Domain security best practices

Protect your digital assets

This post was originally published on May 6, 2016, and was updated on September 5, 2019.

Why is domain security something you should care about?

In today’s world, your virtual property is sometimes more important than your physical real estate. Don’t believe me? Imagine for a minute that someone stole your main domain — the domain name that’s the online address for your business website or the anchor of your business email address.

What will happen to your livelihood if you have to put the brakes on doing business online while you rebrand and market your new domain?

Even if your domain name is not an investment-grade name such as computer.com, its loss would likely have a significant impact on your business.

For example, you will lose access to your domain-based email account (e.g. info@yourbusiness.com) if your domain name is stolen or otherwise inaccessible. What happens if your email is set up to receive the password reset for your bank, or brokerage, or something equally important?

That’s why domain security is critical.

5 domain security best practices

Follow these guidelines to safeguard one of your business’s most valuable assets, your domain:

  1. Register your domain name in your own account.
  2. Use a strong password.
  3. Enable two-factor authentication.
  4. Protect your email address.
  5. Beware of phishing attempts.

Ready to strengthen your domain security? Let’s go!

1. Register your domain name in your own account

I cannot overstate the importance of registering the domain name in your own account and with your own identity.

You can give a trusted employee or webmaster access to the domain without giving them access to your actual account.

That way, for example, your technical people can access your domain (or hosting) to work on your website without having the ability to remove those products from your account.

This is by far the most common issue we see when people lose access to their domain.

Many people turn to others — like employees, webmasters and more tech-savvy friends or family members — to register the domain for them and set up their website or email. Years pass and life happens. Friends move away, employees move on to other jobs … the circumstances of life wind up distancing you and the other party when the domain comes up for renewal.

It is not uncommon to register a domain for five to 10 years. When it comes time to renew the domain, your credit card on file with the domain registrar is no longer valid and you cannot contact the person who set up the account for you to gain access to your domain.

Most people do not think about the ownership piece of domain registration.

 

Just because you pay someone to register the domain for you does not mean that the domain is yours.

Keep Whois records updated

Whois Search GoDaddyThe domain registrant (e.g. you) is the person or entity registering a specific domain name from the domain registrar (e.g. GoDaddy).

All registrars certified by the Internet Corporation for Assigned Names and Numbers (ICANN), including GoDaddy, list public domain name registration information on the Whois database. The Whois listing includes registrant and other domain name contact information.

It’s vital to keep the Whois record updated and accurately reflecting you or your company as the owner in the Registrant field.

That way if you ever have an issue getting into your account, or getting to your domain, you can prove you own the domain by providing the correct documents to show you are indeed the registrant.

If you need to update your Whois information, it is easy to do.

If you’re a GoDaddy customer, here’s how you can share access to your products but not to your main account.

2. Use a strong password

The next domain security best practice is a big one: protect your account by using a strong password — one that’s nearly impossible to guess or hack to gain access to your account. And make your life easier by using a password manager.

You should also use different passwords for each account you have.

 

Do not, for instance, use the same password for your domain account as you do for your email account. If you use the same password in multiple places, it makes it easier for someone to gain access to your other accounts.

Use this free online tool to check if you have an account that has been compromised in a data breach.

Related: 10 best practices for creating and securing stronger passwords

3. Enable two-factor authentication

Sometimes, even with a strong password, bad people can hack into your account through a tricky technique like malware or phishing.

Enable two-factor authentication for an added layer of security.

 

Also known as two-step verification, two-factor authentication works like this:

When you enter your password, a separate, unique code will be sent to your smartphone. You’ll enter the new code, in addition to your password, each time you log into your account.

This means a bad action would need both your password and access to your phone at the same time in order to access your account.

You can use your phone number to get a text message, but thieves have been able to trick phone companies into porting your phone number to their phone. The current best practice is to use an app such as Google Authenticator, which means the thieves would have to have physical access to your device in order to get the code delivered to them.

Pairing a strong password with two-factor authentication greatly increases your protection online.

Here’s how to enable two-step verification on your GoDaddy account.

Use a hardware security key

Domain Security YubiKey
YubiKey 5Ci, courtesy of Yubico

Two-factor is a great solution for most people, but if you really want to kick your security up a notch, a hardware device for two-factor login is currently the safest account access method you can use.

A device like a YubiKey or Google Titan is your best bet.

 

These are small physical devices that you need to have with you to gain access to your account after entering the correct password. If you do not have this device, you are not getting into the account.

You cannot easily copy or fake your way into an account via malware, or a hack, or social engineering. You need the device to get in.

This can be problematic if you ever lose the device or do not have it with you when you need to access an account. In that case, you must contact each company you have an account with and go through a typically cumbersome process that involves proving to them beyond a shadow of a doubt that you are the person you say you are.

Here’s how to add a hardware security key for two-step verification on your GoDaddy account.

4. Protect your email address

Take the extra step to safeguard the email address tied to your account.

If someone is able to get into your email, many times they have carte blanche to all your valuable accounts, including your domain name.

It only takes a few clicks to get a password reset … and your account is compromised. This is why enabling two-factor on your accounts — including your email accounts — is so important.

It is also critical to update the password on your email accounts regularly in case one of the email providers is compromised or if you are reusing your passwords in multiple places.

Related: How to spot a fake email and what to do if your email is hacked

5. Beware of phishing attempts

If you use email (and who doesn’t?), you could get targeted by an email phishing attempt.

Beware of any email you receive that asks you to click a link that brings you to a screen to enter your username and password.

 

It is always better to go directly to the website in question, verify its authenticity, and log in that way.

It used to be relatively easy to spot phishing emails, but they have become more sophisticated. Here’s what you need to know to protect against today’s phishing scams.

Pro tip: Use one email for your important accounts and another for anything that is public, such as the Whois record on your domain. Use a separate email account or purchase domain privacy, which hides your real information on the Whois so it is harder for people to trick you with a phishing attempt.

Conclusion

Unfortunately, many people do not think about protecting their domain until it is too late.

While domain theft is rare, it is always better to be safe than sorry.

 

It’s more common to have access to your domain name removed through less nefarious means, which have nonetheless the same impact on your bottom line. A common scenario? An employee sets up your domain and email, then leaves the company — without leaving you access to your domain account when it comes time to renew it or make a change to the website.

As scary as these scenarios are, there is good news: By following these domain security best practices, you can protect your digital assets like a pro.

Joe Styler
Joe Styler serves as product manager for the aftermarket at GoDaddy. He’s responsible for marketplace products including any purchase, sale, or monetization of a domain name. During his nine-year tenure at GoDaddy Joe has served in a variety of directorial and supervisory roles. His passion is seeing his customers become successful in their business goals when using the aftermarket. He has been interested helping people with transactions on the Internet for more than 20 years. Joe received his B.A. from Moody Bible Institute in Chicago, and his Masters in Divinity from Gordon Conwell in Massachusetts.