How to Keep MetaMask Secure from Hackers (11 Practical Steps)

Knowing how to keep your MetaMask wallet secure from hackers is essential to protect your digital assets. Failing to secure your wallet could lead to your assets being stolen and all of your funds drained. 

Having used MetaMask for years myself, I’ve developed a list of actionable steps you can take to keep your MetaMask wallet safe from hackers.

How to Keep Your MetaMask Wallet Safe

1. Only download MetaMask from the official site

MetaMask’s official website

Let’s start with the basics. The only place you should download both the MetaMask extension and mobile app is the official website, which is MetaMask.io.

If you download this wallet from any other location—even your mobile device’s app store—you’re putting your funds at extreme risk.

Downloading a fake MetaMask wallet is the quickest way to get scammed.

The moment you fund your wallet, you’ll actually be funding someone else’s pocket.

Be sure to double-check that you’re visiting the correct URL, especially if you get there through a Google search, since a search result can lead you to a fake website.

2. Create a secure password

Components of a strong password

When you create your MetaMask password, make sure it’s as secure as it can be. If you create a password that’s so complicated you can’t even remember it, that’s okay.

You should create a password that you’ve never used before.

Moreover, make sure to use upper and lower case letters, numbers, and symbols. The more random your password is, the better.

Avoid using words altogether. Keep the password completely random, write it down on a piece of paper, and store that paper in a safe location.

Never store your password online or on your device. Hackers can gain access to it if your device is compromised.

Don’t worry if you forget or lose your password, though; you can always reset it using your wallet’s secret recovery phrase.

Believe me, I’ve done this several times.

3. Store your seed phrase offline

Metal seed phrase plate

Your wallet’s seed phrase (secret recovery phrase) is the key to accessing your funds. Anyone who knows your seed phrase has full access and control over your wallet. 

This phrase is given to you when you create a new MetaMask wallet. You must record this phrase in the exact order as it’s displayed during the creation of your wallet.

Similar to your password, you should never store your secret recovery phrase anywhere online.

A good option is to write your phrase down on a piece of paper (preferably several pieces of paper) and store the copies in separate locations that are safe but that you can still get to.

If you don’t have a fireproof safe at home, I highly suggest you get one and store it there.

For further protection and longevity, I can’t recommend a fireproof seed storage plate enough.

A piece of paper works fine. But recording your phrase on a nice chunk of metal ensures your phrase remains legible even in the harshest conditions.

4. Never share your seed phrase

Scam comments on Twitter

After securing your seed phrase make sure to never share it with anyone. Not your mom, your bank teller, your CPA, and especially not “MetaMask Support”.

First off, the real MetaMask Support would never ask you for your secret phrase. If they do, they’re not the real support. This is a common scam.

The only reason someone would need to know your seed phrase is to access your wallet’s funds.

All transactions made with your wallet are publicly visible on the blockchain, so no one ever needs your secret phrase to look at that data.

5. Don’t connect your wallet to random websites

Phishing links in my Twitter DM

One of the most common ways MetaMask wallets are hacked is through a phishing link. These links direct you to a malicious website that, once your wallet is connected, will drain it entirely.

These links can appear almost anywhere, but the most common places are Twitter, Discord, and Instagram DMs and posts, emails, and spammy websites.

Unless you are absolutely certain the site you’re connecting to can be trusted, you should never connect your wallet to a random site.

If you want to risk it, perhaps you should consider getting a separate wallet (we’ll discuss this later) for situations like this.

6. Always disconnect MetaMask from dapps

Even if you are connected to a trusted website or decentralized application (dapp), there’s no guarantee that it can’t be hacked.

That’s why it’s important to always disconnect MetaMask from dapps when you are done.

How do you disconnect MetaMask from websites? Follow the steps below.

  • MetaMask Mobile: In the app click on the hamburger icon and go to Settings, Security & Privacy, scroll down and tap Clear Privacy Data.
  • MetaMask Extension: Within the Account view, tap the 3 dots button in the top right-hand corner. In the expanded menu, click on Connected Sites. To disconnect from the listed sites, tap the trash can button next to the site.

7. Don’t access MetaMask on public wifi

Using Proton VPN to secure my network

Connecting your computer or mobile device to a public wifi network is always a huge risk, especially if you want to keep your MetaMask account secure.

A public wifi network enables hackers to closely monitor all file sharing and traffic that’s sent between you and the server.

Using this data, a skilled hacker can inject malicious JavaScript into your device, leading to both the device and your wallet being compromised.

If you must use a public wifi network or if you simply enjoy sitting at the cafe, you should use a virtual private network (VPN) to keep all your data encrypted so hackers can’t see what’s going on.

8. Adjust these recommended security settings

MetaMask recommended security settings.

MetaMask has a ton of security features that can be changed to make your wallet even more secure.

Some of these settings may already be in the recommended state, but it’s worth checking each one.

  • Settings, Advanced, disable Enhanced Token Detection.
  • Settings, Security & Privacy, set Auto-lock to immediately.
  • Settings, Security & Privacy, disable Remember me.
  • Settings, Security & Privacy, clear privacy data, browser history, and cookies at regular intervals.
  • Settings, Security & Privacy, enable Privacy mode.
  • Settings, Security & Privacy, disable Participate in MetaMetrics.
  • Settings, Security & Privacy, disable Get incoming transactions.
  • Settings, Security & Privacy, disable Opensea API.
  • Settings, Security & Privacy, disable Autodetect NFTs.

Most of these settings exist to create a better user experience; however, they come with the risk of exposing data you probably don’t want to expose.

You can always change these settings back if you don’t like the experience.

But if your goal is to keep MetaMask safe, these changes are a step in the right direction.

9. Keep MetaMask app and extension up-to-date

First, tap Manage Extension

Keeping your MetaMask app and extension up-to-date is crucial for maintaining secure software.

Second, turn developer mode on and then tap Update

Updates commonly include fixes that close security holes hackers could use to gain unauthorized access to the application and your private data.

Failing to update MetaMask leaves you at risk for potential hacks. Although this might not be the most common form of an attack, it’s still possible. 

10. Lock your account when not in use

Mobile and Extension Lock

If you set your Auto-lock timer to “immediately” as I recommended above, you don’t need to worry about this one.

If for some reason you don’t want to set your auto-lock timer, you’ll have to make sure to lock your account manually every time you’re finished using MetaMask.

Each time you lock your account, you’ll need to enter your password to gain access to your wallet.

To lock your account on mobile simply tap the hamburger icon in the top-left corner of your wallet and press Lock.

To lock your wallet using the web extension, tap your profile icon, then tap Lock.

11. Don’t use MetaMask for storage

Holding my Ledger hardware wallet

If your main goal is to keep your assets secure, you shouldn’t store them on MetaMask to begin with. I know, I know.

Then what’s the point of this whole thing?

Well, just because you shouldn’t store assets like crypto and NFTs on MetaMask doesn’t mean you shouldn’t still keep your wallet safe.

Okay, so what should you use MetaMask for? I’m glad you asked.

MetaMask is great for transacting and interacting with dapps.

So, it’s okay when used to buy and sell things or to connect to a sketchy website, but you shouldn’t think of it as a storage solution for your digital assets.

MetaMask is a software wallet, hence it’s always connected to the internet. The internet is how hackers gain access to your wallet.

Therefore, there’s always a greater risk of being hacked when using this wallet.

So, what’s the alternative?

The best alternative for storing your digital goods is a hardware wallet.

This type of wallet is a physical device that holds your private key and secret phrase offline—meaning there’s minimal risk of being hacked.

That said, you can use MetaMask in conjunction with a hardware wallet to securely store your blockchain-based assets. 

The best way to do this is by using MetaMask to purchase your assets, such as NFTs, and then send them to your hardware wallet for safekeeping.

Likewise, when you’re ready to sell something you can send it back to MetaMask before making the sale.

This method ensures your MetaMask wallet remains empty in case it is hacked, while your funds remain safe on your hardware device.
