The short guide to domain security
- Keep all of your web accounts secure with hard-to-guess passwords. Add 2-step authentication where possible and never give out your domain account information to anyone.
- Employ anti-virus and spyware measures to prevent keylogging software capturing your login details and secure your domain and data from malware.
- Keep your domain contact information up-to-date with your registrar; it’s the best way to ensure you can be contacted if any suspicious activity occurs on your account.
- Keep track of when your domains need to be renewed and make yourself aware of the renewal process. Set a reminder to avoid your registration expiring and being snapped up by someone else.
- Add domain privacy to keep your contact information out of the public domain. Thieves can use this information to impersonate you or fool you into accessing your domain.
- Provide an extra level of security to your domain with a registry lock service. This prevents anyone transferring your domain without your permission.
- Be vigilant with your emails to avoid a phishing attack. Hackers can email claiming to be your registrar and such an email could contain a link to a replicate site where you enter your information for them to capture.
- Secure your site with SSL certification, enable DNSSEC for extra protection and add a firewall to prevent unauthorized access. Choose a reliable host, practice good server security, such as regular updates, and use a VPS to be extra safe.
Imagine the scenario, it’s midday, and the volume of visitors to your successful e-commerce site has dropped to zero. Typically, you’re making sales, but since business has come to a standstill, you’re losing hundreds, if not thousands of dollars an hour.
Admittedly, domain name security isn’t the most exciting consideration for website owners. However, given the rise in web-based attacks, domain security is more important now than ever before. Cyber crimes occur in increasingly clever forms because people don’t make basic security provisions to protect their domains. The internet is an attractive place for individuals who know how to exploit easily avoidable security gaps.
Although securing your website might sound difficult, a step-by step approach can shore up your defenses and deter hackers. If you’re wondering how to keep your domain secure and how to deter hackers, stick with us. We’ll guide you through tactics that your site visitors will recognize and improve your site’s standing with the search engines. Take proactive action by following our nine steps to keep your domain protected and appeal to your site’s visitors.
Security for Domains
Domain security is as important for your own protection as well as that of your site’s visitors. Internet users are increasingly aware of the pitfalls of cyber theft. They are concerned for their safety and privacy, and want to know how to spot an unsafe website. In the current climate, terms like “identity theft”, “hack”, and “spam” get thrown about routinely. There is nothing worse for a website’s reputation than a security breach which leaves not only the domain owner, but all related logins vulnerable.
Many domain owners overlook the security of their domain name when they are developing their general website security policies. But consider the aftermath of losing your domain, either through poor domain management or via hijacking. Aside from the damage to your business and reputation, the process of recovery can be painfully slow and expensive. Fortunately, there are several measures you, as the domain name holder can take to protect your domain name against theft and loss.
Know Your Enemy
Before learning prevention methods, it’s important to be familiar with the sort of threats your domain name is susceptible to. Anyone who successfully accesses the account you hold with your domain name registrar has the power to hijack your domain name. They may use it to divert your website visitors to their own site, or to access your email. There are a few methods that can be used to hijack a domain.
Domain hijacking, also referred to as pharming, is a form of online fraud similar to phishing, where a fraudster seeks to obtain information by redirecting a website’s traffic to another site. The alternative site was developed to steal information from users without knowing it. Hijacking in this way is a serious problem because it puts sensitive private information at risk.
Phishing tricks domain owners into thinking an email is from their legitimate domain registrar. They click on a link in the email which opens a replica site of their registrar, and they are asked to log in. Users enter their username and password into what looks like a legitimate website. This information is captured by the attacker.
9 Steps to Keep a Secure Domain
Securing your domain name is crucial to safeguarding your domain name’s settings and control panel. Anyone with bad intentions who accesses this area can change your email and website accessibility settings.
It’s not only illegal access you need to be vigilant of; you don’t have to be the latest victim of cybercrime to lose control of your website. It could be snapped up and in the hands of a new owner perfectly legally if you simply forget to renew it.
Follow these nine steps to shield your domain from unauthorized changes to your domain name settings or from unintentionally slipping out of your hands.
Step 1. Keep Your Accounts Secure
- Use strong passwords – A strong password isn’t necessarily a complex series of numbers, letters and symbols as we were lead to believe. This advice has been deprecated by the guy who came up with it. Instead, consider using a password manager such as Dashlane or Lastpass to create a random password that is harder to predict. Avoid using common names, birthdays, anniversaries, etc,. and, when you hire someone to work on your domain account, make sure to change the password when they leave.
- Be your own firewall – Anyone with access to your domain can potentially hijack it. Never give your account information to anyone, including your webmaster. If someone needs access to your hosting account login details, use the Account Administrator feature to grant access levels to anyone who needs to manage domain names in your account.
- 2 step authentication – Using two-factor authentication on your account involves a two-step login process. It adds another layer of security when you need to access your account, using a password as well as another step, such as SMS authentication. Yes, it might be irritating for yourself and your domain users, but without this type of safeguard, a hacker can easily transfer your domain into their control.
- Log in to your registrar account regularly – Check your account details are correct, or save yourself the hassle by purchasing Domain Monitoring. This service alerts your administrative email if any changes are made to your domain name’s settings.
- Secure Email – Keeping the email linked to your domain safe is key to keeping your domain secure. Ensure your password is complex and change it frequently. Make sure to use a secure email solution and not free services that come from your broadband or telecoms provider, that might expire with lack of use or when you change provider.
If your email expires, someone else could snap it up. This leaves this person free to impersonate you in correspondence with your registrar. They might even use the forgotten password feature to have the password emailed to them.
Step 2. Employ Anti Virus/ Spyware Measures
- Prevent key-logging – Install good antivirus/spyware software on your home computer, such as Bitdefender, to prevent key-logging software from capturing your usernames and passwords. Keep this software updated periodically to ensure your information isn’t handed to unauthorized persons.
- Keep applications up to date – To secure yourself from hackers you have to keep up to date with security updates. This will deter viruses and malware. Out-of-date security is the most targeted way to break your security and steal data. Bitdefender or Cybersmart will help with this also, as they scan your system for vulnerabilities and out of date software.
Keep all the applications on your web account — for example, your domain account and your CMS, such as WordPress, etc —up-to-date with the latest security patches so hackers can’t exploit it. Any MySQL database used by those applications must also be kept updated to the latest version.
Step 3. Keep Your Registration Records Up-to-date
Keep your domain contact information accurate with your registrar. If you move, update your information immediately. It’s not only a legal requirement from ICANN, but keeping up-to-date records is also the best way to ensure your registrar has a way of contacting you if any suspicious activity occurs.
Make sure you are available to receive notifications so that your registrar will be able to immediately alert you if there are any changes made to your account. This forewarning gives you the chance to halt a pending transfer.
- Whenever there are any changes to the contact details that you have been using for domain name transfer communications, let your registrar know.
- Keep your emergency and business contact information up to date.
Step 4. Keep Track of Domain Renewals
The easiest way to lose a domain is by failing to renew it. After going through the process of buying a domain and creating a website, you will want to avoid your registration expiring. This is why you must make yourself fully aware of the renewal process for your domain. The most common arrangement is yearly renewal conducted automatically; however, it can vary from one registrar to another.
A simple way to avoid your domain being snapped up by someone else is by setting up a reminder. Many registrars allow you to renew domains for up to ten years in advance. The problem with anything you don’t regularly do is it is more likely to slip your mind. Consider setting a recurring reminder on your desktop annually. Another helpful tip is to synchronize domains, so they expire on the same date. Many domain registrars allow this, which makes things easier when you manage more than one.
Step 5. Add Domain Privacy
WHOIS is a public database the supplies its users with information regarding domain name ownership. All website owners are obliged to provide correct contact information to their registrar. The information provided with your domain registration is associated with the domain name, and a WHOIS record is created.
Anyone using the WHOIS search used to be able to access your contact information by searching the WHOIS database, however this is no longer legally allowed since the implementation of GDPR, but not all registrars follow the rules.
Thieves are after this information in particular because they can use your contact details to impersonate you and attempt to transfer your domain to a new owner. Alternatively, they might contact you to try fool you into revealing your account password.
If you don’t want this contact information available, opt for private domain registration. Domain privacy is a valuable add-on service most domain registrars provide for site owners who don’t want their contact information available publicly. The domain registrar will simply swap their contact details with yours. For example, if you are using Namecheap’s WhoisGuard, anyone wanting to contact you will have to talk to Namecheap first.
Step 6. Lock Up Your Domain
- Permission to make changes – Most registrars offer a registry lock service to provide an extra level of security for domain name holders and their customers. Setting up a registrar lock (also known as domain lock and transfer lock) prevents anyone transferring your domain without your permission.Consider the worse case scenario: someone with bad intentions accesses the control panel used to activate your domain.
This area includes information about your domain’s nameservers, information which helps the DNS located your domain. If someone was to edit this information, they could drive traffic trying to reach your site somewhere else.For a small fee, your registrar can apply a registry lock. Using a registry lock is similar to identity theft protections that block anyone using your credit card, without the special authorization of the card owner.
Similarly, registrars are unable to make changes to your site’s DNS information without manual authorization from the registry.
- Use a domain authorization code – An Extensible Provisioning Protocol, known as EPP, provides an extra layer of security at the time of domain name registration.
A unique Authorization Information Code (AIC) is assigned by the registrar to the new domain owner. This code is needed to transfer the domain from one registrar to another. Keep your AICs secure and confidential for effective protection from unwanted domain transfers.
Step 7. Be Vigilant with Emails
People will use creative tactics to get your to disclose your domain account details. A popular method adopted by hackers is to send an email which looks just like one you would get from your domain registrar. The e-mail will ask your to click on a link that takes you to a close replica of your registrar’s website. Once you enter your information, it can be captured. If you log in through a phishing link, you might lose access to your account.
Avoid this by being vigilant about the following:
- Be suspicious of emails claiming to be from your registrar
- Don’t access your domain account directly from your email
- Always enter the registrar’s address manually in your browser before logging in.
Step 8. Secure Your Site
- SSL certification – SSL protection is one of the best-known security features you can get. Protect your customers against identity theft with an SSL Certificate. A customer’s sensitive information, such as their name, bank account information and billing address is encrypted during transmission from their computer to your domain web server.
This process ensures that their information can’t be stolen. TLS, the less well-known acronym, is a similar security protocol which succeeded SSL.Customers will see they have accessed a secure website as they will see https:// at the beginning of its URL. If you’re conducting ane-commerce business or have access to any sensitive customer information, SSL technology is a must.
Even casual internet users recognize it. You don’t need advanced computer knowledge to set this up, your host will likely provide shopping cart functionality to conduct secure transactions, for example. Another perk of SSL or TLS certificates installed on your computer is that it is a positive factor in how your site is viewed by Google.
- Enable DNSSEC – DNSSEC is a complicated topic that relates to the domain name system used to translate domain names into numeric internet addresses.
When the DNS was first implemented, it wasn’t secure, and several vulnerabilities were discovered. The threat of name spoofing is an example. Name spoofing is when someone can intercept communication between you and a customer, and comes between the two parties hoping to victimize the customer.Domain name system security extensions (DNSSEC) were created to tackle this problem.
They are a set of protocols that add an extra layer of protection to the domain name system to prevent against unauthorized DNS hosts.
- Reliable hosting – Hosting should be at the forefront of your battle against cyber crime. Check that your host is doing enough to ensure your site is secure from their side of things.
- VPS – To be extra safe, use a VPS. Your domain exists on a slice of a much more powerful server in a secure data center. Unlike shared hosting, your domain is allotted a guaranteed amount of system resources.
- Practice good server security habits – Performs regular updates on your CMS, disable unused services, plugins, widgets, etc., and control remote access.
- Firewalls – Firewall the server so you can only access it from known safe locations/networks.
Step 9. Choose the Right Registrar
Don’t register your domain with the first registrar you come across. Be sure the registrar is authorized to sell domains, has a good reputation, and is trustworthy. When choosing a registrar, look beyond the price point alone; you need a quality service with good support.
Make sure your registrar provides additional security measures such as:
- 2-factor authorization.
- Notification of account changes, such as a pending domain transfer, which gives you time to respond before a domain is moved.
- Readily available, knowledgeable technical support to assist implementing your domain name security.
- Trained customer service agents who screen callers so no one can impersonate anyone in order to access an account.