How to protect your domain from getting hijacked

Home / Everything About / Everything About Domains / How to protect your domain from getting hijacked

The consequences of losing a domain are immediate and serious. Your website goes down, your email stops working, and any visitor who types your address lands somewhere you do not control. For a brand that has built its reputation around a specific name, the damage extends well beyond the technical disruption. Recovering a hijacked domain is possible, but it is slow, uncertain, and sometimes unsuccessful. The far better approach is to make hijacking difficult in the first place.

What is domain hijacking?

Domain hijacking is when someone takes control of a domain you own without your permission. The attacker either transfers the domain to a different registrar, changes the domain's ownership to a different account, or takes both steps in sequence. Once the transfer is complete, you lose the ability to manage the domain, renew it, or point it to your server.

It is different from domain squatting, where someone registers a name similar to yours. Hijacking targets a domain you already own and have built your brand around. The attacker's goal is usually to sell the domain back to you at an inflated price, hold it for ransom, redirect your traffic, or take over your email to access other accounts linked to that address.

To understand why this is possible, it helps to understand how a domain transfer works normally. When you move a domain from one registrar to another, you provide an authorization code and confirm the request. The transfer takes several days to complete and can be cancelled during that window. Hijackers exploit this process by getting into your registrar account or your email address, authorizing the transfer themselves, and completing it before you notice anything is wrong. You can read more about how the transfer process works in the chapter on what is a domain transfer.

How does domain hijacking happen?

Hijacking almost always starts with one of four entry points. Closing all four is how you protect yourself.

Phishing attacks targeting your registrar login

The most common method is a phishing email that mimics a message from your domain registrar. The message might warn you that your domain is about to expire, that a suspicious login was detected, or that you need to verify your account. The link in the email leads to a fake login page that captures your username and password. With those credentials, the attacker logs into your real account and initiates a transfer.

Phishing emails targeting domain owners have become highly convincing. They copy the exact branding and language of real registrar communications. The only reliable defense is to never click links in emails that ask you to log in. Instead, open your registrar's website directly from your browser and check your account from there.

Compromised email accounts

Your registrar account is only as secure as the email address tied to it. If an attacker gains access to your email, they can use the "forgot password" function on your registrar to reset your login and take over your account. This is why your registrar contact email is one of the most sensitive assets you own. A weak or reused password on that email account creates a direct path to your domain.

Weak or reused passwords

A weak password on your registrar account is an open invitation. Attackers use automated tools that take username and password combinations leaked from other data breaches and try them across registrar login pages automatically. If you reuse a password from any other service that has ever been compromised, your domain is at risk.

Social engineering attacks

Some hijackers bypass technical methods entirely and contact your registrar's customer support team directly, pretending to be you. They claim to have lost access to their account and ask support to reset the credentials. If your WHOIS contact information is publicly visible, they already have your name, email, and address to support their claim. This is one of the reasons that WHOIS privacy matters for domain security, a topic covered in the previous chapter on what is WHOIS privacy.

What are the consequences of domain hijacking?

The effects of a successful hijack spread further than the domain itself. Your website goes offline the moment the attacker changes the DNS settings. Visitors get errors or land on a page you did not create. Email sent to your domain either bounces or goes to the attacker's inbox, including password reset emails from any service you have tied to that address. Every account that uses your domain email becomes exposed.

The brand damage compounds quickly. Customers who try to reach you cannot. Partners who send emails get no response. If the attacker puts up a fraudulent page at your domain, visitors may be deceived or have their data stolen, and your brand's name will be associated with that experience.

Getting the domain back through ICANN's dispute process or a court order can take weeks to months. There is no guarantee of recovery. Some domains are transferred to registrars in countries where disputes are difficult to pursue, and some attackers sell domains on quickly enough that the trail becomes complicated. The longer recovery takes, the more a brand's search rankings and email reputation degrade.

How do you prevent domain hijacking?

Prevention is straightforward. Each of the measures below addresses one of the entry points attackers use. Together, they make hijacking your domain significantly harder than targeting someone who has not taken these steps.

Keep registrar lock (transfer lock) enabled

Registrar lock, also called transfer lock or domain lock, is a status setting that prevents your domain from being transferred to another registrar until you explicitly disable it. When the lock is on, any transfer request is automatically rejected. Most registrars provide this feature and leave it off by default, which is the opposite of what you want.

Log into your registrar account right now and check whether your domain's lock status is enabled. If it is off, turn it on. The only time you should turn it off is when you are actively in the process of transferring the domain yourself, and you should turn it back on the moment the transfer is complete.

Use a strong, unique password for your registrar account

Your registrar account password should be long, random, and used nowhere else. A password manager makes this easy. Generate a password of at least 16 characters and store it in a password manager rather than writing it down or trying to remember it. Never reuse a password from any other service for your registrar login.

Enable two-factor authentication on your registrar account

Two-factor authentication (2FA) requires a second piece of verification, typically a code from an authentication app, in addition to your password when logging in. Even if an attacker obtains your password through a phishing attack or a data breach, they cannot access your account without also controlling your second factor. Most major registrars support 2FA. If your registrar does not, that is a reason to consider switching to one that does.

Use an authentication app rather than SMS-based verification where possible. SMS codes can be intercepted through attacks where someone tricks your mobile carrier into moving your phone number to a device they control. An app-based authenticator is more resistant to this.

Keep your WHOIS contact email secure and accessible

The email address on your domain's WHOIS record is the address your registrar uses to send transfer confirmation requests. If an attacker initiates a transfer, a confirmation email goes to that address. If you no longer have access to that address, or if the attacker controls it, the transfer can go through without your knowledge.

Use a dedicated email address for your domain registration, not a personal email you might abandon or a shared inbox that others can access. Make sure the account has a strong password and 2FA enabled. Check it regularly enough that you would notice a transfer confirmation email before the transfer window closes.

Enable WHOIS privacy to reduce social engineering risk

When WHOIS privacy is disabled, your name, email address, phone number, and mailing address are publicly searchable in the global WHOIS database. That information gives a social engineer everything they need to impersonate you when contacting your registrar's support team. WHOIS privacy replaces your personal contact details with generic registrar contact information, removing the raw material for this type of attack.

The full details of how WHOIS privacy works and what it protects are covered in the previous chapter on WHOIS privacy. If it is not already enabled on your domain, enabling it now removes one more risk.

Register your domain with a reputable registrar

Not all registrars have the same security standards or customer support practices. A registrar with rigorous identity verification, clear escalation procedures for account disputes, and strong 2FA support is less likely to hand your domain over to someone impersonating you than one that relies on minimal verification. Registering a domain through a budget provider to save a few dollars creates a security trade-off that is not worth making. The chapter on how to register a domain covers what to look for when choosing a registrar.

Keep your domain registration renewed before it expires

An expired domain is a vulnerable domain. When your registration lapses, the domain enters a grace period and then becomes available for anyone to register. Attackers monitor expiring domains, especially those with established brands and backlinks, and register them the moment they drop. At that point, recovering the domain requires negotiating with whoever registered it, which may be expensive or impossible.

Enable auto-renewal on every domain you own. Set a calendar reminder at least 60 days before expiry as a backup. Make sure your payment method on file is current so auto-renewal does not fail silently. If you want to understand the full expiry timeline and what happens at each stage, the chapter on what is domain expiry and how to check it covers each phase in detail. The chapter on how to buy a domain name permanently covers long-term registration strategies that reduce expiry risk further.

What should you do if your domain has been hijacked?

Speed matters. The sooner you act, the better the chance of recovery. Here is the order of actions to take.

Contact your registrar's support team immediately and report the unauthorized transfer. Provide as much documentation as you can, including original registration receipts, payment history, and any correspondence showing you as the rightful owner. Registrars have procedures for handling hijacking reports, and they can sometimes freeze or reverse a transfer if it was initiated recently and has not fully completed.

If the domain has already been transferred to another registrar, file a complaint with ICANN through its transfer dispute process. This process is specifically designed to handle unauthorized transfers and can require a registrar to reverse one. This process typically takes 30 to 60 days and requires documentation of ownership.

In parallel, document everything. Screenshot your registrar account, any emails you received, and any changes visible in WHOIS. This documentation supports both the ICANN complaint and any legal action you may need to take.

Change the password and enable 2FA on your registrar account and your WHOIS contact email immediately, even if the domain has already moved. If an attacker compromised those accounts, leaving them open exposes other domains you own and allows the attacker to interfere with any recovery attempt.

How long does recovery take?

Recovery time varies significantly depending on how quickly you act, how cooperative the receiving registrar is, and whether the domain has changed hands more than once. ICANN's formal dispute process takes weeks to months. Voluntary cooperation from the receiving registrar can accelerate this, but it is not guaranteed. Legal proceedings through a court order take longer still and carry no certainty of success.

Domain hijacking is harder to recover from than most security incidents because there is no "undo" button. A compromised password can be reset. A hacked email account can be recovered. A transferred domain is under the control of someone else, in a different account, possibly at a different registrar in a different country. The original registration documents help, but they are not always sufficient on their own.

This is why the prevention steps above matter more than the recovery steps. The goal is to make hijacking your domain so difficult that an attacker moves on to an easier target. If you want to avoid the most common mistakes that leave domains exposed in the first place, the chapter on domain name mistakes to avoid covers the broader patterns that put domain owners at risk.

How WEMASY handles domain security

When you register a domain through WEMASY, transfer lock is enabled by default on all domains. WHOIS privacy is included with every registration at no additional cost. Your domain registration is tied directly to your WEMASY account, which supports two-factor authentication, so access to your domain management requires both your password and your second factor.

Auto-renewal is on by default for all domains registered through WEMASY, and renewal reminders are sent 90, 60, and 30 days before expiry so there is no risk of a missed renewal. See what is included with each plan at WEMASY pricing.

Frequently asked questions about domain hijacking

Can a domain be hijacked even if I have not done anything wrong?

Does registrar lock prevent all types of domain hijacking?

What is the difference between domain hijacking and DNS hijacking?

If my domain is hijacked, will Google deindex my site?

Should I register my domain at the same place I host my website?

The next chapter covers SSL certificates and domains, including what an SSL certificate does, how it connects to your domain, and why it affects how visitors and browsers perceive your site.