How to Secure Your X (Twitter) Account

Laptop showing generic account security controls for email, passkey, sessions, and connected apps

X hardening starts with the control paths that can reset or reuse the account: the inbox, recovery methods, signed-in sessions, and third-party app permissions.

If you lock those four areas down, most repeat takeovers lose their leverage. If one of them stays weak, the account can be pulled back again even after a password change.

Situation, first move, and why it matters:

  • You still have access. First move: secure email, then change the X password, set stronger 2FA, and review sessions. Why it matters: it stops the attacker before they build persistence.
  • You already see suspicious posts or DMs. First move: switch to recovery mode, preserve evidence, and revoke access. Why it matters: public harm and impersonation risk are already in play.
  • You changed the password but the behavior keeps returning. First move: assume a session or app token is still active. Why it matters: password changes alone do not remove every access path.
  • You clicked a message that looked like support. First move: use only official X pages and ignore requests for codes or passwords. Why it matters: phishing is still the shortest path into the account.

Safety note: X says it will never ask for your password by email, Direct Message, or reply. Any message asking for a code or password is a trap until proven otherwise.

Secure the inbox first

X recommends a strong unique password, two-factor authentication, password reset protection, and a secure email address tied to the account. That order matters because the inbox usually controls the recovery path.

  • Change the email password to something unique and store it in a password manager.
  • Turn on two-factor authentication for the email account too, not only for X.
  • Check recovery email, recovery phone, forwarding rules, filters, and any app passwords or sign-in exceptions.
  • Review recent sign-ins and sign out unknown devices.
  • Watch for fake X support messages. If an email claims to be from X, check it against the guide on how to identify scam emails before you click anything.

X also says its own security alerts will notify you when a suspicious login or email address change happens. Treat those alerts as a cue to stop, verify, and rotate credentials, not as noise.

Key idea: if the inbox is weak, X is weak. Most account recoveries fail when people harden X before they harden the email account that can reset X.

Choose the strongest 2FA you can keep

X currently offers text message, authentication app, security key, and passkey options depending on the path you are using. X also says passkeys are highly encouraged and that security keys can be your sole authentication method.

  • Use a passkey if the option is available on your device. Passkeys are less susceptible to phishing and are designed as a stronger alternative to passwords. See passkeys and X's passkey help page.
  • Use a security key if you want the most phishing-resistant setup X documents. See security keys. X says a security key can be the only method turned on.
  • Use an authentication app if you need a practical second factor without relying on SMS. X lists TOTP apps such as Google Authenticator, Authy, Duo Mobile, and 1Password on the 2FA setup page.
  • Use text message only if it is the only method you can keep reliably. If the phone number is also a recovery path, treat that number as part of the control plane, not as an afterthought.

For setup, X currently places 2FA under Settings and privacy, then Security and account access, then Security, then Two-factor authentication. The same page also shows backup codes for text-message enrollment and a login prompt that lets you choose a different 2FA method on subsequent sign-ins. See two-factor authentication and X's 2FA help page.

Rule of thumb: choose the method that survives device loss and phishing. In practice that means passkey or security key first, then an authentication app, then text message.

If X removes or disables your second factor unexpectedly, compare the behavior with the guide "Twitter removed my two-factor authentication without notice" before you assume it is a normal login problem.

Review sessions and connected apps

Third-party apps can do more than post for you. X's help center says authorized apps may read your posts, see who you follow, update your profile, access Direct Messages, and even see your email address depending on permissions. That is why session review and app review belong in the hardening workflow, not after it.

  • Open Apps and sessions in Settings and privacy.
  • Review active sessions and log out anything you do not recognize.
  • Revoke access for apps you do not use or do not trust.
  • If an app asked for your X username and password instead of using OAuth, revoke it and change your X password.
  • If a trusted third-party tool was using your password directly, update the password there too so repeated failed logins do not keep creating lockouts.

X specifically says OAuth is the secure connection method, and that apps should not need your password. If a login page looks off, go directly to X.com instead of following the app's link. See OAuth and X's third-party apps and sessions help page.

Common mistake: people change the password and stop there. That leaves the old session token or app access alive, which is enough for an attacker to keep acting on the account.
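To make the "password change alone is not enough" point concrete, here is an added illustration (not code from X or hacked.com) that models an account the way this article describes it: a password, signed-in sessions, and third-party app grants as three separate access paths. The class and field names, and the sample sessions and apps, are assumptions constructed for the model.

```python
from dataclasses import dataclass, field
from hashlib import sha256

@dataclass
class Session:
    token: str
    device: str

@dataclass
class AppGrant:
    app: str
    uses_oauth: bool  # False means the app was handed the raw password

@dataclass
class Account:
    password_hash: str
    sessions: list = field(default_factory=list)
    app_grants: list = field(default_factory=list)

    def change_password(self, new_password: str) -> None:
        # Rotates the credential only; already-issued tokens are untouched.
        self.password_hash = sha256(new_password.encode()).hexdigest()

    def live_access_paths(self) -> list:
        # Everything that can still act on the account without the password.
        return ([f"session:{s.device}" for s in self.sessions]
                + [f"app:{g.app}" for g in self.app_grants])

    def contain(self, keep_device: str, trusted_apps: set) -> list:
        # The article's workflow: log out unrecognized sessions, revoke untrusted
        # apps, and drop any app that used the password instead of OAuth.
        removed = [f"session:{s.device}" for s in self.sessions
                   if s.device != keep_device]
        self.sessions = [s for s in self.sessions if s.device == keep_device]
        removed += [f"app:{g.app}" for g in self.app_grants
                    if g.app not in trusted_apps or not g.uses_oauth]
        self.app_grants = [g for g in self.app_grants
                           if g.app in trusted_apps and g.uses_oauth]
        return removed

def demo() -> tuple:
    # Constructed sample state: the owner's phone, an unknown browser session,
    # an OAuth scheduler the owner trusts, and a DM bot given the password.
    acct = Account(sha256(b"old-pass").hexdigest(),
                   [Session("t1", "owner-phone"), Session("t2", "unknown-browser")],
                   [AppGrant("scheduler", True), AppGrant("dm-bot", False)])
    acct.change_password("new-unique-pass")
    after_password = acct.live_access_paths()  # all four paths still live
    removed = acct.contain("owner-phone", {"scheduler"})
    return after_password, removed, acct.live_access_paths()
```

Run demo() to see that the unknown browser session and the password-based bot survive the password rotation and disappear only when sessions and app grants are reviewed explicitly.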

Contain impersonation before it spreads

If the account is public, the damage is often not only access. Attackers use the profile to impersonate you, push scams, or send follower-targeted DMs. Save screenshots and the account URL before you make cosmetic changes if the account is already behaving oddly.

  • Capture the handle, profile URL, suspicious posts, DMs, and any changed bio or avatar.
  • Use a trusted channel outside X to warn people who might have seen the scam content.
  • Report impersonation through X's authenticity flow if your name, brand, or account identity is being copied.
  • If the issue is already active on a public profile, consider pausing posting until sessions and apps are clean.

X's report page says you do not need an X account to file an impersonation report. Use that path when the account itself is part of the problem, or when someone is copying your identity on the platform. See X's report impersonation help page.

If compromise is already suspected

If you are seeing unexpected posts, DMs, follows, password reset emails, or email address changes, stop treating the problem as hardening and switch to containment.

  • Change the X password immediately.
  • Secure the email account attached to X.
  • Revoke third-party app access.
  • Log out other sessions.
  • Delete unwanted posts and scan devices for malware.
  • If you are still locked out, use the support request path and include your username and the date you last had access.

X's compromised-account guidance also says to change passwords in trusted third-party apps that were using the X password, because otherwise failed login attempts can keep locking you out. If access is gone entirely, move to the recovery workflow in how to recover a hacked X account.

For official support, X says to use the compromised account help page if you can still log in, or the help center contact forms if you need the account-access route.

Keep the account quiet for a week

After you harden the account, watch the signals that usually show persistence: unexpected login alerts, new app connections, password reset emails, or people telling you the account is sending odd DMs. If any of those appear, go back to sessions, apps, and email security before making more cosmetic changes.

Keep the device clean too. X recommends updated browser and operating system software, plus malware scanning, because compromised devices can keep reintroducing the problem even after a successful password change.

The strongest account setup is not the one with the most features turned on. It is the one you can still operate when your phone is lost, your inbox is noisy, and a fake support email arrives at the worst possible time.

That is why email control, phishing resistance, session cleanup, and app hygiene belong together. Each one removes a different way back in.

If those controls stay consistent, X becomes predictable to defend. If one of them drifts, the attacker only needs the weakest link once.