Domain hijacking cost UK businesses £42 million in 2024. Average recovery time: 14 days (complete business shutdown). Prevention costs £0-50/year. Recovery costs £2,000-20,000.
Enable Registrar Lock
Also called "transfer lock". Prevents transfer of the domain to another registrar until you explicitly unlock it; in WHOIS/RDAP it appears as the EPP status clientTransferProhibited (many registrars also set clientUpdateProhibited and clientDeleteProhibited). Enable it on every domain and only unlock when you initiate a legitimate transfer. Caveat: it does not stop someone already inside your registrar account from changing name servers or DNS records, so it is one layer, not the whole defence.
Two-Factor Authentication (2FA)
Enable 2FA on the registrar account. Login then needs a one-time code or a hardware key in addition to the password, so a stolen password alone is not enough. Turn it on for every user who can log in to the account, not just the owner.
2FA Methods
Authenticator app (Google Authenticator, Authy) is more secure than SMS: SIM-swapping attacks move your number to the attacker's phone and capture SMS codes. A FIDO2/WebAuthn security key is stronger still, because a phishing page can relay a TOTP code in real time but cannot replay a key's signature for a different site. Use the strongest method the registrar supports.
Strong Unique Password
16+ characters, random, unique to registrar account. Use password manager (1Password, Bitwarden). Never reuse passwords across sites. Credential stuffing attacks exploit password reuse.
Common attack: Hacker breaches random forum, steals email/password combos, tries same credentials on GoDaddy/Namecheap. 23% of users reuse passwords - easy hijacking target.
Account Email Security
The email address on the registrar account must have: a strong password, 2FA enabled, no forwarding rules you did not create, and a recovery email you control. Compromised email = compromised domain account, because password resets land there. Avoid the circular dependency of using a mailbox on the very domain the account controls: if that domain is hijacked, the recovery mailbox goes with it and locks you out of recovery.
DNSSEC
DNS Security Extensions. Cryptographically signs DNS records so resolvers can verify they came from the zone owner. Prevents DNS spoofing and cache poisoning. Supported by most TLDs. If your DNS is hosted at the registrar it is usually a one-click enable; if DNS is hosted elsewhere, turn on signing at the DNS provider and publish its DS record through the registrar control panel, because the chain of trust is anchored in the parent zone.
How DNSSEC Works
Adds digital signatures to DNS records, plus a DS record in the parent zone that links the chain of trust. Validating resolvers check the signature before accepting a record, so forged or tampered records are rejected. This stops on-path attackers and poisoned caches from redirecting your traffic. Two caveats: DNSSEC provides authenticity, not confidentiality (records are still readable), and it does nothing against an attacker inside your registrar or DNS account, who can simply re-sign the new records or remove the DS record.
Registry Lock (Premium)
An additional lock applied at the registry level (above the registrar lock). Costs £50-150/year. Unlocking requires out-of-band verification with the registry, typically a phone call to pre-registered contacts, in some cases also fax confirmation or a waiting period of around 24 hours; the exact procedure varies by TLD. For mission-critical domains only.
Registry lock is the extreme end: Google.com, Amazon.com and major bank domains use it. It shows in WHOIS/RDAP as the statuses serverTransferProhibited, serverUpdateProhibited and serverDeleteProhibited, and it prevents even a registrar employee, or an attacker holding your registrar credentials, from making changes without the registry's manual process. Overkill for most businesses.
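All three protections above (registrar lock, DNSSEC and registry lock) are visible from the outside in the domain's WHOIS/RDAP output, so they can be checked without logging in. The script below is an added example, not code from the page or from any registrar: it parses ICANN-format WHOIS text for a made-up domain (example-shop.com, with constructed status lines and a fixed audit date), reports which locks are on, whether a signed delegation exists, how close expiry is, and flags statuses such as pendingTransfer that mean a transfer or deletion is already under way.

```python
from datetime import datetime, timezone

# Constructed WHOIS output for a hypothetical gTLD domain (example-shop.com is
# made up; this is not real registration data). Field names follow the
# ICANN-mandated format that gTLD registrars and registries emit.
SAMPLE_WHOIS = """\
Domain Name: EXAMPLE-SHOP.COM
Registrar: Example Registrar Ltd
Registry Expiry Date: 2025-03-10T04:00:00Z
Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
Domain Status: clientUpdateProhibited https://icann.org/epp#clientUpdateProhibited
Name Server: NS1.EXAMPLE-DNS.NET
Name Server: NS2.EXAMPLE-DNS.NET
DNSSEC: unsigned
"""

# Fixed "today" so the sample audit is reproducible (an assumption for the demo).
AUDIT_DATE = datetime(2025, 2, 20, tzinfo=timezone.utc)

# All three server-side prohibitions together are what a registry lock looks like.
REGISTRY_LOCK_STATUSES = {
    "serverTransferProhibited", "serverUpdateProhibited", "serverDeleteProhibited",
}
# Statuses meaning something is already happening to the domain and needs a look today.
ALARM_STATUSES = {"pendingTransfer", "pendingDelete", "clientHold", "serverHold", "redemptionPeriod"}


def parse_whois(text):
    """Extract EPP status codes, the DNSSEC flag and the expiry date from WHOIS text."""
    statuses, dnssec, expiry = set(), None, None
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if not sep:
            continue
        key, value = key.strip().lower(), value.strip()
        if key == "domain status" and value:
            statuses.add(value.split()[0])  # value is "<code> <url>"; keep only the code
        elif key == "dnssec":
            dnssec = value.lower()
        elif key == "registry expiry date":
            expiry = datetime.fromisoformat(value.replace("Z", "+00:00"))
    return {"statuses": statuses, "dnssec": dnssec, "expiry": expiry}


def audit_domain(text, today=AUDIT_DATE, expiry_warn_days=30):
    """Report which protections are on and what needs attention."""
    info = parse_whois(text)
    statuses = info["statuses"]
    findings = {
        "registrar_lock": "clientTransferProhibited" in statuses,
        "registry_lock": REGISTRY_LOCK_STATUSES <= statuses,
        "dnssec": info["dnssec"] == "signeddelegation",
        "days_to_expiry": None,
        "warnings": [],
    }
    if not findings["registrar_lock"]:
        findings["warnings"].append("transfer lock OFF: enable it at the registrar")
    if not findings["dnssec"]:
        findings["warnings"].append("DNSSEC not enabled: no signed delegation at the registry")
    if info["expiry"] is not None:
        days = (info["expiry"] - today).days
        findings["days_to_expiry"] = days
        if days <= expiry_warn_days:
            findings["warnings"].append(f"domain expires in {days} days")
    for code in sorted(statuses & ALARM_STATUSES):
        findings["warnings"].append(
            f"status {code} set: transfer, deletion or hold in progress, investigate now")
    return findings


if __name__ == "__main__":
    for key, value in audit_domain(SAMPLE_WHOIS).items():
        print(f"{key}: {value}")
```

Feed it the output of `whois yourdomain.com` on a schedule and alert on any new warning; a pendingTransfer status or a transfer lock that is suddenly off is the earliest external sign of a hijack. Country-code TLDs often use a different WHOIS layout, so the field names would need adjusting there.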
Monitor Domain Changes
Set alerts: email notification for DNS changes, WHOIS updates, domain expiration and logins from a new IP. Also monitor from outside the account (periodic WHOIS and DNS checks run from your own systems), because an attacker inside the account can change the notification address before doing anything else. Early detection = quick response before damage is done.
Backup DNS Records
Export the DNS zone file quarterly and after every change, and keep the copy outside the registrar and DNS accounts. If DNS is hijacked (records pointed at the attacker's servers), you can diff the live zone against the backup and restore the correct settings immediately. Without a backup, reconstructing DNS settings from memory takes hours and misses records.
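The change monitoring and zone backup described above come together in a diff: keep the last good export, compare each new export against it, and treat any difference in traffic-carrying records as an incident. The following is an added example, not code from the page or from any DNS provider. It assumes a simple one-record-per-line zone export and uses two constructed zones for a made-up domain (example-shop.com, with RFC 5737 documentation addresses): the backup, and a live export in which the apex and www records have been repointed and an ACME validation record added.

```python
# Constructed zone exports for a hypothetical domain (example-shop.com and the
# addresses are made up). SNAPSHOT is the stored backup; LIVE is a later export
# taken after someone repointed the site.
SNAPSHOT = """\
$ORIGIN example-shop.com.
$TTL 3600
@        IN  NS   ns1.example-dns.net.
@        IN  NS   ns2.example-dns.net.
@        IN  A    203.0.113.10
www      IN  A    203.0.113.10
@        IN  MX   10 mail.example-shop.com.
mail     IN  A    203.0.113.25
@        IN  TXT  "v=spf1 mx -all"
"""

LIVE = """\
$ORIGIN example-shop.com.
$TTL 3600
@        IN  NS   ns1.example-dns.net.
@        IN  NS   ns2.example-dns.net.
@        IN  A    198.51.100.77      ; apex now points somewhere else
www      IN  A    198.51.100.77
@        IN  MX   10 mail.example-shop.com.
mail     IN  A    203.0.113.25
@        IN  TXT  "v=spf1 mx -all"
_acme-challenge IN TXT "abc123"      ; someone validating a TLS cert for the domain
"""

# Record types whose change can redirect traffic or mail, or break the DNSSEC chain.
HIGH_RISK_TYPES = {"NS", "A", "AAAA", "CNAME", "MX", "DS"}


def parse_zone(text):
    """Parse a simple zone export into a set of (owner, type, rdata) tuples.

    Handles $ORIGIN, $TTL, ';' comments, optional TTL and class fields and
    relative owner names. Multi-line parenthesised records and a ';' inside
    quoted TXT data are not supported.
    """
    origin = ""
    records = set()
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line:
            continue
        tokens = line.split()
        if tokens[0] == "$ORIGIN":
            origin = tokens[1].lower()
            continue
        if tokens[0] == "$TTL":
            continue
        owner, i = tokens[0].lower(), 1
        if tokens[i].isdigit():                      # optional TTL
            i += 1
        if tokens[i].upper() in ("IN", "CH", "HS"):  # optional class
            i += 1
        rtype, rdata = tokens[i].upper(), " ".join(tokens[i + 1:])
        if owner == "@":
            owner = origin
        elif not owner.endswith("."):
            owner = f"{owner}.{origin}"
        records.add((owner, rtype, rdata))
    return records


def diff_zone(backup_text, live_text):
    """Records present only in the live zone, only in the backup, and the risky subset."""
    before, after = parse_zone(backup_text), parse_zone(live_text)
    added, removed = sorted(after - before), sorted(before - after)
    return {
        "added": added,
        "removed": removed,
        "high_risk": [r for r in added + removed if r[1] in HIGH_RISK_TYPES],
    }


def rollback_plan(diff):
    """Actions that return the live zone to the backup: delete additions, re-add removals."""
    return [("delete", r) for r in diff["added"]] + [("add", r) for r in diff["removed"]]


if __name__ == "__main__":
    changes = diff_zone(SNAPSHOT, LIVE)
    for rec in changes["high_risk"]:
        print("HIGH RISK:", *rec)
    for action, rec in rollback_plan(changes):
        print(action, *rec)
```

Run it against each fresh export; an empty high_risk list means nothing that routes traffic or mail has moved. The rollback plan is the list you read back to the DNS provider (or apply via its API) to restore service while the account compromise itself is being handled.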
Registrar Reputation
Choose secure registrar. Namecheap, Cloudflare, Google Domains (before sunset), Hover have strong security records. Avoid registrars with history of hacks or poor security practices.
Separate Registrar and Hosting
Don't host the website at the same company as the registrar. If the hosting account is compromised, the attacker gains both website and domain control. With a separate registrar, the attacker needs two breaches.
Defense in Depth
Layer security: Registrar lock + 2FA + separate hosting + DNSSEC + registry lock (premium). Multiple layers mean single security failure doesn't lose domain.
Phishing Awareness
Fake "verify your domain" emails from spoofed registrar address. Link goes to fake login page. You enter credentials. Attacker steals them. Always navigate to registrar directly, never click email links.
Red flag: an email claims "domain expires tomorrow" when you know it doesn't. Urgency tactic. Check the registrar dashboard directly and ignore the email.
Recovery Process
If hijacked: 1) Contact the registrar immediately (most have an abuse or hijacking team), 2) Prove ownership (billing records, trademark registration, historic WHOIS), 3) Initiate a dispute; if the domain was moved to another registrar, a gTLD registrar can invoke ICANN's Transfer Dispute Resolution Policy to have it returned, 4) Expect 7-21 days recovery. Document everything, with timestamps.
Trademark Lens checks domain availability before registration - secure domain immediately after checking to prevent hijacking of unclaimed valuable names.