Has Someone Taken Your Domain Name Hostage?
I don’t love cleaning house. Maybe you feel the same way and just don’t want to deal with it, so you hire a housekeeper. Would you let her change the locks and put the deed to your house in her name?
That’s what a lot of businesses do with their web and IT managers. It’s easier to let someone else do the heavy lifting. But it’s a bad idea to give your tech support people total control over your domain unless you’re eager to pay whatever “transfer” fees they feel like charging you―or are prepared to buy a new domain, rebrand, and rebuild your search engine reputation. What a waste of time and money.
Minimally, there are two things you have to do to protect your domain name:
- maintain current login information with a robust password, and
- make sure you’re listed as the Registrant of your domain (dive in to learn more)
A lot of my clients trust me to not only manage their web presence but also to archive their logins. This is both burdensome and flattering. I enjoy feeling like I’m a person people can trust, especially since I get a good portion of projects through other client referrals. But as it turns out, people are willing to trust total strangers to avoid having to deal with “computer issues” they’ve decided are over their heads. Let me tell you a story and then I’ll break a few things down to help you avoid a similar sitch.
The Uh-Oh Scenario
A couple of weeks ago, a new client called me asking for help transferring his domain to a new registrar and web host because he could no longer afford his old web manager who was charging the equivalent of a monthly premium car payment. He also wanted a redesign of his website. I got busy on the redesign while he gathered some details, including his domain login information. Monday, he called in a panic to let me know that the contract had expired on his old web management, and he needed to transfer the domain today.
Unfortunately, domain transfers can take up to a week. But his request just didn’t make sense. Why would he need to transfer his domain which wasn’t due to expire for another two years? It was his web managing and web hosting arrangement that was expiring, not his domain registration. Why couldn’t we just point the domain to a new web host?
I discovered that his old web manager had changed my client’s domain registration so that the web manager was now listed as the owner of the domain. This manager had also just charged my client $100 to “transfer” the domain back to him. Except the domain was not transferred to a new registrar, nor had my client received new login information for the domain control panel, nor was the domain registration information updated to list my client as the rightful owner of the domain―which he registered at least two years before he ever heard of, let alone hired, his old web manager.
Basically, the $100 transfer fee was the web manager’s attempt to sell my client’s domain name back to him. At least, that’s the way it looked to me since his access to his own domain name was contingent on his payment of this fee.
Some tech folks modify the domain registration for expediency, or they don’t fully understand the implications of listing themselves as a domain Registrant or know that they never have to revise the domain registration information to actually manage domain records. These tech guys simply change the domain information back and send you the login without trying to charge you an extra fee for it. The ones who try to charge you to give you back your property are probably trying to cheat you. And I hate to say it, but you just need to go with it. It’s more cost and time effective to be polite and compliant, at least until you regain control of your own domain. If you’re still upset after that, you can complain to the web manager, demand your “transfer fee” back, write a review, or use social media to caution other potential clients. Just be sure you can back up whatever you say about a business that can negatively impact their reputation.
? Focus on regaining control and ownership of your domain name. Get current login information and an update to the Whois domain registry.
What is WhoIs?
WhoIs is a database that lists contact information for a domain’s Registrant (owner), its Administrator, and its Technical Contact. The Technical Contact is where you could expect to list an IT person or web manager but never under Registrant. And especially because WhoIs offers a place for your technical contact, a web manager never needs to change the WhoIs Registrant information to himself. In fact, all the web manager ever needs is access to your DNS records (which I explain in the next section) to point to your web server, to enter your mail server or MX records, or to manage other records your business needs to be able to use your domain for web, email, or remote connections.
? If you already have a domain, you can review your Whois records through your Registrar’s Whois section, or through several available Whois search domains. Here is what Amazon.com’s Whois information looks like on https://whois.icann.org/en:
What are DNS Records?
The Domain Name System (DNS) is a network of servers (DNS servers) that take a domain name, like Amazon.com, and associate it with the right IP address when someone types in the more memorable and brandable name. Email servers can similarly have assigned IP addresses associated with subdomains like, for example, mail.yourdomain.com, or Alt1.ASPMX.L.Google.com. Google support does a great job of explaining the different types of DNS records and provides an example if its own DNS records for the Google Cloud Service, shown here:
These are the records you enter through your Domain Registrar’s control panel.
The Difference between a Domain Registrar and a Web Host
A domain registrar is like the Division of Corporations. It registers your domain name so that you can have a web presence under a particular name, yourdomain.com, for example. Your web hosting company is like a landlord. It houses (hosts) your website. In some cases, you may have the same company acting as both your domain registrar and web host. That’s very common, but it’s important to understand the different functions and why you may need two logins if you registered your domain with NameCheap.com (our Registrar), but are hosting your website with another company, like CloudNovo.com (our web host).
So What Can You Do to Protect Your Domain?
Domain ownership laws vary across geographic jurisdictions. But, for the most part, courts agree that ? whoever is listed as the Registrant is the owner of the domain name. For this reason, you not only want to list your business as the Registrant, but you’ll also want to take a few simple steps to protect your claim to your domain name. Here’s what you need to know and do, in no particular order:
- Understand how much control your web or IT manager really needs. If you’re hiring someone just to maintain your website, update content and possibly make a few minor design changes, then that web manager needs login information for your FTP site, or your WordPress site, or whatever web building service you use, like Wix.
- Know how to use WhoIs and periodically check to make sure you’re still listed as the registered owner (Registrant) of your own domain name. Your domain registrar or web host will have a Whois link or you can use ICANN‘s Whois Domain Lookup like https://whois.icann.org/en.
- Always, always have login information for your domain registrar and web host. Even if you trust your web or IT manager, if they are not available and you have current login information, you’ll always have the necessary access to your digital property. If your domain registrar and web host are the same company (which again is fairly common), you’ll have only one login to manage. Just be sure you have a good password for that login.
- When necessary, use contract provisions to protect your ownership rights. If you’re asked to sign a service contract with a web manager, always include an acknowledgment that you and your business are the sole owners of your domain, that no change in the WhoIs record can be made without your express written permission, and that you are to be provided with current login information as it gets updated. Use whatever language you feel will adequately protect you. Consult an attorney if you’re not sure how to word the provision. And, of course, be sure your web manager has signed and provided you with your own original of the contract.
- Keep your domain locked to prevent unauthorized transfers. By default, domains are locked. They should be unlocked only when you are intentionally transferring the domain to another registrar. If your Whois information indicates “transfer prohibited,” then your domain is properly locked. If you do unlock it for a transfer, you’ll need to request that an EPP code be sent to you by email. When you request a transfer of your domain, the receiving registrar will require this code.
- Use an ICANN-accredited domain registrar that requires email authorization before making any substantive changes to your account. Most of my company’s domain registrations and all of our web hosting are handled by our white label, CloudNovo.com, through LiquidNet, Ltd., a U.K. web service provider. They are ICANN-accredited and follow all of ICANN’s Whois verification rules, including that all edits to the Whois domain registration information must be approved by email, which leads me to my next tip.
- Use a forever (public) email account for your domain registration. Because registration changes, renewal notices, and domain authorization codes will all come to you via email, it’s essential that you use a valid email account to which you have easy access in the long term, but preferably not the same email you use as your main business or personal account since there is always a spam risk. And, if you know you’re going to delete an old email account or let your email domain expire, update your Whois registration to your new email first.
- Publish your Whois information so that the world can see your claim to your domain name. Domain registrars offer to mask your Whois domain contact information for an annual fee. Although a little extra privacy sounds good, does a public business really need private domain registration? If you’re a business and already post contact information to the public, there are few reasons to use (or pay for) private domain registration that masks your ownership of your domain. Yes, you’ll be contacted by random people and may get more junk mail. This will likely happen regardless because spammers are more likely to scrape this information from a website than from domain registries. In any case, a legitimate business is expected to have a public face, which just makes it look more legitimate. While I don’t recommend using cell phone numbers, personal emails and home addresses, I do think posting contact information on your business website and business domain registry makes sense. It’s easy enough to get a street address by renting a UPS mailbox, or a phone number from Google Voice or any VoIP service. And, when you purchase a domain, you can set up an admin, webmaster, or firstname.lastname@example.org email that forwards to your primary email inbox.
- Don’t be afraid to learn how to manage your own domain and website. The learning curve may not be as steep as you think, especially if you have some computer skills. Every domain registrar and web hosting company has information online with instructions on registering a domain, editing your WhoIs domain registration, updating your own WordPress website, and even how to edit your DNS records. If you get in trouble, web hosting tech support can usually bail you out.
- Consider using our web host to ease you into the learning curve. CloudNovo’s tech support is provided by LiquidNet’s helpdesk and data center staffers who respond 24/7/365 to support tickets well within an hour, usually within a half hour. CloudNovo also uses LiquidNet’s Hepsia control panel and Domain Manager which are incredibly fast and easy to use, more so than even cPanel or Plesk (common domain and web hosting interfaces), and definitely better than Go-Daddy’s or Network Solutions’ control panels, which are not only difficult to navigate, but also full of annoying upsell pages. And unlike other web hosts that make it hard to find instructions, and then ask you survey questions about your experience, CloudNovo’s Hepsia panel provides instructions (and often accompanying video tutorials) in each section of the control panel that walk you through all the common web management functions. Just click the corresponding Help button on whatever section you’re in. We’ve been using this service for our own domains for years. I’m kind of an evangelist when it comes to this web host. Any control panel management I need to do for a client who uses CloudNovo happens more quickly, which means the client saves money. But, full disclosure, our domain registration is with NameCheap, and I haven’t yet tried their web hosting, which instinct tells me is probably pretty good. It’s certainly inexpensive. While CloudNovo has been reliable, NameCheap’s Premium DNS with 100% uptime is unbeatable for ensuring uninterrupted email flow.
Our client (the one who was making “monthly premium car payments” to his old web manager) finally got his domain EPP authorization code the morning of July 3rd. We initiated the transfer and entered his DNS records, and the domain went live by 10:00 p.m. the same night with his newly designed website. It took longer for the old web manager to unlock the domain and send the authorization than it did to complete the transfer on CloudNovo. To be honest, we were kind of surprised at how quickly the transfer went through. We’re happy and relieved that he’s now regained full ownership and control of the domain he built.
Your efforts and reputation build your brand, and your domain name is a part of that brand. If you’re an online store, then you’re even more dependent on your domain name. Always make sure you’re listed as the Registrant of your domain. Never let web managers or tech support companies enter their own names as the Registrant of your domain so that you’re never stuck paying a ransom to get it back.