New .COMs at $14.99 per year! Renewals and Transfers Too!

         
   
         

Do You Really Own Your Domain Name and Hosting Service?

More than once in recent weeks we have worked with clients who do not have control of their domain and hosting account
When you hire someone to develop your web site, even if that person is doing your site for free as a favor, the domain name should be in your name and you should have full access to the hosting account or control panel as well as any add-ons necessary for your website.

We continue to research domain name ownerships established by a third party; ie a friend, an advertising agency, web designer, or IT provider.  The purpose of our research is because the relationship between the third party and domain owner has dissolved. Subsequently the domain owner is unable to move the domain to another service or access their files.
________________________________________________________________________

Not sure of what all of this means?
Here are the basic workings of a website.

Setting up a web site consists of two parts:

1) The Domain, URL or the Dot Com.
There are servers on the internet known as DNS (Domain Name Server) Servers that deliver URL or “www” address to send the visitor to so the right web site thus appearing in the browser. Ownership of the domain name means you have purchased the right to have www.yourniftydomain.com on the internet.

2) Web Hosting Service.
This is a company that provides space on their servers to host your website. Some providers have a control panel or other means to manage your site, ftp and email accounts.  Your web site files will reside physically on this service and tell the previously mentioned DNS servers where your site is located. This is the place you make changes to your site, either directly to the files or via a content management system (CMS) like Joomla or WordPress.

The #1 important thing is YOU have proper control of the domain name and #2 is you have full access to the hosting account.

Web designers may want to put your web site on their account or related servers. By doing this, you are not protecting your business interests and relinquishing control of these basic items.

A professional can help you set up your domain and hosting and may provide hosting and domain registration services You must make sure the domains and hosting accounts are in your name

If you are working with a friend and not a professional, provide them a separate administrator account that can be removed when the work is done

Let’s take a look at each aspect and what you should know

The Domain, URL or the Dot Com
It is important that your business or organization has their domain names (eg yourniftydomain.com) registered in your company or personal name, and the administrative contact is you or a senior person within the company or organization.

There are a couple of reasons for this.

Domain names are often registered by an advertising agency, web designer, or IT provider for the customer. These companies should register the domain in their customer’s name, but often register it in their own name. This may be because they feel it is simpler and easier for them to manage it for you or various other reasons.

Domain names are valuable assets; they need to be registered in the actual owner’s name. Problems arise when the relationship dissolves and the party in whose name your domain is registered could:

  • Refuse to transfer ownership to you
  • Keep control of your web site
  • Disable your web site.
  • Replace your website with unwanted/unrelated content

In such an event, there are procedures available to restore a domain name to the proper owner. This takes considerable amount of time and money.

New web site launches could be delayed for weeks or months while the domain name ownership is resolved

There are four potential parts associated with a domain registration

  1. Registrant
    The Registrant is the licensee of the domain name – this is the individual or company who has the right to use, sell or destroy a domain name.
  2. Administrative Contact
    The Administrative Contact is the licensee’s appointed agent for the functions above and any other purpose. In the case that the Registrant is a company the Administrative Contact should be an employee, director, or manager of the company. This person has full authority for all changes so care should be taken in selecting the appropriate person for this role
  3. Technical or DNS Contact
    The Technical Contact is the person responsible for maintaining the DNS name servers associated with the domain name. This enables the contact to make updates if necessary. for example, the name of the DNS name server changes.
  4. 4.      Billing Contact
    The Billing Contact is the appointed person responsible for paying the domain name’s license renewals.

Not all registrars use all four contacts and some may use other names but all will have the Registrant and Administrative Contacts.  The most important names that establish ownership are the Registrant and Administrative Contact.

Even if the Registrant is listed in the rightful owner’s name but the Administrative Contact is in a third party’s name it can lead to problems. Domain name Registrars, such as Godaddy will ONLY take instructions from the Administrative Contact. This could be for assigning the DNS Servers, renewing, transferring or to change any of the contact information.

Our Rule: when we register a domain for a client all contact info is set to match the Administrative Contact.

There are processes available to change the Administrative Contact without the consent of the listed Administrative Contact. Due to the risk of fraud and the potential for abuse, Registrars require a significant process to ensure the domain name is not being fraudulently changed.

An ounce of prevention:  the simple solution is to set up the account correctly from the beginning as this can be an expensive and time consuming process to correct  if it is not done properly.

How do your Determine the names listed on your domain name?

There are a few services to check domain ownership, I personally start with http://whois.domaintools.com. You simply enter the domain name and click lookup and it will return the available registration info associated with the domain name. Depending on the Registrar, you may or may not be able to see all of the contact information and you may need to create an account with Domain Tools to view all of the contact information., This as a free of charge.  Once you see the company that registered the domain then you can go directly to their whois service.

Once you are able view the Registrant and Administrative Contacts make sure these show your correct company name, address, phone number and email address associated with your company and preferably have these match your official company documents such as Articles of Incorporation or business license. If it is a personal site the information should match your driver’s license or some other legal document. If you should need to prove ownership you have matching legal documents.

You should also make sure the Registrar Status is Locked or states Transfer Prohibited. Each Registrar has different terms for displaying the status and you should research the status to make sure it is locked with the Registrar. Locking the domain is done in order to prevent unauthorized, unwanted or accidental changes to the domain name.

Privacy Protection

There is another level of protection called Domain Privacy which hides the true contact information from public searches. There are different reasons to enable Domain Privacy and if you are using this service you will probably be aware of it. With Domain Privacy the Registrar shows generic contact information and will relay any public requests to the actual registered owner. If this turns out to be the case then you will need to check further to make sure you have ownership which can be done by logging into the management area at the Registrar.

Finally, you should have a management login for the domain name with the Registrar. This varies between Registrars but if you registered your domain name or the domain name was registered for you by an advertising agency, web designer, or IT provider this information should have been provided.  This is where you would adjust contact information and set name servers to point your domain at a webhosting service, among other things. If you do not have this login information contact the Registrar or the third party who registered your domain name for you and request the credentials. Change the password and keep this information in a safe place.

Web Hosting Service.

When your webhost service provider created your hosting account you should have been provided a control panel login or a means to log into your account. There are different hosting control panels such as Cpanel, Plesk or DotNetPanel to name a few. These control panels enable you to perform various tasks related to your website such as:

  • Create FTP accounts
  • Create Email Addresses
  • Install software like WordPress
  • Backup your site
  • Create sub domains
  • Park additional domains
  • Create databases

These services are a few of the things you may or may not be able to do based on the account you purchased but you should have the ability to perform some of the tasks above.

Normally the control panel is accessed by adding something to your URL like yourniftydomain.com/cpanel and this depends on the software your hosting company uses.

Ownership.  It is yours

Ultimately having full and complete ownership of your domain and hosting is the best scenario. You can always recreate a website but if someone else has control of your domain name things get a more complicated.

Summary

Hopefully everything is in order but if you have found an issue you are probably asking, “what do I do now?” First, start with the person or company that created these accounts for you with them and ask that corrections are made and accesses to accounts are provided. Even if you do not have a good relationship with the company they will more than likely turn things over and transfer domains to you.   There is no legitimate reason for them to keep ownership beyond payment for these services. If they will not transfer these accounts, you may need to consider legal action. We cannot give you legal advice, but you will need to consult an attorney for this.  Depending on how the domain is registered we can provide some steps to recover ownership of your domain.

If you would like us to look at your domain name then send  us your  information here http://www.fullthrottlewebdesign.com/contact-us/ and we will provide you a report of our research.

Extremely Large WordPress WP-Admin Brute Force Attacks

wptargetedThere is an ongoing WordPress brute-force attack that is affecting a large number of providers.  CloudFlare has made a blog post about the issue and has reported that the attack is coming from upwards of 100,000 individual IP addresses or systems.  Many providers have had entire servers taken offline and accounts compromised as a result of this ongoing attack.

While we haven’t had any servers go offline as a result of these attacks the larger issue comes as a result of any compromised WordPress installations that may result from this attack.  Should your WordPress installation be brute-forced successfully, the attacker could upload malicious files to your account to include your account in this attack, future attacks, or worse.  They could view all of your data, delete your data, modify your data, etc.

One basic step that can be taken to protect your WordPress installation and your account with us, is to make sure that you are not using the default username of ‘admin’ for your WordPress administration.  This is the default username for a new WordPress installation.  WordPress does suggest changing this username as a method of security through obscurity. We have followed these steps for years and if FullThrottle Webdesign has created a site for you, we do not use the Admin username.

As a result of this attack we’ve chosen to take a step that we would not ordinarily take, and that is to change the log-in username of any WordPress installation where it is currently ‘admin’.  This not only will help keep your account secure from this attack, but also from all possible future brute-force attacks on your WordPress installations while still allowing you full access to your WordPress administration via the new username.  Keep in mind that if you’ve already changed your administration username to something other than ‘admin’ or you use an alternate username to log-in to your WordPress administration – this change will not affect you.

In the interest of keeping your WordPress installation secure, and keeping the username obscure from potential attackers we are not going to include the new usernames into this post.  We are going to be sending out a mass mail to all of our customers advising you of the change and what the new usernames are.

If you have any questions about this, you are welcome to ask them here if they are generic in nature.  If your questions are specific to your account, do please open a support ticket and a member of the senior staff will answer your questions concerning this.

Update regarding WordPress Network/MultiSite:
An issue has come to our attention regarding WordPress Network Installations (formerly WordPress MultiSite). If you were previously using the default ‘admin’ log in to access all of your WordPress network sites and can no longer access other sites in your WordPress network with the new username, please open a support ticket so can verify the issue and correct it for you. When opening the support ticket, please be sure to include the URL to access WordPress, and if possible, the WordPress database name.

Do not reply on our forums to request assistance with this issue. A support ticket is required to protect the privacy of your information.

123