MetaMask Security: 7 Settings You Must Change NOW

MetaMask is one of the most popular wallets in crypto—used by millions to store, send, and swap digital assets. But with great convenience comes great responsibility. A single wrong click or missed setting could expose your funds to phishing, hacks, or even total loss.

If you’re using MetaMask, take 5 minutes to tighten your wallet security by changing these 7 critical settings. Don’t wait until it’s too late.

7 Settings You Must Change Now to Boost Your MetaMask Security

1. Disable Token Detection

When enabled, MetaMask does the following:

  • Scans your wallet address and queries external APIs to detect any ERC-20 or ERC-721 tokens associated with it.
  • Automatically adds those tokens to your wallet interface so you can see them without manually importing contract addresses.

Sounds useful, right?

But here’s the problem:

Why You Should Disable It

1. Privacy Leakage

Token Detection sends your public wallet address to third-party services. This creates a direct link between your IP address, browser fingerprint, and your wallet activity.

You’re essentially telling outside companies:

“Hey, here’s my address—can you tell me what I own?”

They now know:

  • Which tokens you hold
  • How active your wallet is
  • When and where you’re checking it from

This data can be used to profile you, advertise to you, or worse—target you for scams or phishing attempts.

2. Automatic Trust in Untrusted Tokens

Scammers often airdrop malicious or “dust” tokens to wallets. These tokens might:

  • Tempt you into clicking malicious dApps or fake swaps
  • Be used to trick you into approving harmful contracts
  • Be part of social engineering scams (“Look, you won a token!”)

With Token Detection on, these tokens automatically appear in your MetaMask UI, giving them undeserved legitimacy.

3. Clutter & Confusion

Your wallet interface can get messy with dozens of irrelevant tokens you never asked for. This makes it harder to manage the tokens that actually matter to you.

This setting adds tokens to your wallet automatically, but it relies on third-party APIs, which introduces risk. More importantly, it encourages blind trust in unfamiliar tokens.

How to Fix It

  • Go to Settings → Security & Privacy
  • Toggle off “Autodetect tokens”

Do the same for NFTs.

2. Manually Review Every Approval

When you connect your MetaMask wallet to a decentralized app (dApp), you’re often prompted to grant permissions to access or spend your tokens. Many users, especially beginners, click “Approve” without fully understanding what they’re agreeing to.

But here’s the problem:

That approval could give the dApp unlimited access to a token—which means it can drain your entire balance of that token at any time, without additional confirmation.

In some cases, malicious smart contracts have waited days or weeks before exploiting token approvals. Others might appear legitimate at first but get compromised or rug-pulled later. Once approved, the damage is often irreversible.

Never approve token permissions without reading the message. Look out for:

  • Spend limit: Many dApps request “Unlimited” spending. Opt for a custom limit if possible.
  • Contract address: Double-check the contract being interacted with, especially on lesser-known platforms.
  • Network: Confirm you’re on the right chain (Ethereum, Polygon, etc.).
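As an added illustration (not code from the original post), the following JavaScript decodes the calldata behind an ERC-20 “Approve” prompt, i.e. a call to approve(address,uint256), and applies the checklist above: is the spender the contract you meant to use, and is the spend limit unlimited or larger than the action needs? The selector 0x095ea7b3 is the standard ERC-20 one; the spender address and token amounts are constructed placeholders.

```javascript
// Added example, not part of the original post: decode the calldata behind an
// ERC-20 "Approve" prompt and flag what a careful user should look at.
const APPROVE_SELECTOR = "0x095ea7b3"; // first 4 bytes of keccak256("approve(address,uint256)")
const MAX_UINT256 = (1n << 256n) - 1n;  // what MetaMask shows as an "Unlimited" spend limit

// ABI-encode approve(spender, amount): selector + two 32-byte words. Used here only
// to build constructed sample calldata for the demo.
function encodeApprove(spender, amount) {
  const addrWord = spender.toLowerCase().replace(/^0x/, "").padStart(64, "0");
  const amountWord = amount.toString(16).padStart(64, "0");
  return APPROVE_SELECTOR + addrWord + amountWord;
}

// Decode approve() calldata; returns null for anything that is not a well-formed approve call.
function decodeApprove(calldata) {
  const hex = calldata.toLowerCase();
  if (!hex.startsWith(APPROVE_SELECTOR) || hex.length !== 2 + 8 + 64 + 64) return null;
  const addrWord = hex.slice(10, 74);
  const amountWord = hex.slice(74, 138);
  if (!/^0{24}[0-9a-f]{40}$/.test(addrWord)) return null; // address must be left-padded with zeros
  return { spender: "0x" + addrWord.slice(24), amount: BigInt("0x" + amountWord) };
}

// Review the approval the way the checklist says to: is the spender the contract you
// meant to interact with, and is the limit scoped to what this action actually needs?
function reviewApproval(calldata, expectedSpender, neededAmount) {
  const decoded = decodeApprove(calldata);
  if (!decoded) return { verdict: "NOT-AN-APPROVE" };
  const { spender, amount } = decoded;
  let verdict;
  if (spender !== expectedSpender.toLowerCase()) verdict = "UNEXPECTED-SPENDER";
  else if (amount === MAX_UINT256) verdict = "UNLIMITED";
  else if (amount > neededAmount) verdict = "MORE-THAN-NEEDED";
  else verdict = "SCOPED";
  return { spender, amount: amount.toString(), verdict };
}

// Constructed demo values: placeholder spender and a swap that needs 1 token (18 decimals).
const DEMO_SPENDER = "0x1111111111111111111111111111111111111111";
const ONE_TOKEN = 10n ** 18n;
const DEMO_CALLDATA = encodeApprove(DEMO_SPENDER, MAX_UINT256);
console.log(reviewApproval(DEMO_CALLDATA, DEMO_SPENDER, ONE_TOKEN)); // verdict: "UNLIMITED"
```

A real prompt shows the same information in the “Spending cap” and contract fields; the point is that anything other than a scoped limit to a spender you recognise deserves a second look before confirming.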

Pro Tip: Revoke Old Approvals Regularly

Use https://revoke.cash to audit your wallet. It shows a list of dApps that have access to your tokens, along with their approval limits.

If you see anything you don’t recognize—or approvals you no longer use—revoke them immediately. Think of it like deactivating old access keys to your vault.

3. Disable “Show Incoming Transactions”

At first glance, the “Show Incoming Transactions” feature in MetaMask sounds convenient. It allows you to see tokens or funds being sent to your wallet—even before you interact with them.

But there’s a catch:

To enable this feature, MetaMask relies on third-party APIs like Etherscan or Blocknative to fetch that transaction data. This means your wallet address is shared with external services, which can then log, monitor, and track your on-chain behavior.

The Hidden Privacy Risk

Every time your wallet checks for incoming transactions via these APIs, it sends your IP address and public wallet address together. This effectively links your digital identity to your physical location or device, violating one of the core principles of Web3—privacy and self-sovereignty.

Even if these services don’t misuse the data today, their databases could be compromised or sold. Worse still, it can be used to:

  • Build shadow profiles of your wallet activity.
  • Connect multiple wallets you own based on IP overlaps.
  • Target you for phishing or scam attempts based on your holdings.

How to Fix It

It’s a quick fix:

  • Go to Settings → Security & Privacy
  • Toggle off the option for “Show Incoming Transactions”

Once disabled, MetaMask will only show transactions that you’ve initiated—not unsolicited ones or tokens someone randomly sends you.


4. Use a Custom RPC (and avoid the default)

Most MetaMask users don’t realize this:

By default, MetaMask routes your blockchain traffic through Infura—a centralized RPC provider owned by ConsenSys. This means your IP address and wallet activity can be logged and linked together.

So even if you’re using a self-custodial wallet, your on-chain actions aren’t entirely private.

How to protect your privacy:

1. Go to MetaMask → Settings → Networks → Add Network

2. Choose a privacy-respecting RPC provider, like:

  • Ankr
  • Alchemy
  • Chainstack
  • Or better: run your own node (advanced users)

Some of these services offer enhanced privacy modes, rate limiting controls, and no data logging.

Why this matters:

In DeFi, your financial activity is public by design. That makes network-level privacy even more important. Don’t let your IP become the weak link.

Take control. Use a better RPC.

5. Set a Strong Password (and store your seed securely)

It’s shocking how many users still use weak passwords like “123456” or reuse passwords across platforms.

How to fix it:

  • Use a long, complex MetaMask password (minimum 12 characters).
  • Store your seed phrase offline—preferably on a steel plate or air-gapped device. Never upload it to the cloud.

🚫 Never screenshot. Never email. Never Google Doc.

6. Enable Phishing Detection

MetaMask includes a built-in blocklist for malicious websites. If you disabled it for some reason, re-enable it now.

How to fix it:

  • Settings → Security & Privacy.
  • Toggle ON “Phishing Detection.”

It’s your first line of defense against scammy links.


7. Customize transaction nonce

What is a Nonce in Ethereum?

  • Every transaction sent from your wallet has a unique nonce—a sequential number that starts from 0 and increases by 1 with each transaction.
  • Ethereum uses this to ensure that transactions are processed in the correct order.
  • If two transactions have the same nonce, only one will go through—the other will be dropped or stuck.

Why Customize the Nonce?

1. Speed Up or Replace Stuck Transactions

Ever sent a transaction with too low a gas fee and it got stuck for hours (or days)?

You can send a new transaction with the same nonce and a higher gas fee, and it will replace the stuck one.

This is called “speeding up” or “canceling” a transaction—made possible only when you can control the nonce.

2. Maintain Custom Transaction Sequences

Advanced users, DeFi traders, and developers often need to:

  • Send multiple transactions out of order
  • Cancel or overwrite pending ones
  • Manually manage sequence gaps (e.g., after using other wallets with the same address)

Having nonce control gives you precision over execution, which is critical in time-sensitive actions like arbitrage, flash loans, or minting NFTs.

3. Protect Against Front-running or Sandwich Attacks

Some traders use nonces in conjunction with gas settings to obfuscate their activity from front-runners or MEV bots. While nonce control alone isn’t a shield, it’s an essential tool in more advanced anti-MEV strategies.

How to Enable It in MetaMask

  • Go to Settings → Advanced
  • Find “Customize transaction nonce”
  • Toggle it ON

Now, when sending a transaction, you’ll see an extra field that lets you enter a custom nonce.
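As an added example (not code from the original post), this JavaScript models how a node’s transaction pool treats one account’s transactions: a second transaction with the same nonce replaces the first only if it pays a higher fee, a duplicate at the same fee is dropped, and a nonce gap holds back everything queued behind it. The 10% minimum fee bump is geth’s default replacement rule and is assumed here; the transactions are constructed.

```javascript
// Added example, not part of the original post: a minimal model of one account's
// pending transactions, showing why nonce control matters for "speed up" / "cancel".
const MIN_BUMP_PERCENT = 10n; // assumed: geth's default minimum price bump for a replacement

class AccountQueue {
  constructor(confirmedNonce = 0) {
    this.next = confirmedNonce;   // nonce the next executable transaction must carry
    this.pending = new Map();     // nonce -> { nonce, gasPrice (BigInt), label }
  }

  // Submit a transaction; returns a short description of what the pool did with it.
  submit(tx) {
    if (tx.nonce < this.next) return "rejected: nonce already used";
    const existing = this.pending.get(tx.nonce);
    if (existing) {
      // Same nonce: only a sufficiently higher fee may replace the pending one.
      // A "cancel" is just such a replacement that sends 0 ETH back to yourself.
      const required = existing.gasPrice + (existing.gasPrice * MIN_BUMP_PERCENT) / 100n;
      if (tx.gasPrice < required) return "rejected: replacement underpriced";
      this.pending.set(tx.nonce, tx);
      return `replaced ${existing.label} with ${tx.label}`;
    }
    this.pending.set(tx.nonce, tx);
    return `queued ${tx.label}`;
  }

  // Mine everything executable: nonces must be contiguous from this.next, so a gap
  // leaves later transactions stuck no matter how much gas they pay.
  mine() {
    const mined = [];
    while (this.pending.has(this.next)) {
      mined.push(this.pending.get(this.next).label);
      this.pending.delete(this.next);
      this.next += 1;
    }
    return mined;
  }
}

// Constructed walkthrough: a stuck transaction at nonce 5, then a speed-up.
const demo = new AccountQueue(5);
demo.submit({ nonce: 5, gasPrice: 10n, label: "stuck" });
console.log(demo.submit({ nonce: 5, gasPrice: 10n, label: "dup" }));     // rejected: replacement underpriced
console.log(demo.submit({ nonce: 5, gasPrice: 11n, label: "speedup" })); // replaced stuck with speedup
```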


Final Thoughts: Lock Down Your MetaMask Now

MetaMask is one of the most powerful tools in Web3—but with great power comes great responsibility. Many of its default settings prioritize convenience over security, leaving your wallet vulnerable to scams, tracking, or worse—total loss of funds.

By changing just a few settings, you can dramatically reduce your attack surface, protect your privacy, and stay in control of your assets.

As you explore the decentralized world—whether you’re trading, collecting, or minting on platforms like Spaace.io, a next-gen NFT marketplace offering 100% revenue-sharing—wallet security should be non-negotiable.

Because in crypto, you are your own bank. There’s no “forgot password” button if something goes wrong. Taking five minutes to harden your MetaMask today could save you thousands tomorrow.

Spaace Team
We’re builders, collectors, and full-time explorers of the NFT frontier — and we like to share what we learn along the way.