The seven settings every MetaMask user should change

MetaMask is the default Ethereum wallet for retail users. It is also the wallet most targeted by phishing operations, drainer toolkits, and malicious browser extensions. Out of the box, MetaMask's defaults prioritize usability over security. The following seven changes flip that priority.

The settings, in order of impact

  • Enable hardware-wallet pairing for any address holding more than $1,000. Connect a Ledger or Trezor through MetaMask's "Connect hardware wallet" flow and sign every transaction on the device. The MetaMask extension becomes a viewer and transaction builder, not a signer: the private key never enters the browser. The seed phrase in MetaMask itself then backs a low-value account used for gas and small DeFi positions. The device only helps if you read its screen: confirm the destination, amount and contract on the device display, not in the browser, and be suspicious whenever the device can only show you a hash ("blind signing") instead of decoded fields.
  • Keep "phishing detection" on and add a second list. MetaMask's built-in detection (the warning page for known scam domains) is good but not exhaustive. uBlock Origin with a phishing-protection list catches domains MetaMask's list has not picked up yet, and the two lists miss different things. Run both, and understand the layers: a domain registered this morning is on neither list, so blocklists are a backstop, not the control.
  • Turn on Blockaid security alerts. Settings → Experimental → Security alerts in the release this was written against; newer releases list it under Settings → Security & privacy and enable it by default, so confirm it shows as on rather than assuming. This runs Blockaid's real-time simulation and risk scoring over transaction and signature requests before you confirm them. The red banner on a high-risk approval or signature is the single highest-value alert in the MetaMask UI. Treat a missing banner as no information rather than a clean bill: the check is a heuristic and is not available for every chain or request type.
  • Turn off "Autodetect tokens" (Settings → Security & privacy; older versions kept token detection under Experimental or Advanced). Auto-detection surfaces every token airdropped to your address, including the "dust" tokens scammers send as bait. A token sitting in your wallet cannot hurt you by itself; the damage happens when you try to sell or "claim" it and sign an approval to the scammer's contract, or visit the site advertised in its name. Hide such tokens; never interact with them.
  • Use a private-mempool RPC for high-stakes transactions. Add Ethereum mainnet (chain ID 1) a second time under Settings → Networks with Flashbots Protect (https://rpc.flashbots.net) or MEV Blocker (https://rpc.mevblocker.io) as the RPC URL, copying the URL from the provider's own documentation rather than from a search result, and switch to it for swaps over $5K. Transactions sent through it skip the public mempool, which removes the visibility that sandwich attacks and front-running depend on. It does not make a bad trade good: it relies on the relay and the block builders it forwards to behaving as promised, it does not replace a tight slippage setting, and the endpoint sees every balance and transaction query you make while it is selected, so it is also a privacy trade-off. Check the provider's documented behaviour for transactions that are not included quickly.
  • Lock the extension after 5 minutes of inactivity. Settings → Advanced → Auto-lock timer (minutes). Default is 12 hours. Nothing signs without a click in the popup even when the wallet is unlocked, but an unlocked wallet answers queries from every site you have connected and pops up their requests for the whole browsing session, and shows your accounts to anyone at the keyboard. A locked wallet asks for the password first, which is the moment you notice a request you did not initiate.
  • Audit token approvals monthly via revoke.cash. Not a MetaMask setting, but a MetaMask hygiene practice. Most users accumulate 30–80 stale approvals from DeFi experiments, many of them unlimited, and each one lets that contract (or whoever controls or has compromised it) move that token out of your wallet without a further signature. Revoking is an on-chain transaction per approval, so it costs gas; when a dapp offers the choice, approve the exact amount rather than unlimited, so there is less to clean up. Check the signature-based approvals (Permit2 and marketplace listings) as well; revoke.cash lists them separately from on-chain allowances.
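A worked example of the approvals audit the last item describes, added here as illustration and not code from MetaMask or revoke.cash: it decodes ERC-20 Approval events in the shape eth_getLogs returns, keeps the most recent allowance per token and spender, and flags the ones that are unlimited or stale. The addresses, block numbers and log entries are constructed; the topic hash and the 2^256-1 "unlimited" value are the standard ones.

```javascript
// Added example, not MetaMask or revoke.cash code: triage ERC-20 Approval logs
// for an owner address and flag allowances that are unlimited or stale.
// Input shape matches what eth_getLogs returns; the entries below are constructed.

// keccak256("Approval(address,address,uint256)"). ERC-721 Approval hashes to the
// same topic but carries the tokenId as a fourth indexed topic, so it is filtered out.
const APPROVAL_TOPIC =
  '0x8c5be1e5ebec7d5bd14f71427d1e84f3dd0314c0f7b2291e5b200ac8c7c3b925';
const MAX_UINT256 = (1n << 256n) - 1n;

// Indexed address parameters are left-padded to 32 bytes in the topic.
const topicToAddress = (topic) => '0x' + topic.slice(-40).toLowerCase();
// Inverse helper, used only to build the constructed sample below.
const addressToTopic = (addr) => '0x' + addr.slice(2).toLowerCase().padStart(64, '0');

function decodeApproval(log) {
  if (log.topics.length !== 3 || log.topics[0] !== APPROVAL_TOPIC) return null;
  return {
    token: log.address.toLowerCase(),
    owner: topicToAddress(log.topics[1]),
    spender: topicToAddress(log.topics[2]),
    value: BigInt(log.data),
    blockNumber: Number(log.blockNumber),
    logIndex: Number(log.logIndex),
  };
}

// Keep only the newest Approval per (token, spender): the latest event is the
// allowance the owner last granted. Spends via transferFrom lower it without a
// new Approval on many tokens, so treat the result as an upper bound and confirm
// with an allowance(owner, spender) call before deciding a row is harmless.
function triageApprovals(logs, owner, headBlock, staleAfterBlocks) {
  const latest = new Map();
  for (const log of logs) {
    const a = decodeApproval(log);
    if (!a || a.owner !== owner.toLowerCase()) continue;
    const key = `${a.token}:${a.spender}`;
    const prev = latest.get(key);
    const newer = !prev || a.blockNumber > prev.blockNumber ||
      (a.blockNumber === prev.blockNumber && a.logIndex > prev.logIndex);
    if (newer) latest.set(key, a);
  }
  const report = [];
  for (const a of latest.values()) {
    if (a.value === 0n) continue; // already revoked
    report.push({
      token: a.token, spender: a.spender, allowance: a.value, block: a.blockNumber,
      unlimited: a.value === MAX_UINT256,
      stale: headBlock - a.blockNumber > staleAfterBlocks,
    });
  }
  // Unlimited first, then stale, then oldest.
  return report.sort((x, y) =>
    (y.unlimited - x.unlimited) || (y.stale - x.stale) || (x.block - y.block));
}

// Constructed sample: one owner, three tokens, three spenders, one ERC-721 event
// and one event for a different owner. None of these addresses are real deployments.
const OWNER = '0x' + 'aa'.repeat(20);
const OTHER_OWNER = '0x' + 'bb'.repeat(20);
const TOKEN_A = '0x' + '11'.repeat(20), TOKEN_B = '0x' + '22'.repeat(20), TOKEN_C = '0x' + '33'.repeat(20);
const SPENDER_1 = '0x' + '01'.repeat(20), SPENDER_2 = '0x' + '02'.repeat(20), SPENDER_3 = '0x' + '03'.repeat(20);
const uint256Hex = (n) => '0x' + n.toString(16).padStart(64, '0');
const approval = (token, owner, spender, value, blockNumber, logIndex) => ({
  address: token,
  topics: [APPROVAL_TOPIC, addressToTopic(owner), addressToTopic(spender)],
  data: uint256Hex(value),
  blockNumber: '0x' + blockNumber.toString(16),
  logIndex: '0x' + logIndex.toString(16),
});

const SAMPLE_LOGS = [
  approval(TOKEN_A, OWNER, SPENDER_1, MAX_UINT256, 17000000, 5),        // unlimited, later revoked
  approval(TOKEN_A, OWNER, SPENDER_1, 0n, 18500000, 12),                // the revoke
  approval(TOKEN_B, OWNER, SPENDER_2, 1000000000n, 19000000, 3),        // exact amount, recent
  approval(TOKEN_C, OWNER, SPENDER_3, MAX_UINT256, 16000000, 9),        // unlimited and stale
  approval(TOKEN_A, OTHER_OWNER, SPENDER_1, MAX_UINT256, 19050000, 1),  // someone else's wallet
  { ...approval(TOKEN_C, OWNER, SPENDER_3, 0n, 19060000, 2),            // ERC-721 shape: 4 topics, empty data
    topics: [APPROVAL_TOPIC, addressToTopic(OWNER), addressToTopic(SPENDER_3), uint256Hex(42n)],
    data: '0x' },
];

console.log(triageApprovals(SAMPLE_LOGS, OWNER, 19100000, 1000000));
```

Feed it the result of eth_getLogs filtered on topic0 = the Approval hash and topic1 = your address padded to 32 bytes, over the full block range (most public RPCs make you page through that), then confirm each flagged row with an allowance(owner, spender) call before deciding it is safe to leave in place.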

The phishing-resistance posture

Most MetaMask compromises start with a phishing site, not with a bug in the extension. The defensive layer most users miss is procedural: reach every site you connect a wallet to through a bookmark you created from a URL you verified once. Never search "uniswap" in Google, where sponsored results impersonate the real site. Never click the first link in a Discord message. Never approve a "verification signature" on a site you reached through a redirect: a legitimate sign-in message (EIP-4361 style) is plain text you can read in the MetaMask popup, whereas a "verification" that asks you to sign a Permit, a setApprovalForAll, or hex data you cannot read is an approval in disguise.

The seed-phrase protection

The MetaMask seed phrase lives in the extension's local storage as a vault: the keyrings are encrypted with AES-GCM under a key derived from your password with PBKDF2. Anyone who can copy that blob (malware on the machine, a synced browser profile, someone with the unlocked laptop) can guess passwords against it offline at full speed with nothing to rate-limit them, so a weak password (12345, your name) means the seed is effectively in plaintext. Use a strong password (16+ characters, generated by a password manager). Then store that password in the password manager, not in your head, because forgetting the MetaMask password requires resetting the wallet and re-importing the seed, which means re-typing the 12 or 24 words into a browser, exactly the operation the rest of this page tries to avoid. The password protects the vault at rest only; once the wallet is unlocked, the decrypted keys sit in the extension's memory.

The browser profile separation

Run MetaMask in a dedicated browser profile that has only two extensions: MetaMask and uBlock Origin. Use that profile only for wallet interactions. Every other browsing activity (work, email, news, social) happens in a separate profile that does not have MetaMask installed. This removes the cross-tab and cross-extension exposure from everyday browsing: a page or extension in the other profile cannot see that the wallet exists, let alone prompt it. Keep the wallet profile's extension list at two on purpose, because any extension with broad host permissions can read and rewrite dapp pages, including the addresses shown to you. Inside the wallet profile, still disconnect sites you are done with (the connected-sites list in the account menu), since a connected site can read your address and send requests for as long as the connection stands.