Registrar Lock: Preventing Unauthorized Domain Transfers
Learn what registrar lock is, how it protects a domain from unauthorized transfers, when to keep it enabled, and when to disable it safely.
Introduction
Registrar lock is a domain security setting that helps prevent unauthorized transfers from one registrar to another. When enabled, the domain cannot usually be transferred away until the owner unlocks it.
For most domains, registrar lock should stay enabled by default. It protects against accidental transfers, unauthorized transfer attempts and account-management mistakes. The lock is usually disabled only when you intentionally want to transfer the domain to another registrar.
Quick answer
Registrar lock is a protection setting that prevents a domain from being transferred to another registrar without first unlocking it. In WHOIS or RDAP results, it often appears as clientTransferProhibited. This status is common and usually means the domain is protected against transfer.
What is registrar lock?
Registrar lock, also called domain lock or transfer lock, is a registrar-level protection that blocks domain transfers unless the lock is removed.
When registrar lock is active, WHOIS or RDAP may show a status such as:
clientTransferProhibited
This usually means the domain cannot be transferred to another registrar until the owner unlocks it inside the registrar account.
Registrar lock does not normally stop the domain from working. It only affects transfer ability.
Why registrar lock matters
Registrar lock matters because the domain name is often one of the most important assets behind a website, email system or business identity.
Prevents unauthorized transfers
The domain cannot usually be moved to another registrar while locked.
Reduces accidental transfer risk
It helps avoid mistakes when multiple people manage domains.
Protects business continuity
If a domain is transferred incorrectly, website, email and DNS management can become disrupted.
Adds a security layer
It works together with registrar account security, two-factor authentication and domain ownership controls.
Supports safer domain management
Domains can stay locked until a planned transfer is needed.
Registrar lock is not a replacement for account security. If someone controls the registrar account, they may still be able to unlock the domain.
What clientTransferProhibited means
clientTransferProhibited is a common domain status code that means the registrar has placed a transfer lock on the domain.
In most cases, this is normal and safe. Many registrars enable this status by default to prevent unauthorized transfers.
Status
clientTransferProhibited
Why it matters: The domain is locked against transfer.
Usually a problem?
No, unless you are trying to transfer the domain.
Why it matters: This status is protective for most active domains.
What to do
Keep it enabled unless you intentionally need to transfer the domain.
Why it matters: Unlock only for planned transfers and request an authorization code.
If you are planning a transfer, you usually need to unlock the domain first and request an authorization code.
Registrar lock vs other domain statuses
Status codes compared
Do not confuse transfer lock with hold or expiry-related statuses. clientTransferProhibited is usually protective, while clientHold or redemptionPeriod may require urgent attention.
| Status code | Meaning |
|---|---|
| clientTransferProhibited | Domain transfer is locked. Usually normal and protective. |
| clientUpdateProhibited | Some domain updates may be restricted. |
| clientDeleteProhibited | Domain deletion is restricted. |
| clientHold | Domain may be on hold and may stop resolving. |
| redemptionPeriod | Domain expired and is in recovery stage. |
| pendingDelete | Domain is near deletion and may be released. |
When should registrar lock be enabled?
For most domains, registrar lock should remain enabled all the time.
Keep it enabled when:
- the domain is used for a live website
- the domain is used for business email
- the domain is important for branding
- the domain is managed by a business or agency
- no registrar transfer is planned
- multiple people have access to domain management
- the domain is connected to production systems
Important domains should also use strong registrar passwords, two-factor authentication and monitored contact email addresses.
When should registrar lock be disabled?
Registrar lock should usually be disabled only when you intentionally want to transfer the domain to another registrar.
Before disabling registrar lock, confirm:
- you are transferring the correct domain
- the destination registrar is correct
- you have registrar account access
- you have access to the domain owner email
- the domain is not expired or in redemption
- the domain is eligible for transfer
- you have or can request the EPP/Auth code
Do not leave registrar lock disabled after a transfer is completed or canceled. Re-enable it when possible.
Registrar lock and EPP/Auth code
To transfer a domain, most registrars require an authorization code, often called an EPP code, Auth code or transfer code.
Registrar lock and EPP/Auth code work together:
- registrar lock blocks transfer while enabled
- EPP/Auth code authorizes the transfer request
- transfer approval usually happens through registrar emails or account actions
Never share an EPP/Auth code unless you are intentionally transferring the domain.
How to check registrar lock status
Use WHOIS Lookup to review domain status codes. Look for statuses such as clientTransferProhibited, clientUpdateProhibited, clientHold or redemptionPeriod.
When checking registrar lock, review
These five areas help confirm whether the domain is protected and healthy.
Domain status
Look for clientTransferProhibited or similar transfer lock status.
Registrar
Confirm which company currently manages the domain.
Expiry date
Check that the domain is active and not close to expiration.
Nameservers
Confirm whether nameservers look expected.
Updated date
Recent changes may indicate registrar, status or nameserver updates.
Check registrar lock now
Use WHOIS Lookup to review domain status, registrar, expiry date and nameservers.
Common registrar lock problems
Registrar lock is disabled unexpectedly
HighThe domain may be transferable if someone has the EPP/Auth code and transfer approval access.
Next step: Re-enable registrar lock if no transfer is planned and review registrar account security.
Domain cannot be transferred
MediumRegistrar lock may be enabled, or the domain may be ineligible for transfer due to registry or registrar rules.
Next step: Unlock the domain only if you intentionally want to transfer it and confirm eligibility.
EPP/Auth code was shared with the wrong party
HighThe authorization code can be used to initiate a domain transfer.
Next step: Cancel any unauthorized transfer request, regenerate the code if possible and contact the registrar.
Domain status shows clientHold
HighThis is not just a transfer lock. The domain may stop resolving.
Next step: Contact the registrar and resolve billing, verification or policy issues.
Domain is expired or in redemption
HighExpired or redemption-stage domains may have transfer restrictions and recovery costs.
Next step: Renew or recover the domain through the current registrar first.
Transfer lock prevents planned migration
LowThe domain is protected, but the lock must be removed before a planned transfer.
Next step: Unlock the domain temporarily, complete the transfer, then enable lock at the new registrar.
Wrong registrar account controls the domain
MediumThe domain may be managed by an old agency, employee or reseller.
Next step: Confirm ownership and regain registrar account access.
Registrar lock was not re-enabled after transfer
MediumThe domain may remain less protected after moving to a new registrar.
Next step: Enable transfer lock at the new registrar.
How to manage registrar lock safely
-
Check the current domain status
Use WHOIS Lookup to see whether the domain shows clientTransferProhibited or another transfer-related status.
-
Confirm registrar account access
Make sure the correct domain owner can log in to the registrar account and manage security settings.
-
Keep lock enabled by default
If no transfer is planned, keep registrar lock enabled for important domains.
-
Unlock only for planned transfers
Disable registrar lock only when you intentionally want to transfer the domain.
-
Protect the EPP/Auth code
Request and share the EPP/Auth code only with the trusted destination registrar or responsible administrator.
-
Monitor transfer emails
Watch registrar emails during transfer. Unauthorized transfer requests should be canceled immediately.
-
Re-enable lock after transfer
After the domain arrives at the new registrar, enable registrar lock again if it is not enabled automatically.
-
Improve account security
Use strong passwords, two-factor authentication and monitored registrar contact emails.
Registrar lock status example
Domain: example.com
Registrar: Example Registrar Inc.
Status:
clientTransferProhibited
clientUpdateProhibited
Expires: 2027-05-12
Nameservers:
ns1.provider.com
ns2.provider.com
Meaning:
- Transfer lock is enabled
- Domain is protected against registrar transfer
- Domain is active and not near expiry
whois example.com
dig example.com NS
dig example.com SOA
WHOIS status labels can vary by registry and registrar. Always confirm transfer lock inside the registrar account before starting a transfer.
Safe domain transfer checklist
Before transferring a domain, confirm:
- domain is active and not expired
- domain is eligible for transfer
- registrar lock can be disabled
- correct destination registrar is selected
- owner email is accessible
- EPP/Auth code is requested securely
- nameservers and DNS records are documented
- email and website services are understood
- transfer request is expected
- lock will be re-enabled after transfer
A registrar transfer does not necessarily change DNS records, but mistakes during domain management can still affect nameservers, billing or access.
Registrar lock and domain security
Registrar lock is one layer of domain security. It should be combined with other protections.
Recommended protections:
- strong registrar account password
- two-factor authentication
- monitored account email
- current billing details
- limited account access
- domain expiry monitoring
- registrar lock enabled
- careful handling of EPP/Auth codes
For important business domains, domain security should be treated like server or email security.
Registrar lock and DNS
Registrar lock usually does not stop DNS records from working. A locked domain can still use normal nameservers, DNS records, email and SSL.
However, if the registrar account is compromised, an attacker may try to unlock the domain, change nameservers or initiate a transfer. This is why registrar lock should be combined with account security and DNS monitoring.
Frequently asked questions
What is registrar lock?
Registrar lock is a domain protection setting that prevents a domain from being transferred to another registrar until it is unlocked.
What does clientTransferProhibited mean?
It usually means the domain is locked against transfer. This is common and normally protective.
Should registrar lock be enabled?
Yes, for most active domains it should remain enabled unless you are intentionally transferring the domain.
Does registrar lock affect my website?
Usually no. Registrar lock affects domain transfer ability, not normal website or DNS operation.
How do I transfer a locked domain?
You usually need to unlock the domain at the registrar, request the EPP/Auth code, start the transfer at the new registrar and approve the transfer.
Is registrar lock the same as domain expiry?
No. Registrar lock protects against transfer. Domain expiry relates to renewal and registration period.
Can someone steal my domain if registrar lock is enabled?
Registrar lock reduces transfer risk, but account security is still critical. Protect registrar login, email and EPP/Auth codes.
Should I disable registrar lock permanently?
No. Disable it only for a planned transfer and re-enable it after the transfer is complete.
Related tools
Use these free tools to verify your configuration after applying changes.
Related guides
Browse all DNS & Domain guides →Need help applying this fix?
Send us your domain, report link or issue details. CheckDomainHealth will review the request and route it to the right technical team if hands-on support is needed.
Was this guide helpful?
Your feedback helps us improve our guides for everyone.
Thanks for your feedback!