Securing your .eco domain
Cybersecurity threats have increased dramatically over the last few years. Many organizations think about how to keep their website secure but forget about securing their domain name, despite it being one of the more common ways that a site can be attacked.
If an attacker can gain control of your domain name they can route all traffic to a website of their choice. This is commonly known as domain hijacking. An attacker might use this alternate site to send malware to your customers, steal credentials, publish defamatory information or simply hold your domain name for ransom.
At .eco we take security seriously and we want to ensure that this type of threat doesn’t affect you and others in the .eco community. Here are a few simple steps that you can take to keep your .eco domain secure:
1. Enable domain auto renew
One of the most common ways that people lose control of their domain name is that they forget to renew their domain on time. Attackers will monitor newly expired domains to see if there are valuable expired names to be exploited. If your domain name has expired, anyone can go and register it and then set up a new website. Your customers won’t know that the domain name has changed hands and may be fooled into disclosing information to the new owner. Regaining control of your domain once it has been purchased by another party can be time consuming and difficult — and in the meantime the damage will have been done.
Domain auto renew ensures that your domain name will renew automatically at the end of the term without you needing to explicitly renew it.
The best thing to do is to make sure that your domain name doesn’t expire, unless you are entirely done with it. Verify that domain auto renew is enabled for the domain names in your registrar account. You can always tell your registrar to explicitly delete your domain name if you are done with it.
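Auto renew can still fail, for example when a payment does not go through, so an independent expiry check is a useful backstop. The sketch below is an added example, not part of the original article: it reads RDAP-style domain records (RDAP is the JSON successor to whois) and flags names that are close to expiry or have already lapsed. The records, the domain names and the 45-day threshold are constructed for illustration.

```python
from datetime import datetime, timezone

# Constructed RDAP-style domain objects (field names per RFC 9083).
# The names use the reserved .example TLD; none of this is real lookup data.
SAMPLE_RECORDS = [
    {"ldhName": "shop.example", "status": ["active"],
     "events": [{"eventAction": "expiration", "eventDate": "2026-03-01T00:00:00Z"}]},
    {"ldhName": "blog.example", "status": ["active"],
     "events": [{"eventAction": "expiration", "eventDate": "2025-01-20T00:00:00Z"}]},
    {"ldhName": "old-campaign.example", "status": ["redemption period"],
     "events": [{"eventAction": "expiration", "eventDate": "2024-12-10T00:00:00Z"}]},
    {"ldhName": "mystery.example", "status": ["active"], "events": []},
]

# RDAP status values that mean the registration has already lapsed.
LAPSED_STATUSES = {"redemption period", "pending delete"}


def expiry_of(record):
    """Return the expiration time of an RDAP domain object, or None if absent."""
    for event in record.get("events", []):
        if event.get("eventAction") == "expiration":
            # Older Python versions do not accept a trailing "Z".
            return datetime.fromisoformat(event["eventDate"].replace("Z", "+00:00"))
    return None


def classify(record, now, warn_days=45):
    """Return (name, state, days_left) for one domain record."""
    name = record.get("ldhName", "<unnamed>")
    expires = expiry_of(record)
    days_left = (expires - now).days if expires else None
    if LAPSED_STATUSES & set(record.get("status", [])):
        return name, "LAPSED", days_left
    if expires is None:
        return name, "UNKNOWN", None   # no date published: check with the registrar
    if days_left < 0:
        return name, "EXPIRED", days_left
    if days_left <= warn_days:
        return name, "RENEW_SOON", days_left
    return name, "OK", days_left


if __name__ == "__main__":
    now = datetime(2025, 1, 1, tzinfo=timezone.utc)  # fixed so the output is repeatable
    for rec in SAMPLE_RECORDS:
        print(classify(rec, now))
```

A name reported as RENEW_SOON while auto renew is supposedly enabled is the signal to check the payment method and contact details on the registrar account.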
2. Ensure that your registrar can reach you
Your domain registrar will send you notifications regarding upcoming domain renewals or payment issues with your account.
If you don’t receive these email notifications, you may not realize that the credit card they have on file has expired.
If the registrar cannot collect payment when your domain name is due for renewal, they will be forced to delete it.
Use a generic email address (e.g. billing@example.com) as the billing contact with your registrar.
If you tie it to a personal email address then you may miss these emails if that person leaves your organization.
3. Use multi-factor authentication (MFA) to access your registrar account
Multi-factor authentication means using a device, such as your phone — in addition to your email address and password — to log into an account. These days, most registrars support MFA. If your registrar supports it, use it! And ensure that everyone with access to your registrar account has MFA enabled.
Even if an attacker were to steal your password, they would still be unable to access your account when MFA is enabled. Enabling MFA is one of the simplest and most effective ways to strengthen security.
For registrars that support it, an alternative is to log into your registrar account using another authentication provider, such as Google or Microsoft, or to use single sign-on (SSO). This means that you can rely on the MFA and other security measures of those providers while also reducing the number of distinct accounts that you need to manage. This also makes it easier to control access if people leave your organization, as there are fewer accounts to clean up.
4. Make sure that you control your registrar account
If you are using a third party to build your website, such as an independent web developer or a design agency, they may offer to register and manage your domain name for you. While this is a convenient service, make sure that you have administrator rights for the registrar account and that you can remove their access if you decide you no longer need their services.
We have seen instances where .eco community members are no longer able to manage their domain or website because they didn't have access to their registrar account. The same also applies to your .eco profile — ensure that you have access to manage your .eco profile yourself.
5. Consider using a third party email address for your registrar account
We encourage you to use your .eco email address wherever you need it. However, you may want to use a different email address for your registrar account. The reason is that if you lose control of your .eco domain name, you may no longer be able to receive emails to that .eco email address. If you need to do a password reset or prove ownership of your domain this could be problematic if your email address is also tied to it.
6. Domain privacy is a double-edged sword
Most registrars offer domain privacy, often for free. With domain privacy, your email address and contact information won’t be published into the public domain name record (whois). Instead the registrar will generate an email address for you, like abcdefg@privacyservice.com, and will publish this email address along with a generic address into the record.
This is helpful for privacy as it means that your contact information is not made public. However, this also obscures the fact that you are the owner of this domain name. Only the registrar is able to provide proof that you indeed own the domain in question. If there is ever a dispute over the ownership of your domain, you will need to rely on the registrar to support your claim. If your domain is hijacked, this can be even more complicated.
At .eco, we believe that transparency is an important part of being good global citizens. We believe that providing accurate information counters greenwashing and keeps people accountable to their environmental commitments. This is why .eco profiles are a core part of the .eco community. Your .eco profile can serve as additional evidence demonstrating the ownership of your domain.
In summary
Your .eco domain name is a very valuable asset for your organization. When it comes to keeping your online presence secure, don’t neglect taking steps to secure your domain name. Following the steps above will help protect your .eco domain from attack.
And as one bonus tip, don’t forget to include the measures that you are taking into your organization’s digital security policy. That way, you have a perpetual record of the steps that you are taking to keep everything secure.
If you have any thoughts or questions about these tips, feel free to send us a quick note using the chat icon in the corner.