Pre-Checked Add-Ons and Domain Registrar Dark Patterns: What You're Actually Paying For

Introduction

Buying a domain should be simple. You search for a name, add it to a cart, pay, and move on. But anyone who's registered a domain recently knows the checkout process has become a minefield of pre-checked add-ons, confusing upsells, and features that sound critical but often duplicate what you already get for free.

This post breaks down what domain registrar add-ons actually do, which ones matter, and what you can do yourself for free — with a specific look at the "Domain Protection" add-on that quietly appeared on my recent order despite my best efforts to uncheck it. The domain itself was part of migrating my self-hosted stack to a .com.


The Checkout Dark Pattern

When I registered [DOMAIN].com through WHC.ca, the checkout page showed a 95% discount on the first year — $0.75 for a .com. Hard to say no.

But tucked in below the domain price was a pre-checked Domain Protection add-on at $9.99/year.

I unchecked it. The page refreshed to a confirmation screen. I clicked Pay — assuming my unchecked selection carried over.

It didn't. The add-on was charged.

This is a textbook dark pattern: a pre-checked optional item that resets on page navigation, combined with a multi-step checkout that creates ambiguity about whether your previous selections were preserved.


What "Domain Protection" Actually Includes

Domain Protection add-ons vary by registrar, but they typically bundle three things:

1. WHOIS Privacy (Private Registration): Hides your personal contact information — name, address, email, phone — from public WHOIS lookups. Without this, anyone can run `whois [DOMAIN].com` and see your details.

2. Domain Lock / Transfer Lock: Prevents unauthorized domain transfers. When enabled, a transfer request requires additional verification before it can proceed.

3. Monitoring and Alerts: Notifies you if changes are made to your domain — DNS updates, nameserver changes, contact info edits. Early warning if something unexpected happens.

Some registrars also include domain restoration assistance — help recovering a domain if it gets hijacked or accidentally expires and is snapped up by a squatter.


What You Can Do For Free

Here's the thing: most of what Domain Protection covers is either already free or trivially handled yourself.

WHOIS Privacy — Already Free (Usually)

Most modern registrars include WHOIS privacy at no cost. ICANN rules changed in 2018 around GDPR compliance, and privacy protection became standard practice. WHC's own checkout page said exactly this:

✅ FREE Privacy protection forever

So the Domain Protection add-on was charging $9.99/year to bundle a feature that was already included for free. Read the fine print before paying for anything.

Transfer Lock — One Click in Your Dashboard

Registrar lock (also called transfer lock or domain lock) is a free feature available in every registrar's domain management panel. Log in, find your domain, toggle it on. It takes 30 seconds.

Account Security — The Most Important Part

The most effective protection against domain hijacking is securing the account that owns the domain:

  • Enable 2FA on your registrar account. This is more valuable than any paid add-on.
  • Use a strong, unique password — ideally from a password manager.
  • Secure the email address associated with the account. If someone can get into your email, they can reset your registrar password.

DNSSEC

If your registrar supports it (and many do for .ca and .com), enabling DNSSEC is free and protects against DNS spoofing attacks — a more technical threat that paid Domain Protection rarely covers anyway.
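
One way to confirm these free protections are actually in place, and to do your own change monitoring, is to audit the text that whois prints for your domain. The Python below is an added example, not code from this post or from any registrar; the sample record, the privacy-marker wording and the function names are assumptions.

```python
import re

# Constructed sample in the "Key: value" layout that `whois` prints for a .com
# (not a real lookup; names are placeholders).
SAMPLE_WHOIS = """\
Domain Name: EXAMPLE.COM
Registrar: Example Registrar, Inc.
Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
Name Server: NS1.EXAMPLE.NET
Name Server: NS2.EXAMPLE.NET
DNSSEC: unsigned
Registrant Name: REDACTED FOR PRIVACY
"""

LOCK_CODES = {"clienttransferprohibited", "servertransferprohibited"}
PRIVACY_MARKERS = ("redacted", "privacy", "proxy")  # heuristic, assumed wording


def parse_whois(text):
    """Collect 'Key: value' lines into {key: [values]}; keys can repeat."""
    fields = {}
    for line in text.splitlines():
        m = re.match(r"\s*([^:]+):\s*(\S.*?)\s*$", line)
        if m:
            fields.setdefault(m.group(1).strip().lower(), []).append(m.group(2))
    return fields


def audit(text):
    """Summarise the protections the post says you can verify for free."""
    f = parse_whois(text)
    statuses = {v.split()[0].lower() for v in f.get("domain status", [])}
    names = f.get("registrant name", [])
    return {
        "transfer_lock": bool(statuses & LOCK_CODES),
        "dnssec_signed": any(v.lower().startswith("signed") for v in f.get("dnssec", [])),
        # Exposed = a registrant name is printed and carries no privacy marker.
        "registrant_exposed": any(
            not any(m in n.lower() for m in PRIVACY_MARKERS) for n in names),
        "nameservers": sorted(v.lower() for v in f.get("name server", [])),
    }


def drift(baseline, current):
    """Fields whose audited value changed since the saved baseline."""
    return {k: (baseline[k], current[k]) for k in baseline if baseline[k] != current[k]}
```

Save the result of audit() right after registering, then compare later runs against it with drift(); a lost transfer lock or a changed nameserver set is the kind of change the paid monitoring is meant to report.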


When Domain Protection Is Worth It

There are cases where the paid add-on makes sense:

High-value domains. If your domain is worth thousands of dollars or is directly tied to significant revenue, the extra monitoring and restoration assistance is cheap insurance.

Domains you set-and-forget. If you're not regularly logging into your registrar dashboard, automated monitoring can catch issues you'd otherwise miss.

Peace of mind. For some people, paying $9.99/year to have the registrar handle security alerting is worth it regardless of whether you could replicate it yourself.

For a developer managing their own infrastructure with 2FA and DNS console access, it's largely redundant.


How to Dispute an Unwanted Add-On

If you got charged for a pre-checked add-on you tried to remove, here's how to approach the dispute:

Document exactly what happened. The more specific you are, the stronger your case. "I unchecked it on step one, the page refreshed for confirmation, and I clicked pay assuming my selection carried over" is much more compelling than "I didn't want it."

Frame it as a UI/UX issue, not buyer's remorse. You're not saying you changed your mind — you're saying the checkout flow reset your selection without making that visible. That's a legitimate complaint.

Ask for escalation if the first response is a no. Front-line support often works from a script. A billing manager or supervisor has more discretion to issue refunds on add-ons, especially when the amount is small and the customer's account history is clean.

Mention chargeback as a last resort. Most registrars would rather issue a $9.99 refund than deal with a credit card dispute. Mentioning it (calmly) in a follow-up email usually moves things along.

Here's the kind of follow-up message that tends to work:

Hi,

I'd like to escalate my refund request regarding the Domain Protection 
add-on charged on my recent order.

Here's exactly what happened:

1. I unchecked the Domain Protection add-on on the first checkout screen
2. The page refreshed to a confirmation screen
3. Assuming my previous selection was preserved, I clicked Pay
4. The add-on was charged without my informed consent

I'm not disputing the domain registration charge — only the $9.99 add-on 
that was added via a pre-checked option that reset on page refresh.

I'd appreciate escalation to a billing specialist. If this can't be 
resolved directly, I'll need to dispute the charge with my bank.

Thank you

Key Lessons

1. WHOIS privacy is almost always free now. Before paying for any privacy or protection add-on, check if it's already included. Most registrars include it by default.

2. Read every line of the checkout page before clicking Pay. Multi-step checkouts with page refreshes can reset your selections silently. Treat every screen as a fresh start.

3. Transfer lock and 2FA are the two most important security steps. They're both free. Do them immediately after registering any domain.

4. Paid Domain Protection is mostly useful for high-value domains or people who don't actively manage their own infrastructure. If you're already in your DNS console weekly, you'll notice problems before any monitoring service would alert you.

5. When disputing charges, specificity wins. Describing the exact sequence of UI interactions that led to the unintended charge is far more effective than a general complaint.


This post is part of a series on running a self-hosted stack. Also read: Adding a .com Domain to a Running Self-Hosted Stack Without Downtime and Why MicroBin's Uploader Password Silently Does Nothing.
