Privacy & Security July 26, 2023

What is Domain Locking?

Worried about unauthorized domain changes or transfers? Learn how a common, registrar-provided security feature can help to safeguard your website and your brand.

Once you’ve claimed and set up your domain name, domain locking will play a key role in keeping it safe. As a default security measure provided by your registrar, domain locking prevents unauthorized attempts to modify or transfer your domain. Here’s what you should know about domain locking—and what to expect from your registrar.

What is domain locking (and how does it work)?

Domain locking is one of many status code locks placed on your domain by your registrar. It essentially ‘freezes’ your key domain configurations until the lock is removed. You can ask your registrar to place or remove your lock at any time.

The broad involvement of different security features—alongside domain locking—creates a layered defense. If initial security layers are compromised, a stringent identity verification process is still needed to crack the lock on your domain, usually in the form of an authentication code or validation email link (the specifics will depend on your registrar and the type of lock).

Why is it necessary?

This virtual locking mechanism helps protect against “domain hijacking,” in which fraudulent parties gain access to your registrar account and steal your domain by transferring it to another registrar, or make DNS modifications that redirect users to malicious sites.

Types of domain locks

There are two main types of domain locks that offer varying levels of domain security.

Registrar Lock:

  • This is the standard domain lock, offered by virtually all registrars.
  • It is implemented at the registrar level, where your domain is registered.
  • Purpose: Prevents unauthorized changes to your domain settings or transfers without your approval.

Registry Lock:

  • Considered the most comprehensive domain lock, available for certain gTLDs (such as .com and .net) and several ccTLDs.
  • This high-level lock is managed and implemented by the domain registry.
  • Unlocking requires an identity verification process involving you, the registrar, and the registry.
  • In a WHOIS lookup, it appears under the status section as statuses that begin with the word “server.”
  • Purpose: Offers an additional layer of protection, reducing the risk of domain theft or redirection.

The fundamental purpose of both “registrar” and “registry” locks is the same—to prevent unauthorized manipulation of your domain, insulating you from the catastrophe of a stolen or redirected domain name.

Is domain locking free?

Domain locking is free of charge and implemented by your registrar. If your registrar offers registry lock in addition to the standard registrar lock, the registry may charge a recurring fee.

Why registry lock isn’t as common

Registry lock isn’t something all registrars offer. Put plainly, the majority of registrants don’t really need it, since they’re unlikely targets of hijackers. Registry lock can be more of an inconvenience than an ideal solution, since there are additional administrative hoops to jump through and a significant delay in making any changes to your domain settings.

That being said, registry lock is experiencing a new surge of attention, and rightfully so, among larger businesses, which are more likely to be valuable hijacking targets. Registry lock in tandem with registrar lock is an effective way for popular domains to make a preemptive strike against hackers.

How “Thick” and “Thin” registries affect your domain lock

The way that your top-level domain (like .com) handles WHOIS information will partly determine your domain lock’s effectiveness. For example, domain locking doesn’t prevent changes to personal contact details if your TLD uses a thin registry—only a thick registry will block contact changes while your domain is locked.

Let’s take a closer look at what these terms mean.

A thin registry indicates that the registry stores limited visible information associated with the domain name, while the registrar maintains the bulk of information associated with the registrant and its contacts.

A thick registry indicates that the registry maintains the bulk of privacy-sensitive information, while the registrar stores limited information and relies on the registry for most of the information.

Currently, “.com” and “.net” are examples of thin registries, while “.info” and “.biz” are examples of thick registries.

How do I check the status of my domain locks?

There are a couple of methods to check whether the doors to your domain are open or not: through your registrar account, or by performing a WHOIS lookup. If you’re checking on a typical domain (registrar) lock, either method is efficient. If you’re checking the status of both a registrar and a registry lock, it’s quicker to perform a WHOIS lookup.

For a registrar lock: Log into your account with your registrar. The lock status is usually displayed on the account dashboard or in the “Settings” section.

For a registry lock: A WHOIS lookup will work best for you. Perform a search on your domain name and you’ll see a “Status” section displayed on the WHOIS record.

 

Possible locked domain WHOIS statuses:

Domain locks show up with one or more of these statuses. Registrar locks display “client” as the first word, while registry locks begin with the word “server.”

• [client or server] Delete Prohibited – prevents domain name deletion

• [client or server] Transfer Prohibited – rejects requests to transfer domain name away from registrar

• [client or server] Update Prohibited – blocks WHOIS modifications, including contact information and name server re-delegations

As an example, when checking on your registrar lock, you might see just one listed status, like “clientTransferProhibited”—or you might see all three listed, depending on your registrar’s particular implementation. These statuses get added automatically to your WHOIS data once they’re implemented.
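
The status check described above can be scripted. The following is an added example, not code from the original article: it parses the “Status” lines of saved WHOIS output and reports which operations the registrar (client) and registry (server) locks cover. The sample record and the function names are constructed for illustration.

```python
import re

# The three operations the article lists, each lockable at two levels.
OPERATIONS = ("Delete", "Transfer", "Update")
LEVELS = {"client": "registrar lock", "server": "registry lock"}

# Matches "Domain Status: ..." as well as a bare "Status: ..." line.
STATUS_LINE = re.compile(r"^\s*(?:Domain\s+)?Status:\s*(.+)$", re.IGNORECASE)


def parse_statuses(whois_text):
    """Return the set of normalized status codes found in WHOIS output."""
    found = set()
    for line in whois_text.splitlines():
        match = STATUS_LINE.match(line)
        if not match:
            continue
        # Drop the reference URL some records append, then collapse
        # "client Transfer Prohibited" into "clienttransferprohibited".
        value = re.split(r"\s+\(?https?://", match.group(1))[0]
        found.add(re.sub(r"[\s_-]+", "", value).lower())
    return found


def lock_report(whois_text):
    """Map each lock level to the operations it blocks and leaves open."""
    statuses = parse_statuses(whois_text)
    report = {}
    for prefix, label in LEVELS.items():
        blocked = [op for op in OPERATIONS
                   if f"{prefix}{op}prohibited".lower() in statuses]
        unprotected = [op for op in OPERATIONS if op not in blocked]
        report[label] = {"blocked": blocked, "unprotected": unprotected}
    return report


# Constructed sample WHOIS output (not a real lookup result).
SAMPLE_WHOIS = """\
Domain Name: EXAMPLE.COM
Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
Domain Status: clientUpdateProhibited https://icann.org/epp#clientUpdateProhibited
Domain Status: server Delete Prohibited
Name Server: NS1.EXAMPLE.NET
"""

if __name__ == "__main__":
    for level, result in lock_report(SAMPLE_WHOIS).items():
        print(level, result)
```

Run it against the saved text of a WHOIS lookup on your own domain; an “unprotected” entry under the registrar lock is a setting to raise with your registrar.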

 

Mandatory Domain Lock: What it Means

Rules for lock-up periods on your key domain operations are primarily meant to prevent domain abuse, like rapid resales, and ensure your registrar isn’t duped by internet crooks in a domain hijacking.

Why can’t I unlock my domain?

Per ICANN policy, registrars enforce a domain lock following a new registration, deletion, or transfer on most gTLDs. These locks will sunset after 60 days, and there’s no escape hatch before then. This time-bound lock-up sometimes also applies after changes to domain contact details, although you usually have the option to opt out of this default rule.

If you don’t fall in this category, you’re likely dealing with an auto-lock. It’s common practice for registrars to auto-lock a domain that’s been sitting unlocked for a certain amount of time (usually 30 days).

Will a domain lock prevent my domain from working?

No—a locked domain will remain fully operational, meaning things like your website hosting, features, and email are unaffected and will continue to function normally.

Can I renew my domain while it’s locked?

Yes, you’re free to renew your domain while your domain lock is active.

Can I connect my locked domain to my website?

Yes—connecting to your website is within bounds while your domain is locked. Since your domain will still remain with its current host, you can connect the domain to take visitors to your site elsewhere. This is usually done by changing name servers in your domain registrar account.

If your domain is hijacked…

Despite your best attempts at domain safety, somebody may hijack your domain nonetheless. If you’re faced with the menace of a domain hijacker, here’s the best way to wrest back your domain name.

1. Contact your registrar (or ICANN, if necessary). Talk to your registrar’s transfer dispute department and validate who you are, so you can try and regain control of your domain. If your registrar isn’t helpful, you can submit a transfer complaint form to ICANN.

2. Determine whether your domain was transferred or the DNS records were changed. There’s a chance your domain wasn’t transferred away: smarter scammers know doing so might alert the domain owner, and instead they change your DNS records to point to a malicious website. Your registrar can help you regain access to your account to resolve the problem.

3. Check marketplaces and forums. Don’t throw in the towel if you’re still without a domain. Check popular marketplaces and forums or discussion boards to see if your domain is up for sale (or raise awareness so a third party is less likely to purchase it).