Domain Hijacking and How to Protect Yourself


A website’s domain name is the web address that people type into their browsers to visit the site.

For example, Amazon’s domain name is www.amazon.com.

A domain name is usually some form of the business name and a huge part of a business’ identity. People type it in when they access your website, and they see it at the top of their browser on every visit.

That’s why your domain name is one of the most valuable assets you own—if it didn’t exist, people wouldn’t be able to access your website.

Being such a big part of your business’ identity, your domain name requires careful protection. If someone else takes control of your domain, that can cripple your online presence in a way that’s hard to recover from.

What Is Domain Hijacking?

When you buy a house or a car, you buy it in your name. You become the rightful owner. And because of that, you can live in your house and drive your car.

Similarly, your domain is also purchased in your name. That’s what makes you its owner and gives you the right to use that domain for your website.

But legally purchasing a domain name doesn’t mean it’s safe from hackers. By using a variety of unethical or illegal tactics, a hacker can transfer the ownership of your domain from your name to someone else’s, and effectively gain control of your domain.

That’s called domain hijacking and it’s something you should be aware of and take preventive measures against.


How Does a Domain Get Hijacked?

To understand how a domain gets hijacked, you first need to understand how domains work. 

A domain name is purchased from a domain registrar or a hosting provider that will give the buyer access to settings that control the domain. The buyer can specify all the domain details, ensuring that it’s clearly defined who the owner of record is, and identifying the website that the domain should direct to.

No one, aside from the domain owner, can access those settings.

At least that’s how it’s supposed to work.

To access domain settings through your hosting provider or domain registrar, you need to enter two things: the username and password you set up when purchasing the domain. 

The username is very often the buyer’s email address. Nothing could be easier to find! All a hacker needs to do is look up your website in the WHOIS directory.


Then, they will need to get a hold of the password that you set up for your domain account. There are many ways a hacker can get your password, or at least gather personal information that will help them break into your domain account. Here are two common tactics:

  • If a hacker can get into your email account, for example, they can simply bring up your domain account login page, click on the “Forgot your Password?” link, and impersonate you by responding to the confirmation emails.

  • Phishing Emails: Hackers may send a phishing email to trick you into revealing your domain account credentials. The email might look like an important communication from your registrar or hosting provider, one in which they ask for information related to your domain account. Hackers do this because a percentage of people fall for it and give up crucial information.

These are just a couple of ways your domain can get hijacked. In the next section, we’ll go over some things you can do to protect it.


6 Ways to Safeguard Your Domain

Fortunately, there are many ways you can prevent your domain from being hijacked. In this article, we will show you six protective measures to keep hackers locked out.

1. Choose a Reputable Domain or Hosting Provider

The worst thing you can do is go for a domain provider that gives you a domain for free or charges extremely low rates. 

There’s a good chance that in order to give you a free or nearly-free domain, a provider will have to skimp on crucial security safeguards and use cheap hardware to store your website and domain information. Because of that, there’s a greater possibility that your sensitive information could leak out or your domain could be hijacked.

A better option would be to use a nationally renowned domain provider. You can be sure they will protect your domain and will keep it safe from hijackers.

If you deal with a reputable hosting provider to get your domain, it won’t be that expensive, and you’ll know that your domain is managed by a company that takes security seriously.

2. Always Register for a Domain in Your Own Name

One of the biggest mistakes you can make is asking someone else to buy a domain name for you. If you’ve done that, contact the person who is listed as the owner of your domain and ask them to transfer the ownership to you immediately.

Not owning your domain under your name can easily lead to the domain being hijacked, because you won’t be able to prove that you own the domain.

Even if you know and trust the person who owns your domain, that person may be the target of hackers. If that happens, by not being the domain owner, you’ll be left powerless to do anything about it. 

Take the wiser path and always use a domain that’s registered under your name. 


3. Don’t Keep Sensitive Domain Information in Emails

A few years ago, 25 million hacked Yahoo! and Gmail accounts were being sold on the dark web.

So, can your email be hacked? Yes, there is a chance, however slight. 

Your email is not a safe place to keep domain account login credentials or any other details. If you receive emails from your provider that contain that type of information, move it to a secure location, preferably in a physical diary or an isolated phone app.

4. Use a Strong Password and Two-Factor Authentication

One of the easiest ways to lose your domain is to use weak passwords to safeguard your domain and email account. Always make sure you’re using a strong password that has a mix of lowercase and capital letters, numbers, and symbols.

Additionally, since your domain and email accounts are especially sensitive, make sure the passwords you’re setting for those accounts are different from the ones you use elsewhere on the internet.

Last but not least, you should enable two-factor authentication on your domain and email accounts. 

Even if someone knows the password to your account, they won’t be able to access it unless they also have the security code that gets sent to you via email or text message.

Taking these two password precautions can make it much harder for anyone to hijack your domain. 


5. Don’t Share Domain Details with Anyone

You might think it’s easier to hand over your domain details to your web designer or developer so they can set it to redirect to your new website.

That’s not safe to do. 

In those types of engagements, issues over payment and work agreements may come up between you and your web developer. If things get ugly, the person may hold your domain hostage until you agree to their terms.

It’s best to take a proactive approach, handling all the high-level domain administration tasks yourself.

With a bit of research into how you can get your domain name to redirect to your website, you’ll find that it’s not that complicated. And, when you do it yourself, you’ll have the peace of mind that comes from knowing your domain can’t get hijacked by an unscrupulous web designer or developer.

6. Enable Domain Privacy Protection

The easiest way a hacker can obtain information about your domain and who owns it is through the WHOIS directory. This is a public directory where domain ownership information is available to anyone. 

Its original purpose was to make it easier for people to seek out domain owners so they could legally buy a domain or put advertisements on them.

Unfortunately, hackers use the WHOIS database to target domain owners by finding out their names and email addresses.

The good news is, by paying a small amount to your domain provider, you can keep your details from appearing in the WHOIS directory. The feature is called Domain Privacy Protection and it’s offered to everyone who buys a domain.

Check your domain account. If you aren’t taking advantage of this service, you should buy it and enable it. It’s a vital step in ensuring that your information doesn’t get revealed when someone searches for your domain in the WHOIS database.
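
As an added example (not HostPapa's code), the Python sketch below audits a WHOIS record for the exposure described in this section and in "How Does a Domain Get Hijacked?": contact emails that are public, especially one that doubles as your registrar login. The sample records, field labels and masking keywords are constructed assumptions; real WHOIS output varies by registrar.

```python
import re

# Constructed sample WHOIS responses (example.com / example.net are reserved names).
EXPOSED = """\
Domain Name: EXAMPLE.COM
Registrant Name: Jane Owner
Registrant Email: jane@example.com
Admin Email: jane@example.com
Tech Email: webmaster@example.com
"""

PROTECTED = """\
Domain Name: EXAMPLE.NET
Registrant Name: REDACTED FOR PRIVACY
Registrant Email: Please query the RDDS service of the Registrar of Record
Admin Email: example.net@privacy-proxy.invalid
"""

# Heuristic markers (assumed) that a contact value is masked or proxied.
MASK_WORDS = ("redacted", "privacy", "proxy", "withheld", "not disclosed")
FIELD_RE = re.compile(
    r"^[ \t]*(Registrant|Admin|Tech|Billing)[ \t]+(Name|Email):[ \t]*(.*)$", re.I | re.M)
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def audit_whois(record, login_email=None):
    """Return (field, value, severity) for contact fields that expose personal data."""
    findings = []
    for role, kind, value in FIELD_RE.findall(record):
        value = value.strip()
        field = f"{role.title()} {kind.title()}"
        if not value or any(w in value.lower() for w in MASK_WORDS):
            continue  # empty, redacted, or routed through a privacy service
        if kind.lower() == "email":
            match = EMAIL_RE.search(value)
            if not match:
                continue  # placeholder text instead of an address
            email = match.group(0).lower()
            if login_email and email == login_email.lower():
                findings.append((field, email, "HIGH: matches registrar login"))
            else:
                findings.append((field, email, "MEDIUM: public contact email"))
        else:
            findings.append((field, value, "LOW: owner name is public"))
    return findings


if __name__ == "__main__":
    for label, rec in (("exposed", EXPOSED), ("protected", PROTECTED)):
        print(label, audit_whois(rec, login_email="jane@example.com"))
```

A HIGH finding means the public record hands out half of your login; change the account email to a dedicated address or enable privacy protection, then re-run the audit against a fresh lookup of your own domain.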


What to Do If Your Domain Has Been Hijacked

If your domain account has already been hijacked, the protective steps we’ve covered will still come in handy, but only after you’ve regained control of your domain. Before we wrap things up, we’ll cover two strategies to help you do that. 

When a domain is transferred from one person to another, it takes 60 days for the ownership change to become final. This means you have ample time to present your case to:

  • Your domain registrar: Your registrar is the company from which you bought the domain. Contact them as soon as your domain gets hijacked and tell them you didn’t initiate the ownership transfer request. Then follow whatever instructions they give you.
  • ICANN: You can submit a complaint to ICANN regarding your domain name hijacking. But be warned, their experts might ask you for documentation, i.e., proof that you are the rightful owner of the domain.

If these two strategies don’t work, you can get in touch with a lawyer and present your case in court. Hopefully, it won’t get to this.

Have you ever had to deal with someone trying to steal your domain?

María is an enthusiast of cinema, literature and digital communication. As Content Coordinator at HostPapa, she focuses on the publication of content for the blog and social networks, organizing the translations, as well as writing and editing articles for the KB.
