What should I do first if I'm locked out of my own website?

Before anything else, copy whatever you can still reach. If any login still works — the website editor, the hosting control panel, an email account on your domain — quietly pull a full backup of your files and database and export your contact and customer lists to somewhere you own. Access can be revoked the moment a vendor senses you're leaving, so capture your leverage while you still have it.

Is my domain in my control, and how do I tell?

Separate three things: the registrar (the company where the domain is registered), the registrant (the legal owner — a field in the domain record), and the account login. Look yourself up at ICANN's public lookup tool to see who's listed. If the registrar account is yours, you control the domain. If it's in the vendor's account but registered to you, request the authorization (auth/EPP) code and start a transfer — your registrar must provide that code within five days and can't withhold it over a billing dispute.

Can I move my website to a new host without the old vendor's help?

Yes — once you control the domain. Nameservers are the switchboard that tells the internet which server answers for your domain. Point them at a new host, upload your site, and you're live again on your own terms, with no cooperation needed from the old vendor. This is the single move that gets your business back online.

How do I get my website files back if the vendor controls the hosting?

If you have the hosting login, pull a complete backup of the files and database. If you don't, most reputable hosts have a documented process to return an account to its verified owner — ask their support what proof they need. If the site was built on a closed, proprietary 'powered-by' platform, it may not be portable at all; in that case the move is a clean rebuild on a stack you own, not a rescue.

How do I recover Google Analytics or Search Console when someone else owns the account?

First request access or an ownership transfer from whoever holds it. If they won't respond, Google's recovery process grants access to whoever can prove they control the website — typically by placing a verification file or DNS record at your domain and submitting your property's measurement ID. It takes a few business days. This is the current Google Analytics 4 process; older Universal Analytics has been retired.

Do I need a lawyer to get my website back?

Usually not. Most cases resolve on the lowest rungs of a proportionate ladder: the registrar's or host's documented-owner recovery, then a complaint to the registrar and ICANN, a card chargeback if you paid by card (generally within about 120 days), and a plain written demand letter. An attorney is the genuine last resort, mainly for a domain truly registered in the vendor's name. WebPro360 builds and hosts websites and is not a law firm; this is not legal advice.

Insights · Owning Your Web Presence

Held Hostage by Your Web Guy: What to Do When You're Locked Out of Your Own Website

A calm, step-by-step recovery playbook for the owner who's already locked out — what you can get back yourself, in what order, an honest answer at every dead-end, and how to rebuild so it can't happen again.

Roger Stanton

Founder, WebPro360 · est. 2002

You ran the audit, and the answer came back wrong. Or nobody warned you — the invoice went unpaid, an email bounced, and one morning your own website won't let you in. The domain, the logins, the site itself aren't in your hands, and the person who has them has gone quiet, gotten cute, or disappeared.

That's a bad morning, and there's no point pretending otherwise. It feels like your business is being held for ransom, and every day the site is stuck has a real cost.

Now the turn — because that's the last time we'll dwell on the stress. You almost certainly have more leverage than it feels like right now, and it goes in a specific order. The plan is simple: recover what you can reach yourself first, escalate only as far as you actually have to, and rebuild so no vendor can do this to you again. Most of these situations resolve well short of a lawyer. Let's work the order.

Step 01

Before you do anything else: copy what you can still reach

If you still have any working login — the website's editor, the hosting control panel, an email account on your domain — use it right now, quietly, before you tip your hand. The moment a vendor senses you're leaving, access has a way of vanishing.

Pull a full backup of the site: the files and the database. Download your content and images. Export your contact and customer lists out of email and any CRM. Save all of it somewhere you own. Leverage you don't capture today may be gone tomorrow. (As we put it in How to Fire Your Marketing Agency: export before you give notice.)

That's the whole first move. Don't overthink it — just grab what you can while you can.

Step 02

What do you actually hold?

Make two columns: what you can log into, and what you can't. Run down the list — the domain registrar, the DNS, the hosting, the website admin, your business email, your analytics. This inventory decides everything that follows, and most of it hinges on a single item: the domain.

If you haven't built that list yet, the six-check audit in Do You Actually Own Your Website? is the fastest way to do it. This post starts where that one ends — you found the problem, now here's how to get unstuck.

Step 03

Is the domain in your control? (this is the keystone)

Three things get confused here, so let's separate them:

The registrar is the company where the domain is registered — GoDaddy, Namecheap, and the like. The registrant is the legal owner; it's a specific field in the domain's record, and it answers the only question that matters: whose name is this in? The account login is simply who can sign in and manage it.

Whoever is the registrant, and whoever holds the account login, controls the domain. You can see who's listed by looking yourself up at ICANN's public lookup tool — ICANN being the body that sets the rules for domain names.

If the registrar account is yours: you're most of the way home. You can move the domain and repoint the site without anyone's permission. Skip to the next step.

If it's in the vendor's account but registered to you (your name or company in the registrant field): ask them, in writing, for the authorization code — also called the auth code, EPP code, or transfer code. It's the password that lets a domain move from one registrar to another. Then start a transfer into a registrar account you control. Two facts worth keeping in your back pocket: under ICANN's rules your registrar must hand over that code within five days of your request, and they are not allowed to withhold it just because you owe them money or you're mid-argument. A billing dispute is not a valid reason to lock your domain.

Dead-end branchIf they stall, ignore you, or flat-out refuse, that refusal is itself a rules violation — and that's exactly what the escalation ladder below is for.

Honest noteA domain genuinely registered in the vendor's name — not yours — is the hard case. Prying that loose can take real leverage or a lawyer, and candidly, it may not come back at all. If that's where you are, the smart move is to rebuild on a domain you own outright from day one, rather than spend months fighting for a name you were never the registrant of.

Step 04

Where does the domain point? (DNS and nameservers)

Once you control the domain, you can aim it anywhere — and the old vendor doesn't get a vote. Nameservers are the switchboard: they tell the internet which server answers for your domain. Point them at a new host, upload your site (the backup you grabbed first, or a fresh build), and you're live again on your own terms.

This is the single move that gets your business back online without the old vendor's cooperation. It's also why the domain is the keystone: control it, and almost everything else becomes optional. If you don't control it yet, this step waits on the one above.

Step 05

Can you get your site and its files? (hosting and backup)

If you have the hosting login: pull a complete backup — files and database both — exactly as in the first step.

If you don't: most reputable hosts have a documented process for returning an account to its verified owner. Call their support and ask what proof they need; it's usually proof you own the domain and can answer for the account. Worst case, you can rebuild from a copy of your public-facing site.

Honest branchIf your site was built on a proprietary “powered-by” platform — a closed system the vendor owns and rents to you — there may be nothing portable to recover. You can save the content; the site itself often can't leave the platform. When that's the situation, the answer isn't a rescue, it's a clean rebuild on a stack you own. A custom site you actually own — ours start at $2,995, owned by the client, on hosting in your name — is what closes that trap permanently, instead of trading one landlord for another.

Step 06

Can you get back into the website itself? (CMS and admin)

Your target is a true administrator login: full control over settings, users, and files — not an editor seat that lets you change a headline but nothing that matters. If you can recover real admin, do it. If you can't, stand up a fresh install on the hosting you now control and move your content into it.

Either way, the last step is the one people forget: once you're back in, remove the old vendor's access. Delete their logins, rotate the passwords, and close the door behind you so the same person can't lock it again next month.

Step 07

Can you save your history? (analytics and Search Console)

Years of traffic data and search history are worth keeping — but don't let them hold up getting your site live. Reclaiming them is a parallel errand, not a blocker.

The path when your Google Analytics or Search Console sits in someone else's account: first, request access or an ownership transfer from whoever holds it. If they won't respond, Google has a recovery process that grants access to whoever can prove they control the website — typically by placing a small verification file or a DNS record at your domain, then submitting your property's measurement ID. It takes a few business days, and it works precisely because it rewards genuine ownership of the domain. That's one more reason the domain step carries so much weight.

(One note so you don't chase a ghost: this is the current Google Analytics 4 process. If someone tells you to go find an old “Universal Analytics” login, that system has been retired — the data behind it is gone.)

Search Console works the same way: verify the domain, reclaim the property.

When a step is blocked

The escalation ladder — only as far as you have to

A reassurance before the rungs: most of these situations end on the first one. You climb only when the step below is blocked, and you stop the moment you're unstuck. Lowest-friction first.

Documented-owner recovery. The registrar's or host's own process for returning an account to its verified owner. Quietest, fastest, cheapest — start here every time.
Registrar complaint, then ICANN. If your registrar won't release your auth code or is ignoring the five-day rule, escalate inside the registrar first. If that fails, file a complaint with ICANN, which enforces the transfer rules registrars agreed to follow.
Payment chargeback. If you paid by card and didn't get what you paid for, your card issuer can dispute the charge. There's a clock — generally around 120 days from the charge, or from when the service fell through — so don't sit on it. A pending chargeback also has a way of making an unresponsive vendor suddenly responsive.
A plain demand letter. A firm, specific written demand — what you own, what you want returned, by when — often does the work a lawsuit would, for free. You don't need a lawyer to write a clear one. The termination/demand template in our owner's kit gives you the language to drop your details into.
An attorney — the genuine last resort. For the hard cases — a domain truly in the vendor's name, a vendor who simply won't move — a few hundred dollars of a lawyer's time and a letter on their letterhead usually breaks the logjam. By the time you reach this rung, you've already tried everything cheaper, and you'll know it was worth it.

One plain thing, owner to owner: we build and host websites, we're not a law firm, and none of this is legal advice. When a situation truly needs a lawyer, get one. Almost everything below that top rung, you can handle yourself.

The audit, and the template that goes with it

Our free Owner's 5-Minute Audit comes with the termination/demand letter template these steps point to. Same kit, both tools — we'll email you the download.

No spam, no sales calls. The download lands in your inbox.

What unstuck looks like

And how to stay that way

Here's the finish line: the domain registered to your business, the hosting account in your name, a true admin login you hold, and a written record of every credential — kept somewhere that isn't one freelancer's personal Gmail. A vendor worth keeping hands those keys over by default and documents the handoff, because a good relationship never depends on holding your business hostage.

That's not a high bar. It's just the floor — the same one we've held across 218 sites since 2002, on owned infrastructure with 100% uptime, now documented and monitored with AI assistance so the record stays current. You don't have to hire us to expect it. But you should expect it from whoever you work with next.

And once you've got your site back and want to formalize the switch cleanly, How to Fire Your Marketing Agency walks through doing it the right way.

Locked out right now?

Not sure which rung you're on? Book a 30-minute strategy call and we'll help you map your recovery — no pitch, no pressure.

Book a strategy call