Best practices for keeping your domain names secure?

I recently acquired a valuable domain name and want to make sure it stays secure and isn’t accidentally transferred away through hacking, social engineering, etc.

Here’s what I’ve come up with so far:

  • Ensure the domain name’s status is locked
  • Enable 2FA on your CloudFlare account
  • Enable 2FA on the email account associated with your CloudFlare account
  • Ensure you’re using a unique password for your CloudFlare account
  • Ensure you’re using a unique password for your email account

Any other tips?

I noticed CloudFlare allows you to unlock the domain and receive the EPP code without confirmation. It does not ask you to put in your password again. That would be a nice feature to have, so if someone were to get access to your CloudFlare session, they cannot simply unlock the domain and get the EPP code.


Three more tips:

  • Ensure whois data is up-to-date
  • Ensure email addresses in whois data are secure (see above)
  • Add as many renewal years as possible (10 years for .com)

Also make sure the email account associated with your Cloudflare account is not on a domain you’ve added to Cloudflare. I use Protonmail, so that end is pretty secure.

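As an added example (not code from this thread or from Cloudflare), here is a small Python audit of a domain's RDAP record against the items collected above: the transfer lock, the remaining renewal years, and whether the registrant contact mailbox sits on a domain managed in the same account. The two RDAP records and the `mail-provider.example` address are constructed samples, so it runs offline.

```python
# Added example (not from the thread): audit an RDAP record against this thread's checklist.
# Both RDAP samples are constructed (shaped like RFC 9083 output); no network access needed.
import json
from datetime import datetime

# Hypothetical weak record: transfer lock on, but short expiry and a contact mailbox
# hosted on the very domain being protected (the lockout scenario from the thread).
WEAK_RDAP = json.dumps({
    "ldhName": "example.com",
    "status": ["client transfer prohibited"],
    "events": [{"eventAction": "expiration", "eventDate": "2027-01-15T00:00:00Z"}],
    "entities": [{"roles": ["registrant"], "vcardArray": ["vcard",
                  [["email", {}, "text", "admin@example.com"]]]}],
})
# Hypothetical hardened record: locks, long renewal, contact mailbox on an outside domain.
GOOD_RDAP = json.dumps({
    "ldhName": "example.com",
    "status": ["client transfer prohibited", "client delete prohibited",
               "client update prohibited"],
    "events": [{"eventAction": "expiration", "eventDate": "2035-06-01T00:00:00Z"}],
    "entities": [{"roles": ["registrant"], "vcardArray": ["vcard",
                  [["email", {}, "text", "owner@mail-provider.example"]]]}],
})

def _ts(s):
    # RDAP dates are RFC 3339; fromisoformat wants "+00:00" rather than "Z" on older Pythons
    return datetime.fromisoformat(s.replace("Z", "+00:00"))

def audit_rdap(rdap_json, managed_domains, now_iso, min_years=5):
    """Return a list of findings; an empty list means the record passes all checks."""
    d = json.loads(rdap_json)
    now, findings = _ts(now_iso), []
    # EPP status codes appear in RDAP as spaced lowercase words ("client transfer prohibited")
    status = {s.lower().replace(" ", "") for s in d.get("status", [])}
    if "clienttransferprohibited" not in status:
        findings.append("transfer lock (clientTransferProhibited) not set")
    expiries = [_ts(e["eventDate"]) for e in d.get("events", [])
                if e.get("eventAction") == "expiration"]
    if not expiries:
        findings.append("no expiration event in record")
    elif (min(expiries) - now).days < min_years * 365:
        findings.append("fewer than %d years of renewal remaining" % min_years)
    # Contact mailboxes must not live on a domain whose DNS you could lose with the account
    for ent in d.get("entities", []):
        if "registrant" not in ent.get("roles", []):
            continue
        for prop in ent.get("vcardArray", ["vcard", []])[1]:
            if prop[0] == "email" and prop[3].rsplit("@", 1)[-1].lower() in managed_domains:
                findings.append("contact email %s is on a managed domain" % prop[3])
    return findings
```

Feed it a real registrar's RDAP response (`https://rdap.org/domain/<name>`) and the set of domains you host under the same account to get the same three checks on live data.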

Thanks for your reply. Perhaps you could offer some advice to me: There is a locked thread that addresses an issue that I have a specific question about. The user who I would like to contact is a regular contributor, but the relevant thread is locked. How should I proceed to ask them about one of their prior replies?

Thank you.

Thanks for the feedback.

Can you share a link to that thread?

Otherwise, create a new topic, refer to that topic and mention the original poster (user); hopefully he/she would respond, as they would get a notification about it.

Hi @sdayman,

Could you please explain this in more detail for me please? Why is it necessary/important to make sure the email account associated with your Cloudflare account is not on a domain that’s been added to Cloudflare?

There is a combination of circumstances that make it very difficult to regain access to your account. This is mainly along the lines of “I don’t have access to my old email account and I forgot my Cloudflare password”. In that scenario you cannot receive a password reset email and you also cannot point your MX records to a new mailbox.

On my work account with SSO enabled (so all staff use our company SSO to sign in to CF) I maintain a few break-glass accounts in totally separate domains. This ensures we still have access in the event our SSO fails, or a super-admin is hit by a bus.

Enterprise Accounts can have multiple super-admin level users, which mitigates most of the issues.


Thank you @michael for your reply.

I appreciate your explanation. So, what do you suggest for an effective break-glass/non-domain email account? It feels a little bit like a never-ending circle. If I create another email account with access to the CF account, now I have to make certain that that email’s domain/DNS/etc is all locked down very well too.

Unfortunately, I do not have access to the Enterprise level service so SSO, etc are unavailable to me.

In some ways I think, well, if I lost access to the CF account I could always re-create and use the domain registrar to point to a different CF account, but that feels incomplete as well…