Eco Domain (.eco)

Securing your .eco domain

Cyber-security threats have increased dramatically over the last few years. Organizations think about how to best secure their website. However, securing their domain name is often an afterthought, despite being one of the simpler and more common ways that a site can be attacked.


If an attacker can gain control of your domain name they can route all traffic to a website of their choice. This is commonly known as domain hijacking. An attacker might use this alternate site to send malware to your customers, steal credentials, publish defamatory information or simply hold your domain name for ransom.

At .eco we take security seriously and we want to help ensure that this type of threat doesn’t affect you and the .eco community. Here are a few simple steps that you can take to keep your .eco domain secure:

1. Enable domain auto renew

One of the most common ways that people lose control of their domain name is that they forget to renew their domain on time. Attackers will monitor newly expired domains to see if there are valuable expired names to be exploited. If your domain name has expired, anyone can go and register it and then set up a new website. Your customers won’t know that the domain name has changed hands and may be fooled into disclosing information to the new owner. Regaining control of your domain once it has been purchased by another party can be time consuming and difficult - and in the meantime the damage will have been done.

Domain auto renew ensures that your domain name will renew automatically at the end of the term without you needing to explicitly renew it.

The best thing to do is to make sure that your domain name doesn’t expire, unless you are entirely done with it. Verify that domain auto renew is enabled for the domain names in your registrar account. You can always tell your registrar to explicitly delete your domain name if you are done with it.
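As a backstop to auto renew, you can watch the expiry date that the registry publishes for your domain over RDAP. The following is an added example, not part of the original article or any .eco tooling: it classifies a domain from an RDAP domain record. The sample record is constructed, and the function names and the 45-day warning window are assumptions.

```python
import json
from datetime import datetime, timezone

# Constructed RDAP domain response (RFC 9083 layout), trimmed to the fields used here.
SAMPLE_RDAP = json.loads("""
{
  "objectClassName": "domain",
  "ldhName": "example.eco",
  "status": ["active"],
  "events": [
    {"eventAction": "registration", "eventDate": "2019-03-01T12:00:00Z"},
    {"eventAction": "expiration", "eventDate": "2025-03-01T12:00:00Z"}
  ]
}
""")

# RDAP status values (RFC 8056) that mean the registration has already lapsed.
LAPSED = {"redemption period", "pending delete"}

def expiry_of(rdap):
    """Return the expiration timestamp from an RDAP domain object, or None."""
    for event in rdap.get("events", []):
        if event.get("eventAction") == "expiration":
            # fromisoformat() before Python 3.11 rejects a trailing "Z".
            return datetime.fromisoformat(event["eventDate"].replace("Z", "+00:00"))
    return None

def renewal_risk(rdap, now, warn_days=45):
    """Classify a domain as 'lapsed', 'expiring', 'unknown' or 'ok'."""
    statuses = {s.lower() for s in rdap.get("status", [])}
    if statuses & LAPSED:
        return "lapsed"
    expires = expiry_of(rdap)
    if expires is None:
        return "unknown"  # no expiry published: check the registrar account by hand
    days_left = (expires - now).days
    if days_left < 0:
        return "lapsed"
    return "expiring" if days_left <= warn_days else "ok"

if __name__ == "__main__":
    now = datetime.now(timezone.utc)
    print(SAMPLE_RDAP["ldhName"], renewal_risk(SAMPLE_RDAP, now))
```

An "expiring" result close to the renewal date means auto renew has not yet extended the term, so check the auto renew setting and the payment method in your registrar account.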

2. Ensure that your registrar can reach you

Your domain registrar will send you notifications regarding upcoming domain renewals or any payment issues with your account. If you don’t receive these email notifications, you may not realize that your credit card has expired. If the registrar cannot collect payment when your domain name is due for renewal, they will be forced to delete it. Use a generic email address (e.g. billing@example.com) as the billing contact with your registrar. If you tie it to a personal email address, you may miss these emails if that individual leaves your organization.

3. Use multi-factor authentication (MFA) to access your registrar account

Multi-factor authentication means using a device, such as your phone - in addition to your email address and password - to log into an account. These days, most registrars support MFA. If your registrar supports it, use it! And ensure that everyone with access to your registrar account has MFA enabled.

With MFA enabled, even if an attacker were to gain access to your email and password, they would still be unable to access your account. Enabling MFA is one of the simplest and most effective ways to strengthen security.

For registrars that support it, an alternative is to log into your registrar account using another authentication provider such as Google or Microsoft, or to use single sign-on (SSO). This means that you can rely on the MFA and other security measures of those services while also reducing the number of distinct accounts that you need to manage. This also makes it easier to control access if people leave your organization, as there are fewer places to remove access.

4. Make sure that you control your registrar account

If you are using a third party to build your website, such as an independent web developer or a design agency, they may offer to register and manage your domain name for you. While this is a convenient service, make sure that you have administrator rights for the registrar account and that you can remove their access if you decide you no longer need their services.

We have seen instances where .eco community members are no longer able to manage their domain or website because they didn't have access to their registrar account. The same also applies to your .eco profile - ensure that you have access to manage your .eco profile yourself.

5. Consider using a third-party email address for your registrar account

We encourage you to use your .eco email address wherever you need it. However, you may want to use a different email address for your registrar account. The reason is that if you lose control of your domain name, you may no longer be able to receive emails to that address. If you need to do a password reset or prove ownership of your domain, this could be problematic if your email address is also tied to that domain.

6. Domain privacy is a double-edged sword

Most registrars offer domain privacy, often for free. With domain privacy, your email address and contact information won’t be published into the public domain name record. Instead the registrar will generate an email address for you, like abcdefg@superprivacy.com, and will publish this email address along with a generic address into the record.

This is helpful for privacy as it means that your contact information is not made public. However, this also obscures the fact that you are the owner of this domain name. Only the registrar is able to demonstrate proof that you indeed own the domain in question. If there is ever a dispute over the ownership of your domain, you will need to rely on the registrar to support your claim. If your domain is hijacked, this can be even more complicated.

At .eco, we believe that transparency is an important part of being good global citizens. We believe that providing accurate information counters greenwashing and keeps people accountable to their environmental commitments. This is why .eco profiles are a core part of the .eco community. Your .eco profile can serve as additional evidence demonstrating the ownership of your domain.

In summary

Your .eco domain name is a very valuable asset for your organization. So, when it comes to keeping your online presence secure, don’t neglect the security of your domain name. Following the steps above will help protect your .eco domain from attack.

And as one bonus tip, don’t forget to include the measures that you are taking in your organization’s digital security policy. That way, you have a perpetual record of the steps that you are taking to keep everything secure.

If you have any thoughts or questions about these tips, feel free to send us a quick note using the chat icon in the corner.