers |

The safest approach: check the WHOIS status codes rather than relying on the toggle label. You want to see clientTransferProhibited and clientUpdateProhibited for maximum protection.


Registrar-Level Lock vs Registry Lock

There's a third, stronger type of lock available for high-value domains:

Registry Lock (sometimes called Premium Lock or Super Lock) — This lock is applied at the TLD registry level (Verisign for .com, etc.) rather than at your registrar. Changes require a manual verification process that takes days and involves the registry directly — making it extremely difficult for even a compromised registrar account to make changes.

Registry locks are typically available for .com, .net, .org, and other major TLDs. They're most common for high-value or brand-critical domains. Contact your registrar to enquire about registry lock availability.


How to Check Your Domain Lock Status

# Check WHOIS for domain status codes
whois yourdomain.com | grep -i "domain status"

# What you want to see:
# clientTransferProhibited
# clientUpdateProhibited
# clientDeleteProhibited (optional — prevents accidental deletion)

# What a vulnerable domain looks like:
# clientTransferProhibited (only — still vulnerable to nameserver changes)
# or no lock at all

When You Need to Disable a Lock

Transferring to a new registrar: Disable clientTransferProhibited (transfer lock). Re-enable at the new registrar after transfer completes.

Changing nameservers: If clientUpdateProhibited is set, you'll need to temporarily disable it to make DNS changes. Re-enable it immediately after making the change. This is the correct workflow for changing nameservers without downtime.

Domain migration: If moving between hosting providers and DNS providers simultaneously, both locks may need to be temporarily disabled. Do this during a planned maintenance window and re-enable immediately.


For most domains:

  1. Enable transfer lock (clientTransferProhibited) — always on
  2. Enable update lock (clientUpdateProhibited) — always on, disable briefly only for planned changes
  3. Consider delete lock (clientDeleteProhibited) — prevents accidental or malicious deletion
  4. Consider registry lock — for business-critical or brand domains

Monitoring for Lock Status Changes

An unexpected change in domain lock status — locks being removed without your knowledge — is a warning sign of account compromise. Domain Monitor monitors your domain's registration status and alerts when DNS records or nameservers change unexpectedly, giving you visibility into changes that could indicate an account breach.
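
The status-code check and the lock-removal monitoring described above can be scripted together. This is an added example, not code from the original post or from Domain Monitor: the function names (`status_codes`, `lock_posture`, `removed_locks`) and the WHOIS excerpts are constructed, and it assumes the `Domain Status: <code> <url>` layout used in gTLD WHOIS output.

```shell
#!/bin/sh
# Added example: read WHOIS text on stdin, classify lock posture, and report
# locks that were in a saved baseline but are missing now.

# Print the status codes from "Domain Status: <code> <url>" lines, sorted, unique.
status_codes() {
    awk 'tolower($0) ~ /domain status:/ {
             sub(/^[^:]*:[ \t]*/, ""); print $1 }' | sort -u
}

# has_code CODES CODE: succeed if CODE is one of the newline-separated CODES.
has_code() { printf '%s\n' "$1" | grep -qxF "$2"; }

# locked: transfer + update prohibited; transfer-only: nameservers can still be
# changed; update-only: transfers not blocked; unlocked: neither lock is set.
lock_posture() {
    codes=$(status_codes)
    if has_code "$codes" clientTransferProhibited; then
        if has_code "$codes" clientUpdateProhibited; then echo locked
        else echo transfer-only; fi
    elif has_code "$codes" clientUpdateProhibited; then echo update-only
    else echo unlocked; fi
}

# removed_locks BASELINE: print each *Prohibited code in BASELINE that the
# current WHOIS text (stdin) no longer shows. Any output is worth an alert.
removed_locks() {
    current=$(status_codes)
    for code in $1; do
        case "$code" in *Prohibited) ;; *) continue ;; esac
        has_code "$current" "$code" || echo "$code"
    done
}

# Constructed WHOIS excerpts; example.com is a reserved documentation domain.
SAMPLE_LOCKED='   Domain Name: EXAMPLE.COM
   Domain Status: clientDeleteProhibited https://icann.org/epp#clientDeleteProhibited
   Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
   Domain Status: clientUpdateProhibited https://icann.org/epp#clientUpdateProhibited'
SAMPLE_WEAK='   Domain Name: EXAMPLE.COM
   Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited'

# Baseline taken while fully locked, then compared with a later, weaker state.
BASELINE=$(printf '%s\n' "$SAMPLE_LOCKED" | status_codes)
printf '%s\n' "$SAMPLE_WEAK" | lock_posture
printf '%s\n' "$SAMPLE_WEAK" | removed_locks "$BASELINE"
```

Against a live domain, pipe `whois yourdomain.com` into `lock_posture`, and store the output of `status_codes` as the baseline whenever you deliberately change a lock.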

