Locking down a Compromised Account
If you experience security difficulties, locking someone completely out of your account requires a number of steps.
Your account's security can become compromised in a number of ways:
- Customer accounts can be accessed by password, or validated over the phone by PIN or account billing information.
- Hosting can be accessed through the main customer account or via FTP.
- Databases have their own passwords.
- Other products, such as email, have individual passwords.
- Domain names with outdated contact information are susceptible to transfer or change of account by the currently-listed registrant.
Security compromises generally happen in one of the following ways:
- The other party had the information in the first place (spouse, webmaster, business partner).
- The other party determined one of your passwords or other login info such as PIN or last 6 digits of credit card.
- You did not update a domain name's contact information.
- Your computer has a key logger installed, which the other party used to access your account.
NOTE: A key logger is a program that records the keystrokes you type and sends them to a third party. This is a frequent type of spyware in free applications such as screen savers. Accessing your account from public computers or letting less cautious users use your machine can increase the risk of exposure.
You must remove key loggers or any other malware first; otherwise, any updates you make might not prevent further security issues. Once you are on a clean local computer, follow these steps to lock down your account.
Changing Account Ownership Information
To update the account owner name, phone number, or mailing address see Managing Your Account Information.
Updating the Account Security Settings
Change your account password, the password hint and the account PIN.
To Update the Account Security Settings
- Log in to your Account Manager.
- From My Account, click Settings.
- Click Account Security Settings.
- In the Current Password field, enter your current password.
- In the New Password and Confirm Password fields, enter your new password. The password must meet these requirements:
  - 8-14 characters in length
  - Contain at least one upper case letter
  - Contain at least one lower case letter
  - Contain at least one number (the password cannot start with a number)
  - No special characters
- Select Card on File if you want the account to lock itself after five consecutive failed login attempts.
- In the Password Hint field, enter a hint to jog your memory later.
- In the Call in PIN field, change your PIN to something new and difficult to guess.
- Click Save Changes.
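Because the requirements above rule out special characters and cap the length at 14, a randomly generated password of the maximum length is the strongest one the form accepts. The following is an added example, not code from the original page; the function names are hypothetical. It checks a candidate against the listed requirements and generates a compliant random password.

```python
import secrets
import string

# Character set and length limits taken from the requirements listed above.
ALPHANUMERIC = string.ascii_letters + string.digits
MIN_LENGTH, MAX_LENGTH = 8, 14


def meets_policy(password):
    """Return True if the candidate satisfies every listed requirement."""
    return (
        MIN_LENGTH <= len(password) <= MAX_LENGTH
        and all(ch in ALPHANUMERIC for ch in password)  # no special characters
        and not password[0].isdigit()                   # cannot start with a number
        and any(ch in string.ascii_uppercase for ch in password)
        and any(ch in string.ascii_lowercase for ch in password)
        and any(ch in string.digits for ch in password)
    )


def generate_password(length=MAX_LENGTH):
    """Draw random alphanumeric strings until one meets the policy.

    Rejecting and redrawing (instead of patching a failed candidate) keeps
    every compliant password equally likely.
    """
    if not MIN_LENGTH <= length <= MAX_LENGTH:
        raise ValueError("length must be between 8 and 14")
    while True:
        candidate = "".join(secrets.choice(ALPHANUMERIC) for _ in range(length))
        if meets_policy(candidate):
            return candidate


if __name__ == "__main__":
    print(generate_password())
```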
Changing Your Billing Information
The last six digits of your payment methods can be used to validate your account over the phone. Changing this information can prevent someone from accessing your account.
Adding a new payment method and removing the existing ones can prevent someone from accessing your account over the phone.
NOTE: You must have at least one payment method active in your account if you have active products or services, so you must add a new payment method before you can remove all your existing payment methods.
Here are additional resources to assist you with updating your payment information:
Updating Domain Name Information to Prevent Transfer
Domain names with outdated contact information are susceptible to transfer or change of account requested by the currently-listed registrant. If the requestor proves they are the owner using the registrant contact information, they can successfully request a domain name change of account. We email information for domain transfer to the administrative contact email address for the domain name. To protect domain names, all domain name contact information should be up to date.
For more information, see Updating Your Domain Name Contact Information.
WARNING: You voluntarily agree to a 60-day lock preventing you from transferring your domain name when you update the first name and last name or organization for the registrant contact.
For additional domain name protection consider Protected Registration. For more information, see What is Protected Registration?
Updating Hosting and all FTP user Passwords
If your website has been compromised, you need to fix any corrupted files after securing your account. Compromised code can live in either the website's files or the database; some scripts can even move back and forth between the two. Be aware that applications which have not been systematically updated to address security risks are also vulnerabilities.
Website Protection Site Scanner can help you identify weaknesses hackers can use to compromise your site. For more information, see Why do I need Website Protection Site Scanner if you host my website?
If necessary, you can change the password for your hosting account, which you use to upload files via FTP.
For more information, see Changing Your Hosting Account (FTP/Panel) Password and Username.
Updating Database Passwords
Database passwords can be a weakness, just like any other password. However, updating them can pose problems for the function of your website.
Database passwords are separate from the rest of the hosting account, including other databases. However, updating the database password can make your website cease working. If you update database passwords, you need to update them in the database, the connection strings (configuration file), and, potentially, any HTML files using the database. You should only do this if you know how, have done adequate research, or have contracted expert assistance to do it for you.
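Before changing a database password, it helps to know every file that contains the current one, so that each can be updated and the site does not stop working. The following is an added example, not code from the original page; the function name and the list of file extensions are assumptions. It scans a local copy of the site and reports where the password appears without printing the password itself.

```python
import os

# File types that commonly hold connection strings (assumed list; adjust to your site).
CONFIG_SUFFIXES = (".php", ".inc", ".ini", ".env", ".config", ".xml",
                   ".json", ".yml", ".yaml", ".html", ".htm", ".asp", ".aspx")


def find_credential_references(site_root, secret):
    """Return sorted (relative_path, line_number) pairs for lines containing secret.

    The secret is never included in the result, so the report can be shared
    with whoever is helping with the cleanup.
    """
    if not secret:
        raise ValueError("secret must be a non-empty string")
    hits = []
    for folder, _dirs, files in os.walk(site_root):
        for name in files:
            if not name.lower().endswith(CONFIG_SUFFIXES):
                continue  # skip images, archives and other non-text files
            path = os.path.join(folder, name)
            try:
                with open(path, encoding="utf-8", errors="replace") as handle:
                    for number, line in enumerate(handle, start=1):
                        if secret in line:
                            hits.append((os.path.relpath(path, site_root), number))
            except OSError:
                continue  # unreadable file: skip it rather than abort the scan
    return sorted(hits)


if __name__ == "__main__":
    import tempfile

    # Constructed sample site with a constructed password, for demonstration only.
    with tempfile.TemporaryDirectory() as root:
        with open(os.path.join(root, "config.php"), "w", encoding="utf-8") as f:
            f.write("<?php\n$db_pass = 'OldPass123';\n")
        with open(os.path.join(root, "contact.html"), "w", encoding="utf-8") as f:
            f.write("<html>\n<!-- pwd=OldPass123 -->\n</html>\n")
        for path, line in find_credential_references(root, "OldPass123"):
            print(f"{path}:{line} still contains the old database password")
```

Run it again with the old password after the change; an empty result means no scanned file still references it.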
For more information, see:
Resetting Your MySQL Database Password
Updating Other Product Passwords
Use these resources to update passwords related to products in your account: