Article image
The "Ghost Client" Problem: How to Manage Orphaned Domains and Abandoned Hosting
Every web design agency, freelancer, and managed service provider (MSP) eventually encounters it: the "ghost client." You built a beautiful website, launched it, and for a while, the partnership was fruitful. Then the client stops replying to emails. Their invoices go unpaid. The credit card on file expires and bounces.
Yet their website is still live, consuming your server resources. Worse, their domain name might be registered under your agency's master account and tied to your corporate credit card.
This scenario creates what the industry calls an "orphaned asset." When you don't have a process for managing abandoned client websites or orphaned domain management, your agency bleeds money and takes on legal and security liability it didn't sign up for.
This guide breaks down what actually happens — technically and legally — when a client stops paying for hosting, how domain expiration really works under ICANN's rules, and the standard operating procedures for offboarding web design clients who have gone dark.
- The Anatomy of the Ghost Client Problem When a client abandons their digital infrastructure, it doesn't disappear — it keeps accumulating cost and risk. The ghost client problem shows up in three areas of agency operations.
The Financial Bleed (Auto-Renewal Traps)
Agencies often bundle hosting, domain registration, and maintenance into one retainer. To make onboarding easy, the agency registers the domain and spins up hosting on its own wholesale accounts (WPEngine, DigitalOcean, GoDaddy Pro, and similar).
When the client disappears, the agency is left holding the bag. A $20/year domain renewal and a $30/month hosting seat don't sound like much on their own, but multiplied across five, ten, or twenty ghost clients over a few years, that's real money leaking out of a profitable book of business.
The Legal Liability (Data Deletion and "Holding Assets Hostage")
If a client stops paying, your first instinct might be to instantly delete their server and cancel their domain. Don't. Deleting a client's digital assets without a clear contractual right and a documented paper trail of warnings can expose you to claims for damages, lost business revenue, or destruction of property/data.
The opposite mistake is just as costly: refusing to hand over a domain or backups until a past-due invoice is paid. Depending on your contract and jurisdiction, this can look like a breach of contract, conversion (unlawfully withholding someone else's property), or an unfair/deceptive trade practice — and it damages your agency's reputation in ways that are hard to undo. (More on why this usually isn't "cybersquatting" — a common but inaccurate label — in Section 4.)
The Security Threat (Orphaned Domain Management)
Orphaned domain management is also a real cybersecurity issue. If an agency lets an abandoned client's domain lapse, anyone can register it once it clears ICANN's deletion process (see Section 3). Because the domain was previously trusted — indexed, linked, maybe still receiving stray email — a new owner can use it for phishing, email interception, or reputational damage to the original brand. If the agency is still listed as the technical or administrative contact when this happens, it can get pulled into the resulting mess, even after the client relationship has ended.
- What to Do When a Client Stops Paying for Hosting Handling unresponsive clients requires firmness, legal caution, and a clear paper trail. Here's a step-by-step triage protocol.
Step 1: Review Your Master Services Agreement (MSA)
Before taking any technical action, check what the signed contract actually says. A solid agency contract should spell out:
- The grace period for unpaid invoices (e.g., 15 days). * The date services will be suspended. * The date data will be permanently deleted. * That the agency holds no liability for lost data, lost SEO rankings, or lost revenue resulting from suspension due to non-payment.
If your contract is silent on these points, proceed with extra caution and heavier documentation than usual — you have less legal cover.
Step 2: A Documented Communication Cadence
Never take a website offline without a paper trail. A common structure agencies use:
- Day 1 (past due): Friendly reminder. * Day 15 (late): Second notice — warn that hosting and domain management are subject to suspension in 15 days. * Day 30 (suspension warning): Final warning — the site will go offline within 48 hours and be replaced with a holding page. * Day 45 (termination warning): Warn that the backup will eventually be deleted and the domain will be released or allowed to expire if there's no contact within 15 more days.
Adjust these windows to your contract and jurisdiction — some regions have specific notice requirements for service suspension.
Step 3: Service Suspension (Not Deletion)
The first technical step is suspension, not deletion. Don't delete the files. Route the DNS or configure the server to show a generic "temporarily unavailable" or maintenance page.
Avoid a page that explicitly says "Suspended for Non-Payment." Publicly airing a client's payment status can be construed as defamatory or as tortious interference with their business, and it's not necessary to accomplish your goal — the point is to get their attention, not to punish them publicly.
Step 4: Archiving and Final Deletion
If 60–90 days pass with zero communication, it's time to cut costs:
Take a full backup of the site (files and database).
Store the backup locally or in cold storage (e.g., S3, Google Drive).
Delete the active instance from your premium hosting to free up resources.
Send a final email stating that hosting has been terminated, that an archival backup will be held for a defined period, and that outstanding balances must be settled before the backup is released.
A note on data retention if any client is in the EU/UK: if the site or backups contain personal data (customer records, form submissions, email lists), GDPR's storage-limitation principle (Article 5(1)(e)) means you can't hold that data indefinitely "just in case." A fixed, documented retention window — 90 days is a reasonable, common choice — that you actually enforce is the right approach. What gets regulators' attention isn't having a retention period; it's not having one, or keeping data well past it with no justification. If you're a data processor for that client (rather than the sole controller), your contract should already specify what happens to their data when the engagement ends.
- How Domain Expiration Actually Works This is the part general "best practices" articles tend to get vague about, and it matters, because the exact timeline determines when you actually lose the ability to recover a domain.
For most generic TLDs (.com, .net, .org), ICANN's rules define a multi-stage lifecycle after a domain's expiration date:
Auto-Renew Grace Period — up to 45 days (registrars often offer less; commonly 0–45 days depending on the registrar and TLD). The domain can be renewed at the normal price. DNS typically stops resolving during this window even though the domain technically still belongs to the registrant — so the site and any email on that domain go down immediately, well before anything is "lost."
Redemption Grace Period (RGP) — roughly 30 days. The domain is locked and no longer resolves, but the original registrant can still recover ("restore") it — for a redemption fee that's substantially higher than a normal renewal, often in the $50–$250+ range depending on the registrar.
Pending Delete — about 5 days. Nothing can be done at this stage; the domain simply waits to be released.
Released — the domain becomes available to anyone on a first-come, first-served basis.
A few important caveats:
- Country-code TLDs vary widely. Some, like .uk, offer similar grace periods; others, like .au, have no grace period at all — the domain can become available almost immediately after expiration. Always check the specific registry's policy for any ccTLD you manage. * You cannot transfer a domain to a new registrar while it's in Redemption Grace Period or Pending Delete. If you want to hand a domain to a client's own account before it lapses, that has to happen during the active registration — not after it expires. * Registrars are contractually required (under ICANN's Expired Registration Recovery Policy) to send at least two renewal reminder notices before deleting an expired name, and to allow domains in the Redemption Grace Period to be restored.
Practically, this means "letting a ghost client's domain expire" isn't an instant event — it's a 60–80 day window (auto-renew grace + redemption + pending delete) during which the site is already dark, the client still has a real chance to reclaim the name, and then it's gone for good.
- Domain Ownership, Transfers, and Avoiding "Hostage" Situations Get the terminology right: this usually isn't "cybersquatting" The original guide (and a lot of agency advice online) warns that withholding a client's domain over unpaid invoices could get you accused of "cybersquatting" under ICANN policy. That's a common mix-up worth correcting, because it points you toward the wrong protections.
Cybersquatting and the ICANN dispute process that addresses it — the Uniform Domain-Name Dispute-Resolution Policy (UDRP) — is specifically about a third party registering a domain in bad faith to profit from someone else's trademark. It requires the complainant to prove the domain is confusingly similar to their mark, that the registrant has no legitimate interest in it, and that it was registered and is being used in bad faith. That's a different situation from an agency that legitimately registered a domain on a client's behalf and is now slow to transfer it over a billing dispute.
What you're actually exposed to in an agency-client standoff is more mundane and, frankly, more certain: breach of contract, a conversion claim (unlawfully controlling someone else's property), a consumer-protection or unfair-trade-practices complaint depending on your state or country, and — if the client has any trademark rights of their own in the domain — the possibility that your attempt to hold onto it looks bad in front of a court or arbitrator, even without a UDRP filing. None of this requires ICANN's involvement to hurt you; a client with a lawyer and a documented paper trail of unanswered transfer requests is enough.
(For completeness: the reverse of cybersquatting — a company with real trademark rights abusing the UDRP process to try to strong-arm a legitimate domain owner — is its own recognized problem called Reverse Domain Name Hijacking. It's rare in absolute terms, but it illustrates that ICANN's dispute machinery cuts both ways and isn't a tool either side should reach for casually.)
Domain transfers are getting easier for registrants — plan accordingly
ICANN approved a significant overhaul of its Transfer Policy in 2025, and registrars are rolling it out through 2026. The practical changes agencies should know about:
- The old, unpopular 60-day lock after a registrant change or new registration is being phased down to 30 days in the reformed policy, with the underlying working group recommending it be removed for many change-of-registrant scenarios entirely. * The static EPP authorization code that's been used to transfer domains for two decades is being replaced with a short-lived Transfer Authorization Code (TAC) — generated on demand and valid only for a limited window, rather than something that sits in an inbox indefinitely.
The upshot: it's becoming faster and simpler for a client to move a domain out of your account once they have the right credentials. That's a good reason to have transfer requests handled promptly and by policy rather than as a point of leverage — the technical friction that used to buy agencies time is disappearing.
The rules that still hold
- Never use a domain as leverage. If a client owes you money, that's a billing dispute — pursue it as one (invoicing terms, collections, small claims). Refusing a legitimate transfer request doesn't get you paid faster; it usually escalates the situation and adds legal exposure on top of the unpaid invoice. * If a domain you're paying for is coming up for renewal and the client has gone dark: turn off auto-renew, email them with a clear expiration date and a request to set up their own registrar account to receive the transfer, and if they don't respond, let it lapse through the normal ICANN lifecycle described in Section 3. You gave documented notice; you're not obligated to keep paying out of pocket for an asset that isn't generating revenue. * The best fix is structural, not procedural: have clients register domains on their own account and credit card from day one, and get delegated access (available through registrars like GoDaddy and Cloudflare) so your agency can manage DNS without ever being the legal registrant. This puts 100% of the financial and legal liability where it belongs — with the domain's actual owner — while you keep the technical access you need to do your job.
- Standardizing the Process: Offboarding Web Design Clients Ghost clients are just an extreme version of a normal business process: offboarding. Every agency needs a standard SOP for this, whether the split is amicable, hostile, or simply the result of a client disappearing.
The Offboarding Checklist
Audit the footprint. Identify every asset tied to the client: domain names, DNS (e.g., Cloudflare), hosting (VPS or shared), premium plugin licenses, CDN accounts, and third-party tools (Mailchimp, Google Analytics, etc.).
Revoke agency licenses. If the client isn't paying for your care plan anymore, remove agency-tier premium plugin licenses (WP Rocket, Elementor Pro, Gravity Forms, and similar). They'll need their own licenses to keep receiving updates.
Transfer ownership. Initiate transfers for any accounts registered under the agency's master email over to the client's own email/account.
Remove agency access. Remove your admin users from their WordPress dashboard, pull your SSH keys off their servers, and revoke delegated access from their domain registrar.
Send a final handoff document. New logins, server IPs, and DNS configuration, ideally as a single reference document. Once it's sent, your agency's ongoing liability for that infrastructure is meaningfully reduced (get this in writing in your contract, too — a handoff document alone doesn't automatically end liability without a contractual clause saying so).
When a client ghosts you, you run this same checklist unilaterally: strip your licenses, archive the backup, wind down the server, and send the final status email to whatever contact you have on file.
- Why Agencies Struggle with Asset Tracking The biggest reason agencies lose money to abandoned hosting and orphaned domains is a lack of visibility. A freelancer with five clients can keep track of who owns what in their head. An agency with 50, 100, or 500 clients cannot.
- Did we buy Client A's domain on Namecheap or Google Domains? * Is Client B's hosting on our WPEngine account or their own? * Client C hasn't paid us in four months, but their domain auto-renewed yesterday for $25 on our corporate card. Why wasn't this caught?
Agencies often try to solve this with a big, color-coded spreadsheet. Spreadsheets are static — they don't send alerts, they require manual upkeep, and they're usually out of date the moment they're saved. The result is what you might call the "ghost client subsidy": profitable, active clients are quietly subsidizing the infrastructure costs of accounts that left years ago.
- A Tool Built for This: InstaRenewal To manage abandoned client websites well, you need something that tracks the lifecycle of every digital asset and maps who owns it, who pays for it, and where it lives — updated as things change, not just at onboarding.
InstaRenewal is a renewal-and-asset-tracking platform aimed specifically at this problem for agencies and freelancers. Rather than a general CRM or project tool, it's intentionally narrow: a workspace for domains, SSL certificates, hosting, plugin/software licenses, and related renewals, with fields for who owns each asset, who's responsible for paying, who receives provider notices, and whether the agency currently has the access it needs to act.
Specifically, it can help with the ghost client problem in a few concrete ways:
- Ownership and payment mapping. Assets can be tagged by who owns them and who's responsible for renewal costs, so "wait, whose domain is this?" stops being a recurring fire drill. * Risk-state visibility. Rather than a wall of dates, assets are shown in states like expired, urgent, upcoming, safe, or unknown — making it easy to see what needs attention without parsing a spreadsheet. * SSL and renewal monitoring. It can detect SSL certificate expiry automatically for supported domains, which is one of the more common "silent" outage causes on abandoned sites. * Offboarding support. Pulling up a client's profile surfaces everything tied to them, which is exactly the audit step Section 5's checklist calls for — reducing the odds of accidentally leaving a dead site running on a paid server.
It won't resolve the legal questions in Sections 2 and 4 for you — that's still a matter of your contract and, where needed, an actual lawyer — but it removes the "we didn't even know this was still running" failure mode that turns a normal offboarding into a ghost client in the first place.
The Bigger Picture
The industry is maturing past "put everything on one shared server and hope clients pay their invoices." Strict MSAs, a documented communication cadence, an accurate understanding of how domain expiration actually works, and a system — spreadsheet or dedicated tool — for tracking who owns and pays for what: together, these are what keep ghost clients from quietly eating into agency margins.
Sources & further reading
- ICANN — About Redeeming a Domain Name in Redemption Grace Period * ICANN — FAQs for Registrants: Domain Name Renewals and Expiration * ICANN — Expired Registration Recovery Policy * ICANN — Transfer Policy * ICANN — FAQs for Registrants: Transferring Your Domain Name * WIPO — Guide to the Uniform Domain Name Dispute Resolution Policy (UDRP) * World Trademark Review — How proposed changes to ICANN's Transfer Policy will impact domain owners and registrants * GDPR Local — How Long Should Personal Data Be Kept For * InstaRenewal — Renewal operations for web agencies
Top comments (0)