By Aman Masjide
Imagine that after months—even years—of building your website, fine-tuning its search engine ranking and building up your base of users and customers, you wake up one morning to find your customers angry on social media and your search engine rankings plummeting because your website and its data were hijacked.
For a small business, this is a risk you may not want to take.
Putting off securing your domain leaves the door open for hackers to destroy your hard work. Here’s what could happen:
- Your customers’ data, including personally identifiable information (PII), could be stolen
- You may have to pay a non-compliance fine
- Your brand’s reputation can be tarnished
The truth is, websites are compromised all the time. Sometimes the reason is to steal your data, but often it’s to use your server to send spam emails, share files illegally, or set up a malicious, temporary web server. Any of these activities can hurt your brand’s reputation.
Here are five steps that you can take to ensure that you’re well protected:
1. Keep contact details up to date and don’t over-publish them
Keeping your registration information up to date helps keep your domain secure.
Make sure you are the owner of the domain
If your domain is hijacked, you can get it back more quickly if you are the “registrant of record” for the domain. If you registered your domain through a web agency, for example, make sure that the owner’s contact details are yours, not the agency’s. Or if a member of your team registered your domain for you, it might be in their name. In both cases, you should change the owner to your organization’s account.
Keep your contact details current
This will help your domain registrar notify you if they notice any discrepancies with your account. If your name and contact details are correct in the domain registration information, it makes it easier to restore access to your domain.
Hide your personal data in the WHOIS
The WHOIS record lists your registration information, including your address and phone number. You may want to hide this information for two reasons. First, publishing your phone number in the WHOIS is a good way to get a lot of spam calls. More seriously, an attacker who knows your number can try to take it over (for example through a SIM swap at your mobile carrier) and then use it to pass account recovery checks or receive SMS verification codes for your accounts.
2. Don’t share your domain registration login details
As a rule, don’t share your login credentials. Ever.
Your web designers, IT professionals and developers might ask for your login details so that they can change some DNS configuration.
These updates can be done without sharing your credentials.
If your registrar lets you create sub-accounts, you can grant each person limited rights to access only what they need. If your web developer needs to change DNS settings, give them access to DNS settings only, not to domain transfers, contact details or billing. That way you can be sure nothing beyond what’s necessary will be modified, and you can revoke that one account when the work is done.
3. Watch out for emails requesting your login details
Phishing attacks usually come in the form of a simple email that looks like it’s from your domain registrar.
They’re often sent by forging (spoofing) a trusted sender’s address, or from a domain name that looks almost identical to one you trust. For example, phishers might send emails from a domain such as “gandeeemailsupport.com”. These emails usually claim to be about your domain management or renewal.
Never click a link in an email that asks for your username and password.
The best way to avoid phishing is to only log in to your account from your registrar’s official website, reached by typing the address yourself or using a bookmark, never through a link in an email. If you receive a suspicious message, forward it to your registrar so they can confirm whether it is a phishing attempt.
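The look-alike check described above, as an added example written for this article (it is not a tool from any registrar): a small Python classifier that parses a From: header, treats the registrar’s genuine domain and its subdomains as trusted, and flags display-name spoofing, a brand name embedded in some other domain, and near-miss spellings after collapsing common confusable characters. The trusted-domain list, the confusable tables and the sample headers are assumptions and constructed inputs; replace them with your own registrar’s domain.

```python
"""Added example: flag registrar look-alike sender domains in From: headers.

Illustrative code written for this article, not a registrar's tool. The
trusted-domain list, the confusable tables and the sample headers are
assumptions / constructed inputs.
"""
import email.utils

# Assumed: the domain(s) your registrar actually sends mail from (hypothetical).
TRUSTED_DOMAINS = {"gandi.net"}

# Characters and digraphs commonly used to imitate letters in look-alike
# domains, mapped to the letter they imitate.
CONFUSABLES = {"0": "o", "1": "l", "3": "e", "4": "a", "5": "s", "7": "t"}
DIGRAPHS = {"rn": "m", "vv": "w"}


def normalise(text):
    """Lower-case and collapse common confusables so 'g4ndi' compares as 'gandi'."""
    text = text.lower()
    for src, dst in DIGRAPHS.items():
        text = text.replace(src, dst)
    return "".join(CONFUSABLES.get(ch, ch) for ch in text)


def levenshtein(a, b):
    """Classic edit distance (insert / delete / substitute each cost 1)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def brand_of(domain):
    """Second-level label, e.g. 'gandi' for 'gandi.net' (assumes a one-label TLD)."""
    labels = domain.split(".")
    return labels[-2] if len(labels) >= 2 else labels[0]


def label_resembles(label, brand):
    """True if the brand appears inside the label, or a brand-sized window of the
    label is within one edit of the brand. Fuzzy matching is only used for brands
    of 5+ characters so that short brands do not match random words."""
    cand = normalise(label)
    if brand in cand:
        return True
    if len(brand) < 5:
        return False
    w = len(brand)
    return any(levenshtein(cand[i:i + w], brand) <= 1
               for i in range(max(1, len(cand) - w + 1)))


def is_trusted(domain):
    return any(domain == t or domain.endswith("." + t) for t in TRUSTED_DOMAINS)


def classify(from_header):
    """Return (verdict, reasons) for a From: header value.

    verdict is one of 'invalid', 'trusted', 'lookalike', 'unrelated'.
    """
    name, addr = email.utils.parseaddr(from_header)
    if "@" not in addr:
        return "invalid", ["no parsable address"]
    domain = addr.rsplit("@", 1)[1].lower().rstrip(".")
    if is_trusted(domain):
        return "trusted", []
    reasons = []
    for trusted in TRUSTED_DOMAINS:
        brand = normalise(brand_of(trusted))
        # Display-name spoofing: "Gandi Support <x@evil.example>"
        if brand in normalise(name):
            reasons.append(f"display name imitates {trusted}")
        # Look-alike or brand-embedding domain, checked label by label so that
        # both "gandeeemailsupport.com" and "gandi.net.evil.example" are caught.
        if any(label_resembles(label, brand) for label in domain.split(".")):
            reasons.append(f"sender domain resembles {trusted}")
    return ("lookalike" if reasons else "unrelated"), reasons


# Constructed sample headers (not real messages).
SAMPLE_HEADERS = [
    "Gandi <noreply@gandi.net>",
    "Gandi Support <support@gandeeemailsupport.com>",
    "Billing <renewals@gandi.net.evil.example>",
    "Gandi Support <help@registrar-alerts.example>",
    "Newsletter <news@example.org>",
]

if __name__ == "__main__":
    for hdr in SAMPLE_HEADERS:
        verdict, reasons = classify(hdr)
        print(f"{verdict:10} {hdr}  {'; '.join(reasons)}")
```

This is a triage aid, not an authentication check: anything other than “trusted” is a reason to open the registrar’s site yourself instead of clicking, and even a “trusted” domain can be spoofed unless your mail provider also checks SPF, DKIM and DMARC on the message.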
4. Use two-factor authentication
Two-factor authentication (2FA) requires you to log in with a second factor besides your username and password. This might be a code sent to you by SMS or generated by an authenticator app. If an attacker obtains your password, the second factor can still stop them from taking your domain.
However, not all 2FA is equal. When the second factor is a code sent by SMS, an attacker who takes over your phone number (as mentioned above) receives those codes and can get into accounts that rely on them.
App-generated time-based one-time passwords (TOTP) remove the SIM-swap risk, but they do not protect you or your users from phishing: a code typed into a convincing fake login page can be relayed by the attacker to the real site within the code’s validity window.
Universal 2nd Factor (U2F), and its successor FIDO2/WebAuthn, is stronger. A hardware security key answers a challenge from the site with a public-key signature, and that signature covers the origin of the site your browser is actually connected to. A response produced on a look-alike domain is therefore useless on the real one, which defeats the relay attacks that beat SMS and TOTP codes.
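The difference between a relayable code and an origin-bound response, as an added example written for this article (not a registrar’s implementation). The TOTP functions follow RFC 4226 and RFC 6238 exactly and can be checked against the test vectors in those RFCs. The security-key part is a simplified model: a real key signs with a per-site ECDSA key pair, and here an HMAC over (origin, challenge) stands in for that signature; what the model preserves is that the browser, not the page, supplies the origin that gets signed. The origins, keys and challenge are constructed values.

```python
"""Added example: a relayed TOTP code works for the phisher, a relayed
origin-bound (U2F/FIDO2-style) assertion does not.

Illustrative code written for this article. TOTP follows RFC 4226/6238. The
authenticator is a simplified model (HMAC stands in for the real per-site
ECDSA signature). Origins, keys and the challenge are constructed values.
"""
import hmac
import struct
import time
from typing import Optional, Tuple


def hotp(secret: bytes, counter: int, digits: int = 6, algo: str = "sha1") -> str:
    """RFC 4226 HOTP: HMAC over the 8-byte big-endian counter, dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F
    binary = ((mac[offset] & 0x7F) << 24 | mac[offset + 1] << 16
              | mac[offset + 2] << 8 | mac[offset + 3])
    return str(binary % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6,
         algo: str = "sha1") -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(time / step)."""
    return hotp(secret, unix_time // step, digits, algo)


def verify_totp(secret: bytes, code: str, unix_time: int, step: int = 30,
                digits: int = 6, window: int = 1) -> bool:
    """Accept the code for the current step and `window` steps either side, the
    clock-drift tolerance most services apply. That tolerance is also the time
    a phisher has to replay a captured code."""
    counter = unix_time // step
    return any(hmac.compare_digest(hotp(secret, counter + d, digits), code)
               for d in range(-window, window + 1))


# --- simplified origin-bound second factor -----------------------------------

def authenticator_sign(key: bytes, origin: str, challenge: bytes) -> bytes:
    """Model of a security key answering a challenge. The browser supplies
    `origin`, so a phishing page cannot lie about it.
    (Assumption: HMAC stands in for the real per-site ECDSA signature.)"""
    return hmac.new(key, origin.encode() + b"\x00" + challenge, "sha256").digest()


def relying_party_verify(key: bytes, expected_origin: str, challenge: bytes,
                         assertion: bytes) -> bool:
    """The site checks the assertion against *its own* origin; an assertion
    made for any other origin fails."""
    expected = authenticator_sign(key, expected_origin, challenge)
    return hmac.compare_digest(expected, assertion)


def phishing_relay_demo(now: Optional[int] = None) -> Tuple[bool, bool]:
    """Simulate a real-time relay phish against both factors.

    Returns (totp_relay_accepted, origin_bound_relay_accepted).
    """
    now = int(time.time()) if now is None else now
    real_origin = "https://registrar.example"          # constructed
    phish_origin = "https://registrar-login.example"   # constructed look-alike
    totp_secret = b"12345678901234567890"              # RFC 6238 test secret
    key = b"\x01" * 32                                 # constructed authenticator key

    # 1. The victim types the TOTP code into the phishing page; the attacker
    #    submits it to the real site a few seconds later: accepted.
    code_typed_by_victim = totp(totp_secret, now)
    totp_accepted = verify_totp(totp_secret, code_typed_by_victim, now + 5)

    # 2. The real site issues a challenge; the attacker forwards it to the
    #    victim's browser, which is on the phishing origin. The authenticator
    #    signs over that origin, so the relayed assertion fails at the real site.
    challenge = b"\x5a" * 32                           # constructed challenge
    assertion = authenticator_sign(key, phish_origin, challenge)
    origin_bound_accepted = relying_party_verify(key, real_origin, challenge, assertion)

    return totp_accepted, origin_bound_accepted


if __name__ == "__main__":
    print("relayed TOTP accepted: %s, relayed origin-bound assertion accepted: %s"
          % phishing_relay_demo())
```

Run stand-alone it reports that the relayed TOTP code is accepted and the relayed assertion is rejected. The practical consequence for a domain owner: enable a security key at the registrar where it is offered, and keep TOTP rather than SMS as the fallback.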
5. Choose a good domain registrar
One of the most critical factors in keeping your domain safe is choosing a good domain registrar.
When picking a domain registrar, be sure to look at their security features.
Features like free WHOIS privacy, sub-accounts, two-factor authentication and, ideally, support for U2F/FIDO2 security keys can make the difference.
Other security features that are important for your registrar to have are:
- DNSSEC management: DNSSEC is an extension to DNS that adds cryptographic signatures to DNS records, so that validating resolvers can verify a response really came from your zone and was not altered in transit. Without it, an attacker who can spoof or poison DNS responses could send visitors looking for your website to a server they control and hijack your traffic. Your registrar’s part in this is publishing the DS record that links your signed zone into the parent zone’s chain of trust, so look for a registrar that lets you manage DS records or signs your zone for you.
- Quality technical support: having round-the-clock technical support is a must. You should always be able to reach a support representative in case of a problem. In the case of hijacked domains, immediate support is crucial to getting your domain back up and running.
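A way to check whether DNSSEC is actually working for your domain, as an added example written for this article (not registrar tooling). It reads the output of `dig +dnssec yourdomain.example A` and distinguishes three cases a practitioner should tell apart: the answer carries RRSIG records and the resolver set the `ad` (authenticated data) flag, so the chain of trust validated; the answer is signed but the resolver you asked does not validate; or the zone is not signed at all. The dig output embedded below is constructed to show the shape of a validated answer, and `run_dig` only runs when a `dig` binary is installed.

```python
"""Added example: interpret a `dig +dnssec` answer for DNSSEC status.

Illustrative code for this article, not registrar tooling. SAMPLE_DIG_OUTPUT is
a constructed answer shaped like real dig output; run_dig() produces a real one
when dig is installed.
"""
import re
import shutil
import subprocess
from typing import Dict, Optional

FLAGS_RE = re.compile(r"^;; flags: ([a-z ]*);", re.MULTILINE)
STATUS_RE = re.compile(r"status: ([A-Z]+)")
RRSIG_RE = re.compile(r"^\S+\s+\d+\s+IN\s+RRSIG\s", re.MULTILINE)

EXPLANATIONS = {
    "validated": "signed and validated by this resolver (ad flag set)",
    "signed-not-validated": "RRSIGs present but this resolver did not validate; "
                            "ask a validating resolver before concluding anything",
    "unsigned": "no RRSIG records in the answer: the zone is not signed, or the DS "
                "record at the parent is missing so the resolver treats it as unsigned",
    "servfail": "SERVFAIL: a validating resolver answers this way for a broken chain "
                "(e.g. a stale DS record); retry with +cd to see the unvalidated data",
    "error": "query failed for an unrelated reason; check the status line",
}


def dnssec_indicators(dig_output: str) -> Dict[str, object]:
    """Parse the header flags, the status and the RRSIG count out of dig output
    and reduce them to a verdict."""
    m = FLAGS_RE.search(dig_output)
    flags = set(m.group(1).split()) if m else set()
    m = STATUS_RE.search(dig_output)
    status = m.group(1) if m else "UNKNOWN"
    rrsig_count = len(RRSIG_RE.findall(dig_output))

    if status == "SERVFAIL":
        verdict = "servfail"
    elif status != "NOERROR":
        verdict = "error"
    elif rrsig_count == 0:
        verdict = "unsigned"
    elif "ad" in flags:
        verdict = "validated"
    else:
        verdict = "signed-not-validated"
    return {"status": status, "flags": flags, "rrsig_count": rrsig_count,
            "verdict": verdict, "explanation": EXPLANATIONS[verdict]}


def run_dig(name: str, resolver: Optional[str] = None) -> Optional[str]:
    """Run `dig +dnssec <name> A [@resolver]` if dig is available, else None.
    The companion check `dig DS <name>` shows whether the parent publishes a DS."""
    if shutil.which("dig") is None:
        return None
    cmd = ["dig", "+dnssec", name, "A"] + ([f"@{resolver}"] if resolver else [])
    return subprocess.run(cmd, capture_output=True, text=True, timeout=10).stdout


# Constructed dig output for a validated answer (not captured from a real query).
SAMPLE_DIG_OUTPUT = """\
; <<>> DiG 9.18.24 <<>> +dnssec yourdomain.example A
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4242
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 1232
;; QUESTION SECTION:
;yourdomain.example.\t\tIN\tA

;; ANSWER SECTION:
yourdomain.example.\t300\tIN\tA\t192.0.2.10
yourdomain.example.\t300\tIN\tRRSIG\tA 13 2 300 20240201000000 20240101000000 12345 yourdomain.example. MEUCIQ...constructed...
"""

if __name__ == "__main__":
    output = run_dig("yourdomain.example") or SAMPLE_DIG_OUTPUT
    result = dnssec_indicators(output)
    print(f"{result['verdict']}: {result['explanation']}")
```

Two caveats when reading real output: the `ad` flag is set by the resolver you query, so test against one known to validate (your own, or a public validating resolver) rather than trusting whatever the local network hands out, and a SERVFAIL right after changing DNSSEC keys usually means the DS record at the registrar no longer matches the zone’s key.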
Your domain name is one of the most important aspects of your business. If your domain name gets hijacked, your business can gain a negative reputation, your SEO rankings could drop, and months or years of hard work could be undone. By following the tips above and choosing the right registrar, you can reduce the chances of your domain name getting hijacked. Gandi is one example of a registrar that offers the features mentioned above, but it’s important to compare all the security features of a registrar to make sure your domain is safe.
Aman Masjide leads Compliance and Abuse Mitigation at Radix, one of the world’s largest domain portfolio registries. Radix offers new domains such as .online, .store, .fun, .website, .tech, .host, .site, .space & .press.