Domains have been abused in cyber attacks for ages: attackers compromise the web server (or shared hosting panel) and host phishing campaigns or malicious C2 servers from it, or hijack the domain itself to mislead visitors (e.g. by publishing false news stories). While some of the advice in this post is specific to Namecheap's security settings, we also cover general domain security best practices and tips to protect yourself from cyber attacks.

1. Configure Multi Factor Authentication (MFA)

MFA is a crucial security control that most people neglect, yet it protects against most domain hijacking attacks and account compromises. We recommend an authenticator app (TOTP) or a hardware device (e.g. YubiKey) for maximum security, since attacks like SIM swapping can bypass SMS-based MFA. With MFA enabled on Namecheap, your domains stay protected even if your credentials are stolen or exposed in a database breach.

[Screenshot: configuring Multi-Factor Authentication (MFA) in Namecheap]

2. Limit Password Reset Options

By default, you can request a password reset using your domain name or primary email, information that is publicly accessible or easily guessed by attackers. Instead, choose a unique username that does not identify you or your company, and uncheck Primary Email and Domain Name before clicking Save Changes. This limits who can initiate password resets on your account and shrinks the attack surface.

[Screenshot: limiting password reset options in Namecheap]

3. Enable Security Alerts

Namecheap can email you when alerts are triggered on your account, such as account access requests (e.g. password changes), changes to account contacts (which may indicate a domain compromise), and hostname record updates. All of these events should be enabled and monitored by a designated person on the team. Investigate each alert and confirm that an authorized user performed the action; if not, assume the account is compromised and reset your credentials for Namecheap and any other platform where you reuse the password.

[Screenshot: enabling security alerts in Namecheap]

4. Enable Auto-Renewal for Domains

Auto-renewal automatically renews your domain registration before it expires, preventing accidental lapses in ownership. It is worth enabling: there are documented cases of businesses forgetting to renew a domain and then being extorted for large sums to get it back, or, worse, of attackers piggybacking on the brand and domain reputation to perform malicious actions, such as standing up a copy of your e-commerce store to steal credit cards, or sending phishing emails from your domain, which are less likely to land in spam because of the trust the domain has built up.

[Screenshot: enabling auto-renewal for domains in Namecheap]

5. Enable Domain Lock

Domain lock is a security feature that prevents unauthorized domain transfers. When a domain is locked, it cannot be moved to another registrar without your explicit permission, protecting it from being stolen if your Namecheap account is compromised. By default, this is enabled for all domains purchased on Namecheap.
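Both of the last two safeguards (a transfer lock and a renewal that does not lapse) are visible in a domain's public registration data, so they can be checked from outside the registrar panel. The script below is an added example, not Namecheap's tooling or code from this post: it reads an RDAP-style domain record (the JSON shape defined in RFC 9083, with a `status` list and an `expiration` event), flags a missing transfer lock, and warns when the expiry date is within a configurable number of days. The record it inspects is constructed for the example; `example-shop.test` is not a real domain.

```python
"""Audit a domain's registration data for a transfer lock and an
approaching expiry. Added example; the input is a constructed RDAP-style
record (RFC 9083 shape), not a live lookup."""
import json
from datetime import datetime

# Constructed sample: a locked domain whose registration is about to expire.
SAMPLE_LOCKED = json.dumps({
    "ldhName": "example-shop.test",
    "status": ["client transfer prohibited", "client delete prohibited"],
    "events": [
        {"eventAction": "registration", "eventDate": "2020-03-01T00:00:00Z"},
        {"eventAction": "expiration", "eventDate": "2025-03-01T00:00:00Z"},
    ],
})

# Constructed sample: no lock at all and already expired.
SAMPLE_UNLOCKED_EXPIRED = json.dumps({
    "ldhName": "forgotten.test",
    "status": ["ok"],
    "events": [
        {"eventAction": "expiration", "eventDate": "2024-12-01T00:00:00Z"},
    ],
})

# EPP status values that block a registrar transfer (client- or server-side).
TRANSFER_LOCK_STATUSES = {"client transfer prohibited",
                          "server transfer prohibited"}


def _parse_time(iso_text):
    """Parse an RFC 3339 timestamp such as 2025-03-01T00:00:00Z."""
    return datetime.fromisoformat(iso_text.replace("Z", "+00:00"))


def parse_rdap(text):
    """Return (name, set of lowercase statuses, expiry datetime or None)."""
    data = json.loads(text)
    statuses = {s.lower() for s in data.get("status", [])}
    expiry = None
    for event in data.get("events", []):
        if event.get("eventAction") == "expiration":
            expiry = _parse_time(event["eventDate"])
    return data.get("ldhName", ""), statuses, expiry


def audit_domain(rdap_text, now_iso, warn_days=30):
    """Return (name, list of findings). An empty list means no concern."""
    name, statuses, expiry = parse_rdap(rdap_text)
    now = _parse_time(now_iso)
    findings = []
    if not statuses & TRANSFER_LOCK_STATUSES:
        findings.append("no transfer lock: domain can be moved to another registrar")
    if expiry is None:
        findings.append("no expiration event in registration data")
    else:
        days_left = (expiry - now).days
        if days_left < 0:
            findings.append(f"domain expired {-days_left} days ago")
        elif days_left <= warn_days:
            findings.append(f"domain expires in {days_left} days; confirm auto-renewal")
    return name, findings


if __name__ == "__main__":
    for sample in (SAMPLE_LOCKED, SAMPLE_UNLOCKED_EXPIRED):
        name, findings = audit_domain(sample, "2025-02-15T00:00:00Z")
        print(name, findings or ["ok"])
```

Run this on a schedule against the RDAP output for every domain you own and treat any finding as an alert: a lock that silently disappears is exactly the signal that precedes an unauthorized transfer, and an expiry inside the warning window means the auto-renewal setting (or the payment method behind it) needs a look.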

6. Protect against Subdomain Hijacking

Subdomain hijacking happens when an attacker takes control of an unclaimed or misconfigured subdomain, often because of DNS misconfigurations or decommissioned services whose DNS records were left behind. Attackers can use hijacked subdomains for phishing, malware, or redirecting traffic to harmful sites, damaging your brand and exposing users to risk. If you manage domains with Namecheap, especially when they point at external services, monitoring and correctly configuring subdomains is essential. Promptly update or remove DNS records for decommissioned services to prevent unauthorized access and protect your domain from exploitation.
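The record left behind by a decommissioned service is usually a CNAME whose target no longer resolves, so a periodic audit of the zone catches most of these before anyone else does. The script below is an added example written for this post, not Namecheap tooling: it parses a zone export in the common `name TYPE target` layout, resolves every CNAME target, and lists the ones that fail to resolve. The zone data is constructed (the `.test` names are reserved and not real services), and the resolver is injectable so the logic can be exercised offline.

```python
"""Find dangling CNAME records in a zone export. Added example with a
constructed zone; the live resolver needs network access and is only
used when no resolver callable is passed in."""
import socket

# Constructed zone export (not real DNS data). Columns: name, type, target.
SAMPLE_ZONE = """\
www.example-shop.test.      CNAME   example-shop.test.
blog.example-shop.test.     CNAME   old-blog.hosting-provider.test.
shop.example-shop.test.     CNAME   store.hosted-commerce.test.
example-shop.test.          A       192.0.2.10
"""


def parse_zone(text):
    """Return (subdomain, target) pairs for every CNAME line in the export."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 3 and parts[1].upper() == "CNAME":
            records.append((parts[0].rstrip("."), parts[2].rstrip(".")))
    return records


def resolves(hostname):
    """Live check: True if the name resolves to at least one address."""
    try:
        socket.getaddrinfo(hostname, None)
        return True
    except socket.gaierror:
        return False


def find_dangling_cnames(zone_text, resolve=resolves):
    """Return the CNAME records whose target does not resolve.

    `resolve` is any callable taking a hostname and returning a bool, so a
    stub can be supplied for testing or for a cached resolver."""
    return [(name, target) for name, target in parse_zone(zone_text)
            if not resolve(target)]


if __name__ == "__main__":
    for name, target in find_dangling_cnames(SAMPLE_ZONE):
        print(f"dangling: {name} -> {target}")
```

This catches the simplest failure mode, a target that has vanished from DNS. A target that still resolves to a hosting provider's shared endpoint but is no longer claimed by your account is not detected by resolution alone; for those, reconcile the zone against the list of services your team actually operates and remove anything that is not on it.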
