How to secure your website domain name

In this article, you’ll discover why domain security matters and how you can ensure you are doing everything you can to secure your domain name.

Why my domain is not secure

Cybercrime is always on the rise. According to Cybersecurity Ventures, global cybercrime costs are expected to reach $10.5 trillion annually by 2025. As technologies evolve, hackers and criminals also update their methods which is why domain security is so important.

Online security threats include:

  • Phishing attacks — you receive an email from a hacker posing as your registrar, clicking on a link where you proceed to enter personal data.
  • Pharming attacks — also known as domain hijacking, pharming is where your website traffic is redirected to somewhere else, with the aim of stealing your sensitive data.

So to combat the threats we find at every turn of the way, domain ownership protection is necessary. You can learn more about how domain names are hijacked in our article, Domain phishing, and other security attacks.

What is full domain protection?

To make your domain secure, it’s important to introduce the right practices that will reduce risk. The dangers of railing to sufficiently protect your domain include hackers redirecting your traffic, dodgy emails, a nasty virus, or human error.

If your site momentarily goes down for any length of time, you and your customers could suffer financial loss, and your reputation may be damaged in the process. Understandably, when customers feel they can’t trust your website, their data is at risk, they’re unlikely to return, and they will most likely warn others.

Aside from a damaged reputation and temporary financial loss, here are some worrying scenarios that may occur should your domain be accessed without your authorization:

  • DNS changes (nameservers or host records) — instead of landing on your website as intended, your customer may see an error page or malicious content.
  • Domain deletion — your customer will see an error page instead of your website. Once a domain is deleted, it will cost you money to recover it.
  • Whois contact information change — while this is not something that will impact your website performance, it may be the first stage of someone hijacking your domain. If someone else’s contact information is listed for your domain, it’s harder to prove that you are the actual owner — and may be a sign that someone is trying to transfer your domain out.
  • Domain transfer out — not only will your website not load, but you’ll lose access to your domain, meaning that you can’t change any settings. It can take some time to file a dispute to try recovering your domain, and you could end up paying huge legal fees.
  • Accidental domain expiration — whether your domain has expired due to issues with payments or the auto-renew feature has been disabled, your website won’t load, and if the domain is not reactivated in time, it will cost money to recover it.
  • Failing to use domain privacy — hackers may use your personal data listed in Whois to impersonate you. They might try stealing your domain or using it for malicious purposes. Plus, without domain privacy, your personal details, such as your phone number and email address, are openly available for marketers to contact you.

So if you were wondering, “do I need domain protection”, then you only need to look at the difficulties that could be caused when a domain is not secure.

Our research on domain security

We surveyed WashaHost customers on their awareness of domain-related security features such as two-factor authentication (2FA), virtual private networks (VPNs), and more. Throughout this article, you’ll find out what we learned.

Domain protection strategy

If you have a website and a domain, then the value of domain protection should be a high priority. We all know that the abovementioned risks could cause costly disruptions to any web project.

The next step is to consider how to develop a strategy and best practices for domain protection. We will look at this on three separate levels: the customer account level, the domain level, and the domain name system (DNS) level.

Customer account level

If you want to use any service or product on the Internet, you will almost always have to create an account. The same goes for customers looking for their domain.

When securing a domain account, it’s painstakingly vital to consider password creation and rotation. Other features that may help keep your domain secure are two-factor authentication and limiting the IP addresses that can access your account.

Password creation and rotation

Our survey showed that 73% of our responders are not required to update their registrar account regularly. This was not limited to WashaHost, but other registrars were also included. 10.8% said they didn’t know that this requirement was needed, and 6.5% were required to do this for some of their domains. Only 9.7% rotate their password on a regular basis.

You need to take password security seriously — we suggest that if you haven’t changed your password in a while, do so now, and consider enabling two-factor authentication (2FA).

It is recommended that passwords be rotated at least every three to six months when a security breach occurs, if you believe your device may have been compromised, and if there is evidence of unauthorized access to your account. Try How secure is my password? to find out how strong your password is. It tells you how long it would take a computer to crack your password!

Two-factor authentication (2FA)

Enabling two-factor authentication (2FA) is a simple way to help keep your account safe. It requires two authentication factors to verify who you are before account access is granted. As well as your usual password, you may also need a mobile app, SMS verification, or a physical authentication key to prove who you are.

70% of our survey responders said they used 2FA for account access and domain modifications. It’s one of the most basic and accessible features, and the benefits are that it’s free to set up and provides a solid level of protection.

If you haven’t yet heard of this feature, it’s worth checking out, and if you’re a WashaHost customer, read our guide on enabling and disabling 2FA.

Limiting specific IP address access

Another way to protect your domain name is only to grant account access to specific IP addresses. This clever security measure allows you to allow specific locations, such as your home or work IP addresses, to be marked as safe. If an unauthorized IP address is seen to be attempting to gain access, it will not be granted.

This feature is currently only used by 4.8% of our responders, perhaps because it isn’t widely available from registrar services and is considered advanced.

Domain level

Now that we’ve covered how you can protect your account, it’s time to learn how to secure a website domain. This includes keeping on top of your domain status, understanding privacy services, registry, and registrar locks, preventing malicious actors, preventing accidental domain expiration, and enabling 2FA for domain modifications.

Domain status notifications

Did you know that you can set up alerts to notify you if any changes are made to your account or domain? This is a basic feature that is commonly used by 70.2% of our survey responders.

At WashaHost, our security alerts keep our customers posted on activities such as login attempts or changes in domain settings such as address or Host Records updates. You can find out more in our security settings article.

Privacy service

Many registrars offer a free or paid domain privacy service that hides your contact information in Whois. This is a basic and essential feature that can prevent marketing companies and online fraudsters from knowing details like your email address, postal address, and phone number.

50.3% of our survey responders have privacy enabled for all their domains, whereas 6.3% don’t use a privacy service. 22.2% use a privacy service for some of their domains.

For most users, it makes sense to use a privacy service. However, there are some exceptions.

Some domain registries (registries are the organizations that create and own domain extensions, as well as decide the requirements for registering them), stipulate that the registrant must reveal their contact information in Whois. Or, if you’re a domain seller, you want your contact information visible so that potential buyers can contact you.

At some registrars, domain privacy is a paid-for service and comes with a high price tag. When a registrant chooses to register a domain through WashaHost, private domain registration is offered with every eligible domain — that’s free lifetime protection for our customers.

Registrar lock

Another essential feature is a registrar lock. This feature prevents a domain name from being transferred to another registrar and can be managed in your registrar account.

Of the people we surveyed, 48.6% have registrar lock enabled for all their domains and 14.5% for some of their domains. 8.9% of users don’t use it at all.

If you plan to transfer your domain name to a different registrar, you will need to switch off your registrar lock. If you’re not planning to transfer out, it’s good to have your registrar lock enabled.

Registry lock

Often a paid feature, a registry lock prevents transfers to other registrars, domain deletion, and nameserver changes. It can’t be managed in your registrar account, but only on the registry side. If you have a valuable and precious domain, it’s a necessary feature that will ensure that critical changes don’t happen to your domain without your explicit authorization.

40.8% of our responders have registry lock enabled for all their domains, 10.9% have it for some domains, and 8.8% do not use this domain security feature. The rest indicated that they were not aware of the existence of a registry lock.

It may be that less than half of our survey takers use it due to it being a paid feature, it might be too expensive, and not all registries may support it. Currently, at WashaHost, we don’t offer it, but it will be offered by our Domain Vault, which you’ll read about later on in this article.

If you’re running a highly successful business that is your main source of income, it’s wise to invest in this extra level of protection.

Trademarks and typo-blocking

Another way to protect your domain is to block the registration of your trademark across multiple top-level domains (TLDs). This includes blocking your trademark from being registered with adult TLDs such as .xxx. You can also block the registration of misspelled domain names which can help combat typosquatters.

Typosquatting is where fraudulent website owners target users that accidentally type in the wrong website address into the URL browser with the aim of selling competitive products or stealing personal information.

Take amazon.com. They predict that someone will miss out on the vowels and have registered amzon.com and amazn.com, which they use to redirect customers to the rightful website, rather than a competing site.

Another example is landsend.com, which sells clothes and home goods. Typosquatters registered domain names such as landsende.com and lndsend.com and redirected the traffic via affiliate links to take a cut of the sales revenue. You can read more about the case at the Internet Library of Law.

65% of our survey responders don’t use this service, 9.4% use it for some of their domains, and 1.9% use it for all their domains. The rest aren’t aware that this service exists. These numbers are expected, as this advanced feature is only relevant for customers who hold trademarks.

Web threat lists

Google Safe Browsing looks at billions of URLs every day to determine if websites are unsafe for users. If a website is considered dangerous to visit, it may be de-indexed by Google. Using the site status checker, you can determine if your website has been flagged as unsafe.

Only 11.6% of our survey responders regularly keep track of blocklists, while the rest don’t know about this or complete regular checks.

If your domain name is listed as harmful, a warning message will appear when a user attempts to land on your site and may prevent your users from clicking through. It’s worth monitoring web threat lists to make sure that your domain name is not incorrectly shown as harmful.

Extended grace period

Typically, if a domain is not renewed on time, it will stop working on the day of expiration. Also, no changes can be made, and all connected services will stop.

An extended grace period is an extra protection mechanism that grants you more time to renew your domain while keeping your services running. This may be useful in cases such as if your chosen payment option fails.

50.5% of our survey responders have an extended grace period in place. This suggests that it’s a suitable measure for customers running small businesses or big companies wishing to know that their online services will stay up and running.

Domain modifications 2FA

Two-factor authentication (2FA) is useful on account and domain levels. Once again, you can use a trusted device to generate an access code to approve any domain changes. This is an extra layer of validation vital for online businesses and is useful if you work in a shared space or use a public computer to manage your domains.

Domain name system (DNS) level

First, a technical lesson. When you type a domain name in the search bar, a website is located by the domain name and IP address. An IP address is like a telephone number. It’s a long string of numbers, which is why we use domain names instead — while a computer can easily deal with IP addresses, they are too complicated for our human brains! The domain name system (DNS) is often described as the Internet telephone book. It’s also a hierarchical system that is used to sift through millions of IP addresses to find the website you want to reach. It translates domain names into IP addresses.

Domain name system security extensions (DNSSEC)

DNSSEC authenticates the resolution of IP addresses. When you enter your domain name, DNSSEC adds cryptographic signatures to DNS data, which confirms the authentication of the website you intend to visit.

4.9% of our survey takers use DNSSEC for all of their domains and 11.2% for some of their domains. 30.7% don’t use it for any, and 53.2% of our survey takers didn’t know that DNSSEC existed.

It may be that many users consider this security feature as technologically advanced, but it can easily be set up with the help of registrars and hosting providers.

If you’re a WashaHost customer, you may find the following two articles useful:

  • Managing DNSSEC for domains pointed to Custom DNS
  • Managing DNSSEC for domains pointed to Premium or BasicDNS

PremiumDNS

At WashaHost, we offer PremiumDNS, which can be used with any domain, ensuring that your domain runs smoothly and remains free of issues. The service offers customers 100% DNS uptime, secures look-ups, and prevents fake site re-directs.

What can be included in domain security

There are also other security practices that you can maintain to help keep your domain secure and safe. Let’s take a look at them now.

Set up auto-renewal

Make domain management simple with auto-renewal, and never let your domain expire! At WashaHost, this means your account balance will be charged first, if there are insufficient funds, your payment cards will be tried next. This is the easiest way to make sure that your website and any connected services stay running for as long as you have your domain.

Avoid delegating domain management

Although it may be tempting to delegate domain management to an employee, or an external IT company, it may not be wise, considering how valuable it is to you and your business.

In an ideal world, you (the business owner) would be the only person that has access to your domain. However, if you’re just too busy, then make sure the domain is registered in your company name, and not in the name of an employee, or an external company. Alternatively, you may be able to delegate partial control, which limits access based on needs, such as giving DNS management access to your IT team leader.

Use antivirus and anti-spyware

Antivirus software protects you from viruses that may modify your programs. These viruses are designed to spread from one computer to another, just like a flu virus, stealing passwords, logging keystrokes, and corrupting files.

Anti-spyware aims to detect and remove malicious spyware programs that are used to track online activity and steal valuable information.

Both spyware and viruses can be very damaging, and it’s worth looking into both antivirus and anti-spyware software to help keep your computer safe. Keep your software updated, as the updates contain the latest files to combat new viruses.

Email vigilance

Cybercriminals often use emails to gather personal information, steal bank details, or attach viruses that a user may unwittingly download. Sometimes it’s effortless to identify suspicious emails, but sometimes it can be more tricky.

Look carefully at the email address of the sender. If it’s an unusual email address or you can see a spelling mistake, it may be suspicious. Pay attention to the greeting and look out for any grammar or spelling errors. Don’t click any links that you see in suspicious-looking emails.

Use a Virtual private network (VPN)

Virtual private networks create encrypted connections that mask your IP address, allowing you to safely and securely browse the Internet. It’s sensible to use a VPN when using any public WiFi, and it protects you from hackers, looking to get hold of your personal data.

At WashaHost, we offer FastVPN, which you can set up in seconds. Plus, there’s a 30-day free trial, so why not give it a go?

Domain Vault

Now’s the time to let you into a little secret! Given that domains are your most valuable asset, coming soon to WashaHost is Domain Vault, a specialist security suite designed to lock your domains safely away from scammers, hijackers, and hackers.

Domain Vault will offer customers:

  • Registry lock — prevent your domain from being transferred out, nameserver changes, and domain deletion.
  • Specialist customer support — any changes will need to be approved by a specially trained customer support team.
  • Extra identity check — this makes sure you’re really who you say you are before any business-critical domain settings can be changed.

Our new service means you can rest easy knowing that you have total control over your domain and that one of your most valuable assets is protected from external threats. Register your interest, and we’ll contact you with details of the official launch.

Is full domain protection worth it?

In this article, we’ve covered some of the best security features to use to ensure your domain is kept safe. It’s not just your information that is at risk. It’s also your customer’s information that could be in danger, as well as your reputation as a brand. By now, you will have realized just how important it is to get full domain protection and picked up some great tips on how to continue protecting it. So if you’re still asking “should I buy domain protection?”, the answer should be a resounding “yes.”