A Valet for your Domain

Admin Access and Ownership Rights

You’ve got a shiny new website or a brand-new domain name, but what do you do with that page full of scrawled usernames, passwords and URLs? I’m sure somewhere along the line you’ve heard a cautionary tale or horror story about a website held hostage or a hijacked domain name. Every month I get notifications from every internet security company on the planet, urging me to read about new vulnerabilities and protocols. Modern websites use human verification steps, forced password resets, multiple device access, and complex password requirements to protect your accounts. Before we know it, we’ll need to perform a retina scan and provide a blood sample before we can check our IG or Snapchat accounts. Until then, are any of us doing enough to protect our websites and content?

Now, before you break out the 72-character encrypted hexadecimal passwords and the biometric scanners, let me just say that I am of the opinion that we’re all getting just a bit carried away. Sure, identity theft is at an all-time high (but so are box office sales). Internet security is a very real thing, so I don’t mean to make light of it, but we should all just take a deep breath, put our shoes back on and go about this realistically.

Your most precious commodity among business-related digital passwords and accesses is your domain registration. In a nutshell, your domain, or your URL, is the actual name of your website (hopefully it’s short, unique and accurate to your business name). Your domain by itself doesn’t do anything. You also have a hosting account somewhere, where all your site content is kept and served to the public. It is possible that your domain is registered at the same place as your hosting account, but not mandatory. Some say it is best to keep them at separate locations, though I haven’t seen any convincing data that would make that a hard and fast rule. For me, unless I can’t stand the provider, I typically recommend leaving the domain registered with whichever entity already had it when I found it.

If your domain is registered with your host, a good security measure is simply to make certain that the admin access of your host doesn’t give access to the domain settings. In either case, once you have this super-secret and complex password to gain administrator controls over the DNS settings of your domain, you’ll probably want someone to set everything up for you. I mean, that’s how geeks get paid after all. But how do you know if you can trust someone with your precious domain name? What if they suddenly switch your settings to point your URL to a website about unpopular political agendas? Or, worse: religion! They might hold it hostage, showing only a blank page or something nefarious to your painstakingly accrued audience.

Digital Best Practices in a Nutshell

A Valet for your Domain

Just think of it like a valet for your car. First, make sure he is wearing the same uniform as the hotel. Hold onto the receipt. Pay him. But most importantly, remember, you legally own the car. Insurance or no, if he takes it for a joy ride, you are entitled to legal assistance in getting it back. Sure, there is a risk, but it’s rare that a car thief will infiltrate the valet service and bluff his way into your driver seat. Also, keep in mind that access to your URL does not implicitly provide access to your customers’ details or even your site content. Access to site content doesn’t necessarily allow control over sensitive data like credit cards either, assuming your developer is using modern security practices – but that’s another article.

The simplest way to retain all of your passwords, accesses and details is to make a neat list in an email. Remember to be specific, give yourself the login address, security hints, everything. If you’re concerned about sending such sensitive info in an email, don’t send it. Just save it to your drafts, or make a folder and leave it there, unsent.

Allow your developer to access the domain settings and if you trust him at all, leave the control in his hands. Some registrars allow for different security levels of access – in that case, retain the highest level for yourself. If the developer cuts you out for any reason, remember that as the legal site owner (it’s documented under public record even if you can’t find the receipt), it isn’t just possible to force him to return control; you can press charges if necessary. He knows this, so he probably won’t mess around unless you back him into a corner.

What if that is your concern? You might be worried that your developer will hold your domain hostage the moment your payment is a day late. That’s just silly. If your developer wanted to hijack your site, and even if he had no access to your domain settings at all, he could simply take down or alter the site content which he is responsible for developing. The answer there is to avoid shortchanging your developer at least until you’re no longer dependent upon content he has access to. Just make sure you are the legal owner of the hosting account, or at least retain an official contract with the developer, naming you as the owner of the content and giving you complete legal control over your own site.

So, give him the keys – relinquish access. Change the password when he’s done if it makes you feel better. If you find yourself in a relationship with someone who has access to your site content or domain name and you are afraid he’ll do something unsavory (or he already has), reach out to another professional. If you are the registered owner of the domain, it won’t take long to recover. Potentially just minutes. A decent developer won’t want to tarnish his reputation with unprofessional behavior, and a firm or agency won’t abide their staff using such practices either. Plus, you can always give me a call and I’ll get on the phone with your registrar and work it out for you.

Rich Harris