TL;DR:
- Your domain name is the single most critical digital asset your business owns – more than your website, your hosting, or your social profiles.
- If your developer registered your domain, or if it lives inside their account, you do not control your business’s online identity.
- A developer can list your domain for auction, let it expire, or hold it hostage – and you may not find out until your site goes dark.
- This isn’t just one story. I’ve seen it happen more than once, in more than one way. The outcome is always the same.
- This post tells you what to check, what registrar lock means, and why control of your domain should never leave your hands.
In 2022, I started working with an eCommerce client and five months on his website mysteriously disappeared. No warning. No SSL error. No “coming soon” page. Just – gone.
It took both of us a while to figure out what happened. The domain wasn’t showing up in his GoDaddy account under “My Products” the way it always had. Eventually, he found an email he hadn’t opened. His domain had been sold. At auction. By the previous developer who had originally set it up. We discovered the listing had been up a year before the sale happened.
The client owned the domain – it was in his GoDaddy account. But he had given the developer full login access to that account, not GoDaddy’s Delegated Access feature (which limits what a collaborator can actually do). Full account access means the developer could act as the account owner in every way. List a domain for auction. Transfer it out. Delete it. GoDaddy can do nothing about it. Their hands were tied. The client had no idea the distinction mattered.
Here is the part that makes this worse: GoDaddy Auctions didn’t show listed for auction domains in the main dashboard. There’s no banner. No alert. No obvious indication. Unless you go looking specifically for an auction listing – which nobody does for a domain they believe they own – you have no idea it’s happening.
The domain sold. The new owner paid roughly a hundred dollars for it. Then he turned around and wanted thousands to give it back. The client said no.
I had been in this business for 21 years at that point. I had never seen anything like it.
It Doesn’t Always Look Like an Ambush
Sometimes it starts slowly. And that’s almost harder to recognize until it’s too late.
Earlier in my career, I took on a senior living community as a client. They had worked with a solo web designer who built their original website and registered the domain – in her own GoDaddy account, charged them for the registration, but owned by her. In GoDaddy’s eyes, she was the account holder. That made her the owner.
At first, things were fine. She was happy to collaborate with me taking over as the new developer. She managed the hosting; I handled the redesign. It started to break down gradually – communication got sporadic. Every task took longer than it needed to. Every request hit a wall. Eventually, access to the hosting account got deliberately blocked.
When it became clear the working relationship wasn’t sustainable, I recommended moving the hosting to remove the barrier. The client liked her – but they agreed the situation wasn’t workable. That decision was the turning point.
She started contacting board members and residents directly. Calling. Campaigning. Trying to get them to stay with her. It was deeply unprofessional, and it had the opposite effect she intended – it pushed every board member to agree to move forward with the change.
Then she said they had to pay her to transfer the domain out. They agreed. Then she disappeared, even before they could pay. No transfer. No response. Just gone.
We bought a new domain and started over. Fortunately, this client had done very little marketing with the original domain – no major backlink profile to lose, no search rankings built up over years. The only real casualty was the name itself. The original had a hyphen in it. The new one didn’t. We joked that they had gone from being a co-op to a coop. It became one of those project stories you tell for years.
It was funny by the time we could laugh about it. It wasn’t funny in the middle of it. That is what is called, “Domain Hijack.”
Your Domain Is Not Just an Address
Most business owners think of their domain the way they think of a street address – just a place to point people to. It’s more than that.
Your domain is what ties everything together. It’s connected to your hosting, your email, your SSL certificate (the technology that puts the “S” in HTTPS and tells browsers your site is secure), your Google Business Profile, and every backlink and citation your business has ever earned. When a domain disappears, all of that goes with it.
In the client’s case above, that meant a three-year-old site, all its search engine rankings, every product page that had ever been indexed by Google, and every backlink that had ever pointed to his business – gone. Not recoverable. Not redirect-able. Just gone. Bought by a guy who’s posting pointless articles on the topic with hidden affiliate links.
We got him a new domain. We scrambled to move the site. We reached out to every local media outlet that had ever covered him and asked them to update links in their articles. He lost December – the peak of holiday selling season. He lost rankings he had spent years building. He lost the brand equity that had accumulated in that original domain name.
Neither of these developers “made a mistake”. They both knew what they were doing. One was aggressive about it from the start. The other turned bad slowly. The result for the clients was the same either way – lost domain names.
Domain security is part of what falls under our Digital Oversight Partnership – the kind of thing that should be on someone’s radar at all times, not just when something breaks.
What Registrar Lock Means (and Why It Matters)
A domain registrar is the company where a domain name is registered – GoDaddy, Namecheap, Google Domains, and others all serve this function. When you register a domain, that domain lives in an account at that registrar.
If the account belongs to your developer, not you – your developer controls the domain. They can transfer it. Let it expire. Or, as we saw here, list it for auction or hold it until you pay.
Registrar lock is a setting that prevents a domain from being transferred away from an account without an explicit unlock. When it’s turned on, no one can move the domain without going through a verification process. It’s a basic layer of protection – but it only helps if the account holding the domain is yours.
The lock on someone else’s account doesn’t protect you. It just means they have to take one more step before they can hurt you. This wouldn’t have helped in the two experiences shared. It’s just a must for all domains.
How to Check Who Actually Controls Your Domain
You don’t need to be technical to do this. You need to be thorough.
Step 1: Run a WHOIS lookup.
Go to lookup.icann.org and type in your domain name. WHOIS is a public database that shows registration information for any domain. Look at the “Registrant” section. If your company name isn’t there – or if you see your developer’s name or company – that’s a problem. Note: some registrars use privacy protection that masks this data. If you see “Domain Privacy” or “Redacted for Privacy” instead of a name, that’s not unusual – but it means you’ll need to verify through your registrar account directly.
Step 2: Log into your registrar account.
You should be able to log into GoDaddy, Namecheap, or wherever your domain is registered and see it listed under your products. If you don’t have login credentials for a registrar account, or if you’ve never seen this account, that’s worth resolving now – not after the problem happens.
Step 3: Confirm registrar lock is enabled.
Once you’re in the account, look for a setting called “domain lock,” “transfer lock,” or similar. It should be turned on. If it’s not, turn it on.
Step 4: Confirm your contact information is current.
The registrar will send renewal notices and important alerts to the email address on the account. If that email address belongs to a developer who no longer works with you – or an address you don’t monitor – you’ll miss those notices.
What to Do If Your Domain Is in Someone Else’s Account
Ask for a transfer, in writing – now.
A domain transfer moves the registration from one account to another. The registrar will send an authorization code – called an EPP code or auth code – to the current account holder. They enter it, you enter it, and the domain moves to your account.
If the developer refuses to transfer the domain, you have options – but they get harder and slower from here. ICANN (the organization that oversees domain registration globally) has a dispute resolution process. Your registrar may also be able to help if you can prove ownership of the underlying business. But these processes take time, and in the interim, you’re at the developer’s mercy.
The easiest answer is to handle this before there’s a conflict. Transfer the domain while the relationship is still functional.
The Three Things That Should Always Be in Your Name
Not your developer’s name. Not your agency’s name. Not “the person who set this up back in 2019.”
- Your domain registration. In your account. At a registrar you have access to.
- Your hosting account. Where the website’s files actually live. You should be able to log in, see your plan, and know what you’re paying.
- Your DNS records. DNS (Domain Name System) is what tells the internet where to send people when they type in your domain. These records live at either your registrar or a separate DNS provider. They should be in an account you control.
If any of these three things are sitting in a vendor’s account, you have a dependency that could become a crisis. It may never become one. But it only takes once.
How We Handle Domains at Webmaster For Hire
Every client who works with us registers their domain through a domain portal – in their own name, on their own account. We never hold a client’s domain for them. Once it’s registered, we give steps on how to delegate access, which gives us the technical access we need to do our work without ever having the ability to act as the account owner. The domain stays yours. The access stays appropriate. That’s how it should work.
Where This Fits in the Bigger Picture
Domain control is one of those things that feels small until it isn’t. Most business owners don’t think about it at all – until the site goes dark or a vendor stops responding.
If you’re building or rebuilding a website, this gets set up correctly from day one – your name, your account, proper access structure in place before anyone touches a file. If your site is already live, domain and hosting access become part of ongoing webmaster responsibility – making sure nothing drifts as vendors change and time passes. And if your business has grown to the point where you have multiple tools, platforms, and people touching your digital infrastructure, that’s when domain oversight becomes part of a broader digital oversight conversation – where someone is actively watching what you own, who has access, and what’s due for renewal or review.
Most problems don’t come from one bad setup. They come from years of small decisions nobody is actively reviewing.
Not Sure Where You Stand?
If you’re not completely sure where your domain is registered, who controls the account, or who has access – that’s worth sorting out before it becomes a problem. I’ve helped business owners untangle access issues before they turned into disasters, and a few times after. It’s always easier before. Schedule a consultation and let’s find out exactly what’s in your control and what isn’t.
