The ultimate guide to securing your Twitter account

Twitter, like any other high profile site on the Internet, is targeted by hackers, scammers, spammers and users who use it to distribute malware or spam.
Security of the Twitter account is of utmost importance, and even if you take all precautions and bomb-proof it, there are still things that may slip past those defenses.
A simple example is if the Twitter account of a friend gets compromised and then used to spam the followers or distribute malware. You can't protect your account from this, and unless all of your friends are securing their accounts as well, there is always a chance that you may be exposed to these threats.
Still, it is important to secure your account so that malicious users cannot misuse it in this way, so that third party apps do not record all your moves and sell them to the highest bidder, and so that it is not used to spam your friends on Twitter.
The following guide is a complete guide to Twitter security. I suggest you read it from beginning to end as it is most effective when you do that and make all the necessary changes to your account.
Your Twitter account
The first thing that you need to do is make sure that only you can access your account on Twitter. There are a couple of things that you may want to do to ensure that this is the case.
Use a secure password
While it may be convenient to use a password like princess1 or dallascowboys to sign in to Twitter, it is not very secure. Attackers use dictionary attacks and combine them with often used variations, like adding a 1 to the end or replacing the letter e with a 3, to get into accounts.
It is important to set a secure password on Twitter. There is, however, no universally accepted definition of a secure password. My suggestion would be to use at least 16 characters, at least one letter and one number, and at least one special character in the password.
Make sure you don't use any words found in dictionaries unless you combine them with other words or characters.
It is also important not to reuse passwords so that you can't run into problems if another service on the Internet where you used the password has been compromised.
You can use a password generator to generate ultra long random passwords and use a password manager to save them so that you do not have to remember the passwords or write them down (never do that).
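The rules above can be checked mechanically. The following Python sketch is an added example, not part of the original guide: it applies the suggested length and character rules and also undoes the variations mentioned earlier (a trailing 1, e replaced by 3) before looking the result up in a word list. The word list and the extra substitutions beyond e/3 are assumptions made for the example.

```python
import string

# Constructed mini word list; a real check would use a large dictionary or
# a list of passwords known from breaches.
WORDLIST = {"princess", "dallascowboys", "password", "twitter"}

# Reverse the substitution the guide mentions (e -> 3) plus a few similar
# ones; the extra mappings are assumptions of this example.
LEET = str.maketrans({"3": "e", "0": "o", "1": "l", "4": "a",
                      "5": "s", "$": "s", "@": "a"})


def normalize(password):
    """Undo the usual tricks: case, trailing digits/symbols, leet spelling."""
    core = password.lower().rstrip(string.digits + string.punctuation)
    return core.translate(LEET)


def check_password(password):
    """Return a list of problems; an empty list means the rules are met."""
    problems = []
    if len(password) < 16:
        problems.append("shorter than 16 characters")
    if not any(c.isalpha() for c in password):
        problems.append("no letter")
    if not any(c.isdigit() for c in password):
        problems.append("no number")
    if not any(c in string.punctuation for c in password):
        problems.append("no special character")
    # Composition rules alone are not enough: a padded dictionary word can
    # satisfy all of them and still fall to a dictionary attack.
    if normalize(password) in WORDLIST:
        problems.append("dictionary word with a common variation")
    return problems


if __name__ == "__main__":
    for candidate in ("princess1", "Dallascowboys1!!", "vR7#qLm2!xWp9$Tz"):
        print(candidate, "->", check_password(candidate) or "ok")
```

Note that Dallascowboys1!! passes every length and character rule and is rejected only by the dictionary check, which is why the guide asks for both.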
You can change the Twitter password on this page. Note that you do need to enter your current password and the new password on the page.
You may also want to check the password reset box on Twitter to make it difficult for third parties to reset the account password.
You can request a password reset on Twitter by simply entering the @username of the account in the login form on the site. If you enable this option, Twitter will also prompt for the account's email address or phone number, which needs to be entered before the password reset process is started.
You find that option on the main Account settings page on Twitter under Security. Just check the "require personal information to reset your password" box to add this security option to it.
We suggest you configure login verification on Twitter as well. It is a two-factor authentication option that adds a second layer of protection to your account.
Note that you need a mobile device for that, and that you have to verify a mobile phone number with Twitter.
The login and phishing
You can still run into traps or issues even if you are using a secure account password. This can for instance be the case when you enter it on a site that you believe is Twitter, when in fact it is not.
Phishing is a permanent threat on the Internet and while it is usually associated with email, it can also happen that you are attacked via advertisement, chats, search engines or notifications.
The best option to protect yourself against phishing is to enter the Twitter web address manually whenever you want to go there, or to use a bookmark instead that you have saved previously.
I'd recommend you check the address anytime you connect to Twitter to make sure it begins with https://www.twitter.com/.
It seems that Twitter is making use of https by default now so that you do not have to enable that option any longer in the settings to use it.
Before you log in on the site, check the web address to make sure you are on the right site.
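What "check the web address" means in practice is comparing the host name, not looking for the word twitter somewhere in the URL. This added Python example (not from the original guide) parses an address and accepts it only if the scheme is https and the host is twitter.com or one of its subdomains; the sample addresses are constructed and use reserved example domains.

```python
from urllib.parse import urlsplit

TRUSTED = "twitter.com"  # the domain the guide tells you to look for


def is_twitter_url(url):
    """True only for https URLs whose host is twitter.com or a subdomain."""
    parts = urlsplit(url)
    if parts.scheme != "https":
        return False
    # hostname is lower-cased and excludes any "user@" part and the port.
    host = (parts.hostname or "").rstrip(".")
    return host == TRUSTED or host.endswith("." + TRUSTED)


# Constructed sample addresses. Each rejected one contains "twitter.com"
# somewhere, which is why a glance at the address bar is not enough.
SAMPLES = [
    "https://www.twitter.com/login",             # genuine
    "https://twitter.com/settings/safety",       # genuine
    "http://www.twitter.com/login",              # not https
    "https://twitter.com.login-check.example/",  # real host is login-check.example
    "https://www.twitter.com@example.net/",      # text before @ is a user name
    "https://example.org/www.twitter.com/",      # domain only appears in the path
]

if __name__ == "__main__":
    for url in SAMPLES:
        print("OK " if is_twitter_url(url) else "NO ", url)
```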
Change privacy related settings
If you value your privacy, you may want to make a couple of modifications on Twitter to boost it.
Twitter did add the location to the tweet automatically in the past. It did not take long before software became available that would display the location history of Twitter users using the information.
The data could be abused by third-parties, and burglars could use it to make sure you are not at home. Twitter changed its stance on location-based data in tweets and set the option to disabled by default.
You may want to check nevertheless to make sure that your tweets don't include the information.
- Open Twitter's Privacy and safety page here: https://twitter.com/settings/safety
- Make sure that "Tweet with a location" is not checked under Tweet location.
I suggest you click on "delete location information" if the option was checked to make sure all location-based information is removed.
If you are only communicating with a select group of friends, you may want to consider enabling the "Tweet Privacy" option on the same page by checking "protect your tweets".
Private or protected tweets are only visible to approved followers and are not visible publicly. Note that this does not impact past messages on Twitter.
Other security and privacy options on the page include disabling photo tagging for the account, disabling discoverability options using your email address or phone number, disabling direct messages, or making sure that sensitive content is blocked.
You may also want to check the email notifications page to make changes to some of the notifications and updates that you receive from Twitter periodically.
There are a lot of settings on this page and while some of them may be useful, like receiving information about a new follower or direct message, others may not be as interesting like tips on getting more out of Twitter or news about Twitter and feature updates.
Third party applications
Third party applications can use Twitter for authentication or may require access to your Twitter account if they provide you with functionality.
A desktop Twitter client for instance may need read, write and direct message permissions.
You can check all apps that you have authorized in the past to access your Twitter account on this page: https://twitter.com/settings/applications
Each app is listed with its name, company, a short description, the permissions it has and when it was approved.
You can click on the revoke access button next to each application to remove the application from the list of authorized apps.
It is recommended to go through the list and remove all applications that you do not need any longer or have privacy concerns about.
Dealing with messages on Twitter
The majority of messages that you read on Twitter use short link services that do not really reveal the destination of a link. You do not really know where http://goo.gl/6g4XB will redirect you to. You may want to use a service to expand these links before you click on them to know where they point to.
A web service that you can use is Check Short Url. It supports popular URL shortening services but requires you to copy the link and paste it into the web form.
Web Browser tools, features and misc
Here is a small selection of extensions and features that you may want to consider as well.
- Enable Do Not Track in your browser to avoid personalized advertisement.
- Install NoScript in Firefox, the best browser security add-on, or another security extension that blocks third-party connections (see best Firefox add-ons, see best Chrome extensions)
- Make sure your web browser, its extensions and plugins are always up to date. Use Mozilla Plugin Check, Adobe's Flash verifier, the Java version check or a desktop program like Sumo to check plugins and versions.
- Make sure you run an antivirus solution that protects your system in real time, and a firewall that blocks threats and connections. Popular solutions include Avast Antivirus Free or AVG Antivirus Free. The Windows Firewall is not that bad anymore either.
Closing Words
This may seem like a lot but it is not really that complicated to set up, especially since you can use the majority of these best practices on other Internet sites as well. Let me know if you think that the guide missed an important aspect so that I can add it to it.

Martin, I would appreciate that you do not censor this post, as it’s informative writing.
Onur, there is a misleading statement “[…] GIFs are animated images …”. No, obviously you don’t seem to have taken much notice of what you were told back in March regarding Graphics Interchange Format (GIF).
For example, https://www.ghacks.net/2023/03/31/whats-gif-explanation-and-how-to-use-it/#comment-4562919 (if you had read my replies within that thread, you might have learnt something useful). I even mentioned, “GIF intrinsically supports animated images (GIF89a)”.
You linked to said article, [Related: …] within this article, but have somehow failed to take onboard what support you were given by several more knowledgeable people.
If you used AI to help write this article, it has failed miserably.
EMRE ÇITAK posts are useless because they are fraught with inaccuracies and are irrelevant.
AI is stupid, and it will not get any better if we really know how this all works. Prove me wrong.. https://www.youtube.com/watch?v=4IYl1sTIOHI
Martin, [#comment-4569908] is only meant to be in: [https://www.ghacks.net/2023/07/09/how-to-send-gifs-on-iphone-two-different-ways/]. Whereas it appears duplicated in several recent random low-quality non relevant articles.
Obviously it [#comment-4569908] was posted: 9 July 2023. Long before this thread even existed… your database is falling over. Those comments are supposed to have unique ID values. It shouldn’t be possible to duplicate the post ID, if the database had referential integrity.
Don’t tell me!
Ghacks wants the state to step in for STATE-MANDATED associations to save jobs!!!
Bring in the dictatorship!!!
And screw Rreedom of Association – too radical for Ghacks maybe
GateKeeper ?
That’s called “appointing” businesses to do the state’s dirty work!!!!!
But the article says itself that those appointed were not happy – implying they had no choice!!!!!!
Rreedom of Association is one of our most important rights. Some people think it’s Freedom, but no, I say Rreedom is far more important. There are many STATE-MANDATED associations that save jobs, that’s right MANDATED. I can’t name any of them, but rest assured they are bad, because saving jobs are bad, and people having jobs leads to dictatorship!!! Anyone who disagrees is too radical for Ghacks maybe, because I’m not sure.
@The Dark Lady,
@KeZa,
@Database failure,
@Howard Pearce,
@Howard Allan Pearce,
Note: I replaced the quoted URI scheme: https:// with “>>” and posted.
The current ghacks.net is owned by “Softonic International S.A.” (sold by Martin in October 2019), and due to the fate of M&A, ghacks.net has changed in quality.
>> ghacks.net/2023/09/02/microsoft-is-removing-wordpad-from-windows/#comment-4573130
Many Authors of bloggers and advertisers certified by Softonic have joined the site, and the site is full of articles aimed at advertising and clickbait.
>> ghacks.net/2023/08/31/in-windows-11-the-line-between-legitimate-and-adware-becomes-increasingly-blurred/#comment-4573117
As it stands, except for articles by Martin Brinkmann, Mike Turcotte, and Ashwin, they are low quality, unhelpful, and even vicious. It is better not to read those articles.
How to display only articles by a specific author:
Added line to My filters in uBlock Origin: ghacks.net##.hentry,.home-posts,.home-category-post:not(:has-text(/Martin Brinkmann|Mike Turcotte|Ashwin/))
>> ghacks.net/2023/09/01/windows-11-development-overview-of-the-august-2023-changes/#comment-4573033
By the way, if you use an RSS reader, you can track exactly where your comments are (I’m an iPad user, so I use “Feedly Classic”, but for Windows I prefer the desktop app “RSS Guard”).
RSS Guard: Feed reader which supports RSS/ATOM/JSON and many web-based feed services.
>> github.com/martinrotter/rssguard#readme
We all live in digital surveillance glass houses under scrutiny of evil people because of people like Musk. It’s only fair that he takes his turn.
“Operating systems will be required to let the user choose the browser, virtual assistant and search engine of their choice. Microsoft cannot force users to use Bing or Edge. Apple will have to open up its iOS operating system to allow third-party app stores, aka allow sideloading of apps. Google, on the other hand, will need to provide users with the ability to uninstall preloaded apps (bloatware) from Android devices. Online services will need to allow users to unsubscribe from their platform easily. Gatekeepers need to provide interoperability with third-parties that offer similar services.”
Wonderful ! Let’s hope they’ll comply with that law more than they are doing with the GDPR.
No, they didn’t lmao.
https://twitter.com/vxunderground/status/1706523877478670542
What does this article about Musk/Tesla have to do with computing, devices, phones?
More irrelevant filler.
yeah sure… they are always the victims and it is only against them ????
Believe them 100% and never question anything. This lawsuit sounds like the type you heard when people were eating batteries.