How to keep your Facebook account safe and secure

Simple steps to social media lockdown.
A person using Facebook on a laptop while sitting in front of a table with books on it.
You can use Facebook to share yourself with the world—just don't share too much. Kaboompics/Pexels

This article has been updated. It was originally published on March 30, 2017.

If you want to stay safe online, Facebook is an important part of the audit that’s required. Not only can unauthorized access reveal some of your most sensitive information, it can also lead hackers into other apps and accounts you’re connected to.

Fortunately, Facebook has a wealth of tools and features designed to ensure that you—and only you—can get access. Before your next round of News Feed browsing and status updating, make sure you switch them on.

Make full use of Facebook’s security settings

Facebook's page for account security settings
Facebook lets you make it harder for anyone else to gain access. David Nield

Account protection starts with your password: the longer, and the more difficult to guess, the better. That means avoiding anything like “1234”, “password”, or your pet’s first name (especially if your pet’s name is all over your linked Instagram account).

We wholeheartedly recommend turning on two-step verification too, which adds an extra layer of security and should really be enabled on all your accounts. It means that your account can’t be accessed with a username and password alone. In Facebook’s case, you’ll also need a code from a phone that’s verified and linked to your account.

[Related: How to protect all your online accounts]

Get this set up by opening Facebook settings on the web, then clicking Security and Login, followed by the Edit button next to the heading marked Use two-factor authentication. You can have an extra code sent to you via text message whenever you need to access your account from a new device, generate codes through an authentication app like Google Authenticator (for Android and iOS), or use a physical security key like YubiKey.

Another option is the Get alerts about unrecognized logins one. Click Edit here then turn notifications on, and you’ll get mobile alerts and emails if someone tries to access your account from an unrecognized device (one you haven’t used before). If it’s not you doing the accessing, you can quickly block the request.

Check for suspicious activity

A list of Facebook logins within the Facebook security settings page
Review the places where you’re logged into Facebook. David Nield

Other options on the Facebook settings page on the web can help you keep tabs on where your account is being accessed. If someone has managed to get into your Facebook profile, this is where you can find out about it.

Click the Security and Login tab, then check the devices under Where You’re Logged In (click See More) if you need to. This list shows web browsers, phones, and tablets where your account is currently active, so you should end the activity on any devices you don’t recognize (or that you’ve sold or given away). To do so, click the three vertical dots next to the device, then click Log Out.

While you’re on this screen, use the trusted contacts option under Settings Up Extra Security to specify three to five people you really trust. If you ever lose access to your Facebook account, these contacts will get a code they can pass on to you to let you back in, proving that you are who you say you are.

Another way hackers can gain access to your account is through third-party apps you’ve connected. Open the Apps and Websites tab from the menu on the left and remove access to any apps or services you don’t need any more (like that dating app you ditched three years ago). These connections aren’t necessarily dangerous, but the fewer of them you have, the safer you are.

Protect your privacy

Facebook's tagging options on its security and privacy settings page
Take control over who can tag you on Facebook. David Nield

Tightening the privacy around your Facebook account leaves hackers, marketers and stalkers alike with less to work with. Think twice about anything you share, and use the audience selector drop-down menu that appears under your name in the post box to choose who can see your posts.

Public posts can be viewed by anyone on the web, whether or not they’re friends with you. To see all the public updates you’ve posted, head to your profile page, click the three dots at the far right of the menu under your cover photo, and choose View As. You can also hide past public posts by opening the Privacy tab from the left-hand menu, finding Your Activity, and clicking Limit Past Posts.

[Related: How to make your Facebook account more private]

Head to the Profile and Tagging page to control the posts other people tag you in—the third group of options lets you review any tags before they go live. It won’t stop a “buddy” from uploading an embarrassing photo of you (there’s not much you can do about that beyond appealing to their better nature), but it will stop the post from being tagged and showing up on your personal Facebook page.

On the same page, you can also set the audience for posts you’re tagged in. By default, all your friends will see something you get tagged in, but you can set this to Only Me if you want to keep a lower profile.

Apply common sense

Windows Defender on a Windows computer
Applications like Windows Defender protect your computer, and by extension your social media accounts. David Nield

Restricting the audience for your Facebook posts isn’t directly linked to keeping your account more secure, but scammers and hackers will use any information they can get about you to try and wrestle your account from you—or to try and access something else, like your email, through Facebook.

You should therefore apply some common sense about who you make friends with on the social network and the sort of details you’re sharing. If your place of work, birthday, favorite movie, and pet’s name are all visible in public posts, you’ve made it a lot easier for someone to pretend to be you with those details at hand.

Social engineering—those old-fashioned con tricks—still play a major role in today’s tech-savvy world, so beware of links coming through emails or across messaging apps that make no sense or appear to come out of the blue. Be aware of the data you share over the phone or email, especially if you didn’t initiate the conversation.

You’ll also need to pay attention to computer and browser you use to access Facebook. Make sure you’re running up-to-date software at all times, with a solid antivirus tool installed, and avoid any suspect-looking browser extensions or Facebook add-ons that come from unknown developers, as they may well be looking for an easy way to get into your account.