As someone who runs a stolen domain name recovery service, let's see, here are a few I can think of. Others have done a good job of covering most points (2FA with an app and YubiKey, choose a secure registrar, etc.).
- Don't give your login credentials to your web designer/developer. Unfortunately there are unethical ones out there that will literally push the domain to their own account. Then when the project is over, they won't give you the domain back until you pay them more money. Cybercrime and extortion. Happens WAY more than you think. I get those cases at least once a week.
- Don't use a Gmail account where 27 of your company employees all use the same Gmail.
- When upgrading your iPhone, don't let it out of your sight. Don't let the employee take your phone to the back to upgrade it... they may copy your SIM card and have full access to your phone, steal your crypto and steal all your domain names. Don't do that especially if you're a celebrity. Yeah, I got the domain back for them.
- Use registry lock, executive lock, registrar lock.
- Don't use a fake name and address when registering a domain. It's impossible to get your domain back when someone steals your domain and you have to prove to the registrar who you are: you literally don't have a driver's license or any paperwork that shows you're that fake name. So... you're not getting that domain back, no matter how valuable it is. I literally had a guy come to me/us for domain recovery. He said he used a fake name and fake address because of "privacy".
- Never use your domain name registrar for your web host. Yeah, it happens. Someone hacks into your WordPress or your server, then they have access to your email accounts on that server. Then they can get into your registrar account, transfer domains, get auth codes, etc.
- Never use the same domain's email listed on the WHOIS record. For example, on the WHOIS record for 'hartzer dot com' don't use something like [email protected]. Use another email address, preferably NOT a Gmail or Hotmail or outlook.com email address. Use another domain's email, on a domain YOU own, like billhartzer dot com email. And oh yeah... make sure that you RENEW the domain (i.e., renew billhartzer.com if you're using that email as contact info on a domain record). People have stolen domains by registering a domain that was used on a WHOIS record. I've had that several times... and I believe there was a publicly disclosed case where that happened to Tilt dot com and CustomTilt dot com.
What more? I certainly have more stories after having recovered over 1,000 domains for people and companies over the past several years of doing this.
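
The WHOIS contact email and lock advice in the post above, turned into a portfolio self-audit. This is an added example, not part of the original post; the inventory, its field names and the 90-day renewal window are constructed assumptions, and the two lock values are the standard EPP status codes for registrar and registry transfer locks.

```python
from datetime import date

# Constructed sample inventory, not real registry data. Field names are assumptions.
PORTFOLIO = [
    {"domain": "example.com", "contact_email": "admin@example.com",
     "expires": date(2030, 1, 1), "statuses": ["clientTransferProhibited"]},
    {"domain": "example.net", "contact_email": "hostmaster@mail.example.org",
     "expires": date(2027, 6, 1), "statuses": []},
    {"domain": "example.org", "contact_email": "owner@gmail.com",
     "expires": date(2025, 2, 1),
     "statuses": ["clientTransferProhibited", "serverTransferProhibited"]},
]
FREEMAIL = {"gmail.com", "hotmail.com", "outlook.com"}
TRANSFER_LOCKS = {"clientTransferProhibited", "serverTransferProhibited"}  # EPP codes


def owning_domain(host, names):
    """Return the portfolio domain that `host` equals or sits under, else None."""
    return next((n for n in names if host == n or host.endswith("." + n)), None)


def audit(portfolio, today, renew_window_days=90):
    """Map each domain to a list of findings about its contact email and locks."""
    by_name = {r["domain"].lower(): r for r in portfolio}
    report = {}
    for name, rec in by_name.items():
        findings = []
        host = rec["contact_email"].rsplit("@", 1)[-1].strip().lower().rstrip(".")
        owner = owning_domain(host, by_name)
        if owner == name:
            findings.append("contact email is on the domain itself")
        elif host in FREEMAIL:
            findings.append("contact email is on a free webmail provider")
        elif owner is None:
            findings.append(f"contact email domain {host} is not in the portfolio")
        else:
            # The contact domain is ours: make sure it will not lapse unnoticed.
            days_left = (by_name[owner]["expires"] - today).days
            if days_left < 0:
                findings.append(f"contact email domain {owner} has expired")
            elif days_left <= renew_window_days:
                findings.append(f"contact email domain {owner} expires in {days_left} days")
        if not TRANSFER_LOCKS & set(rec["statuses"]):
            findings.append("no transfer lock status set")
        report[name] = findings
    return report


if __name__ == "__main__":
    for domain, findings in audit(PORTFOLIO, today=date(2025, 1, 15)).items():
        print(domain, "->", findings or ["ok"])
```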