Most Twitter users tweet publicly, so if someone takes control of your account, they can quickly damage your reputation by tweeting obscenities or lies. And if you use your Twitter account to log into other websites, then someone who gains access to your Twitter account gains the keys to those other accounts.
For these reasons, it’s critical that you take the time to set your security and privacy settings on Twitter. Let’s walk through them.
This guide shows the full, desktop version of the Twitter website. The steps will be similar for the mobile website and Twitter apps. The links throughout the guide will take you directly to the pages referenced.
For some settings, I don’t have a recommendation related to security or privacy, so I don’t describe them in this guide. For those, feel free to keep the default, or choose based on your preferences.
In Twitter, click your profile photo in the top right corner of the screen, then click Settings and privacy. You’ll see a menu on the left side of the screen with various categories of settings. We’ll go through them in order. Be sure to click the Save changes button at the bottom of each screen.
In the menu on the left side of the screen, click Account.
Password reset verification: check this box.
Click Review your login verification methods. Confirm your password, then you’ll see the Login verification page. Click Set up for each option that you’d like to enable. I recommend Mobile security key with the Authy or Google Authenticator apps. If you have a security key, enable that option (I like the YubiKey). Text messages can be spoofed and intercepted, so it’s better to use the mobile security app or security key options than the text message option.
Click Get backup code. Save the backup code somewhere secure; I use the Notes field of the entry in LastPass.
Learn more in How & Why to Use Two-Factor Authentication.
Tweet privacy: If you don’t need your tweets to be public to the world, check this box. This makes your tweets private, only visible to those whom you approve. This defeats the purpose for which many people use Twitter, but not everyone needs to make their tweets public. Learn more about public and protected Tweets.
Tweet location: I recommend unchecking this, so that you’re not constantly revealing your location. Learn more in Don’t Post About Travel Before or While You’re Away.
Delete location information: I recommend clicking this to remove location info from your past tweets.
Personalization and Data: Click Edit. On the Personalization and Data page, I suggest clicking Disable all to limit the amount of data Twitter and other companies collect about you. After clicking Save changes, return to Privacy and safety.
Direct Messages: I like to uncheck Send/Receive read receipts. I’m not a fan of read receipts in any messaging platform, because I don’t like people knowing when I’ve read their message. Not only does it reveal behavioral patterns about when you check messages, it also causes people to judge you based on how quickly you reply.
Set a long, strong password (20+ characters, with a mix of uppercase, lowercase, numbers, and special characters). I recommend using a password manager, such as LastPass, to create and store your password.
Review the Apps connected to your Twitter account. If there are any that don’t truly need access to your Twitter account, click Revoke access.
Review the devices listed under Recently used devices to access Twitter. If there are any that don’t truly need access to your Twitter account, click Log out.
In Twitter, click your profile photo in the top right corner of the screen, then click Profile.
Below your header photo, click Edit profile.
On the left side of the screen, below your name, edit your Bio, Location, and Website. Think carefully about what info you want to be public.
Click Birthday. Next to the birthday fields are visibility settings. I strongly recommend you set the visibility for these fields to Only you. If you insist on showing your birthday, set the visibility for the month and day to something other than Public, but leave the year as Only you. Learn more.
Using Twitter Safely
If you’ve protected your tweets, then they’re only visible to people you approve. When you receive a request, it’s a good idea to verify the person’s identity (that they are the actual owner of the Twitter account, and that they sent you a request). You can do that by asking them in person, or through some other trusted channel that you’ve previously used to communicate with them (email, other social media, text/SMS, phone, etc.). Or you could ask a trusted mutual friend to confirm their identity.
If you use someone else’s device (computer, phone, tablet, etc.) to log into your Twitter account, be sure to log out when you’re finished! Otherwise, the other person can use Twitter as you after you leave.
Some websites let you log in with your Twitter account. Don’t use this option! If someone hacks your Twitter account, they gain access to all the accounts you’ve set up for Twitter login. Yes, it’s more work to create separate logins for each site, but remembering the logins doesn’t take any extra effort if you use a password manager (I like LastPass).
Just as you need to be careful about clicking links in email and other messages, you must be careful about clicking links you receive in Twitter direct messages (DMs).
Regardless of whether your tweets are public or private, be careful what you tweet. I’ve seen people tweet pictures of credit cards and plane tickets, and tweet that they’re on vacation far from home. Be wise about what you share with others. Learn more about the dangers of posting about travel.