DNS & Domain Guides

Registrar Lock: Preventing Unauthorized Domain Transfers

Learn what registrar lock is, how it protects a domain from unauthorized transfers, when to keep it enabled, and when to disable it safely.

By CheckDomainHealth Editorial Team Reviewed by Dionis Ceban Updated Jun 28, 2026 7 min read Beginner

Introduction

Registrar lock is a domain security setting that helps prevent unauthorized transfers from one registrar to another. When enabled, the domain cannot usually be transferred away until the owner unlocks it.

For most domains, registrar lock should stay enabled by default. It protects against accidental transfers, unauthorized transfer attempts and account-management mistakes. The lock is usually disabled only when you intentionally want to transfer the domain to another registrar.

Quick answer

Quick answer

Registrar lock is a protection setting that prevents a domain from being transferred to another registrar without first unlocking it. In WHOIS or RDAP results, it often appears as clientTransferProhibited. This status is common and usually means the domain is protected against transfer.

What is registrar lock?

Registrar lock, also called domain lock or transfer lock, is a registrar-level protection that blocks domain transfers unless the lock is removed.

When registrar lock is active, WHOIS or RDAP may show a status such as:

Common status
clientTransferProhibited

This usually means the domain cannot be transferred to another registrar until the owner unlocks it inside the registrar account.

Registrar lock does not normally stop the domain from working. It only affects transfer ability.

Why registrar lock matters

Registrar lock matters because the domain name is often one of the most important assets behind a website, email system or business identity.

Prevents unauthorized transfers

The domain cannot usually be moved to another registrar while locked.

Reduces accidental transfer risk

It helps avoid mistakes when multiple people manage domains.

Protects business continuity

If a domain is transferred incorrectly, website, email and DNS management can become disrupted.

Adds a security layer

It works together with registrar account security, two-factor authentication and domain ownership controls.

Supports safer domain management

Domains can stay locked until a planned transfer is needed.

Registrar lock is not a replacement for account security. If someone controls the registrar account, they may still be able to unlock the domain.

What clientTransferProhibited means

clientTransferProhibited is a common domain status code that means the registrar has placed a transfer lock on the domain.

In most cases, this is normal and safe. Many registrars enable this status by default to prevent unauthorized transfers.

Status

clientTransferProhibited

Why it matters: The domain is locked against transfer.

Usually a problem?

No, unless you are trying to transfer the domain.

Why it matters: This status is protective for most active domains.

What to do

Keep it enabled unless you intentionally need to transfer the domain.

Why it matters: Unlock only for planned transfers and request an authorization code.

If you are planning a transfer, you usually need to unlock the domain first and request an authorization code.

Registrar lock vs other domain statuses

Status codes compared

Do not confuse transfer lock with hold or expiry-related statuses. clientTransferProhibited is usually protective, while clientHold or redemptionPeriod may require urgent attention.

Status code Meaning
clientTransferProhibited Domain transfer is locked. Usually normal and protective.
clientUpdateProhibited Some domain updates may be restricted.
clientDeleteProhibited Domain deletion is restricted.
clientHold Domain may be on hold and may stop resolving.
redemptionPeriod Domain expired and is in recovery stage.
pendingDelete Domain is near deletion and may be released.

When should registrar lock be enabled?

For most domains, registrar lock should remain enabled all the time.

Keep it enabled when:

  • the domain is used for a live website
  • the domain is used for business email
  • the domain is important for branding
  • the domain is managed by a business or agency
  • no registrar transfer is planned
  • multiple people have access to domain management
  • the domain is connected to production systems

Important domains should also use strong registrar passwords, two-factor authentication and monitored contact email addresses.

When should registrar lock be disabled?

Registrar lock should usually be disabled only when you intentionally want to transfer the domain to another registrar.

Before disabling registrar lock, confirm:

  • you are transferring the correct domain
  • the destination registrar is correct
  • you have registrar account access
  • you have access to the domain owner email
  • the domain is not expired or in redemption
  • the domain is eligible for transfer
  • you have or can request the EPP/Auth code

Do not leave registrar lock disabled after a transfer is completed or canceled. Re-enable it when possible.

Registrar lock and EPP/Auth code

To transfer a domain, most registrars require an authorization code, often called an EPP code, Auth code or transfer code.

Registrar lock and EPP/Auth code work together:

  • registrar lock blocks transfer while enabled
  • EPP/Auth code authorizes the transfer request
  • transfer approval usually happens through registrar emails or account actions

Never share an EPP/Auth code unless you are intentionally transferring the domain.

How to check registrar lock status

Use WHOIS Lookup to review domain status codes. Look for statuses such as clientTransferProhibited, clientUpdateProhibited, clientHold or redemptionPeriod.

When checking registrar lock, review

These five areas help confirm whether the domain is protected and healthy.

Domain status

Look for clientTransferProhibited or similar transfer lock status.

Registrar

Confirm which company currently manages the domain.

Expiry date

Check that the domain is active and not close to expiration.

Nameservers

Confirm whether nameservers look expected.

Updated date

Recent changes may indicate registrar, status or nameserver updates.

Check registrar lock now

Use WHOIS Lookup to review domain status, registrar, expiry date and nameservers.

Run WHOIS Lookup →

Common registrar lock problems

Registrar lock is disabled unexpectedly

High

The domain may be transferable if someone has the EPP/Auth code and transfer approval access.

Next step: Re-enable registrar lock if no transfer is planned and review registrar account security.

Domain cannot be transferred

Medium

Registrar lock may be enabled, or the domain may be ineligible for transfer due to registry or registrar rules.

Next step: Unlock the domain only if you intentionally want to transfer it and confirm eligibility.

EPP/Auth code was shared with the wrong party

High

The authorization code can be used to initiate a domain transfer.

Next step: Cancel any unauthorized transfer request, regenerate the code if possible and contact the registrar.

Domain status shows clientHold

High

This is not just a transfer lock. The domain may stop resolving.

Next step: Contact the registrar and resolve billing, verification or policy issues.

Domain is expired or in redemption

High

Expired or redemption-stage domains may have transfer restrictions and recovery costs.

Next step: Renew or recover the domain through the current registrar first.

Transfer lock prevents planned migration

Low

The domain is protected, but the lock must be removed before a planned transfer.

Next step: Unlock the domain temporarily, complete the transfer, then enable lock at the new registrar.

Wrong registrar account controls the domain

Medium

The domain may be managed by an old agency, employee or reseller.

Next step: Confirm ownership and regain registrar account access.

Registrar lock was not re-enabled after transfer

Medium

The domain may remain less protected after moving to a new registrar.

Next step: Enable transfer lock at the new registrar.

How to manage registrar lock safely

  1. Check the current domain status

    Use WHOIS Lookup to see whether the domain shows clientTransferProhibited or another transfer-related status.

  2. Confirm registrar account access

    Make sure the correct domain owner can log in to the registrar account and manage security settings.

  3. Keep lock enabled by default

    If no transfer is planned, keep registrar lock enabled for important domains.

  4. Unlock only for planned transfers

    Disable registrar lock only when you intentionally want to transfer the domain.

  5. Protect the EPP/Auth code

    Request and share the EPP/Auth code only with the trusted destination registrar or responsible administrator.

  6. Monitor transfer emails

    Watch registrar emails during transfer. Unauthorized transfer requests should be canceled immediately.

  7. Re-enable lock after transfer

    After the domain arrives at the new registrar, enable registrar lock again if it is not enabled automatically.

  8. Improve account security

    Use strong passwords, two-factor authentication and monitored registrar contact emails.

Registrar lock status example

Sample WHOIS output
Domain: example.com
Registrar: Example Registrar Inc.
Status:
  clientTransferProhibited
  clientUpdateProhibited
Expires: 2027-05-12
Nameservers:
  ns1.provider.com
  ns2.provider.com

Meaning:
- Transfer lock is enabled
- Domain is protected against registrar transfer
- Domain is active and not near expiry
Check commands
whois example.com
dig example.com NS
dig example.com SOA

WHOIS status labels can vary by registry and registrar. Always confirm transfer lock inside the registrar account before starting a transfer.

Safe domain transfer checklist

Before transferring a domain, confirm:

  • domain is active and not expired
  • domain is eligible for transfer
  • registrar lock can be disabled
  • correct destination registrar is selected
  • owner email is accessible
  • EPP/Auth code is requested securely
  • nameservers and DNS records are documented
  • email and website services are understood
  • transfer request is expected
  • lock will be re-enabled after transfer

A registrar transfer does not necessarily change DNS records, but mistakes during domain management can still affect nameservers, billing or access.

Registrar lock and domain security

Registrar lock is one layer of domain security. It should be combined with other protections.

Recommended protections:

  • strong registrar account password
  • two-factor authentication
  • monitored account email
  • current billing details
  • limited account access
  • domain expiry monitoring
  • registrar lock enabled
  • careful handling of EPP/Auth codes

For important business domains, domain security should be treated like server or email security.

Registrar lock and DNS

Registrar lock usually does not stop DNS records from working. A locked domain can still use normal nameservers, DNS records, email and SSL.

However, if the registrar account is compromised, an attacker may try to unlock the domain, change nameservers or initiate a transfer. This is why registrar lock should be combined with account security and DNS monitoring.

Frequently asked questions

What is registrar lock?

Registrar lock is a domain protection setting that prevents a domain from being transferred to another registrar until it is unlocked.

What does clientTransferProhibited mean?

It usually means the domain is locked against transfer. This is common and normally protective.

Should registrar lock be enabled?

Yes, for most active domains it should remain enabled unless you are intentionally transferring the domain.

Does registrar lock affect my website?

Usually no. Registrar lock affects domain transfer ability, not normal website or DNS operation.

How do I transfer a locked domain?

You usually need to unlock the domain at the registrar, request the EPP/Auth code, start the transfer at the new registrar and approve the transfer.

Is registrar lock the same as domain expiry?

No. Registrar lock protects against transfer. Domain expiry relates to renewal and registration period.

Can someone steal my domain if registrar lock is enabled?

Registrar lock reduces transfer risk, but account security is still critical. Protect registrar login, email and EPP/Auth codes.

Should I disable registrar lock permanently?

No. Disable it only for a planned transfer and re-enable it after the transfer is complete.

Use these free tools to verify your configuration after applying changes.

Browse all DNS & Domain guides →

Need help applying this fix?

Send us your domain, report link or issue details. CheckDomainHealth will review the request and route it to the right technical team if hands-on support is needed.

Get Help Run Domain Health Check

Was this guide helpful?

Your feedback helps us improve our guides for everyone.