WhatsApp is beginning a gradual rollout of a new optional security feature called Strict account settings, aimed at users who may face a higher risk of targeted cyberattacks. The feature is designed for people such as journalists, activists, and public-facing professionals whose accounts may be attractive targets for spyware, social engineering, or other forms of digital surveillance.
Strict account settings function as a bundled security mode that automatically applies WhatsApp’s most restrictive privacy and safety options in one step. Rather than requiring users to manually adjust multiple menus, the setting locks down several parts of the account at once and prevents those options from being loosened unless the mode is turned off entirely. The approach mirrors similar efforts by other platform providers to create high-security profiles for vulnerable users, including comparable tools introduced at the operating system level by Apple.
One of the most immediate changes affects how messages and media are handled. When Strict account settings are enabled, attachments and media from senders who are not in the user’s contacts are automatically blocked. This reduces exposure to malicious files and so-called zero-click exploits that can be delivered through seemingly harmless images or documents. Link previews are also disabled, limiting the amount of data processed from external sources.
Account-level protections are tightened as well. Two-step verification is automatically enabled and cannot be turned off while the mode is active. Security notifications are also locked on, ensuring users are alerted if encryption keys change. For those who use backups, WhatsApp strongly encourages the use of end-to-end encrypted backups, aligning with its broader push toward keeping user data inaccessible even in the event of account compromise.
Profile visibility is another area affected by the new setting. Information such as profile photos, last seen and online status, about details, and profile links are restricted to contacts only or to a pre-defined, more selective list of people. Group invitations are similarly limited, preventing unknown accounts from adding users to group chats without approval. WhatsApp has previously identified unwanted group additions as a common vector for harassment and phishing attempts.
Strict account settings can be found under Settings, then Privacy, and finally Advanced. WhatsApp notes that the rollout is happening in stages over the coming weeks, so availability may vary by region. The feature must be managed from a user’s primary device and is not accessible through WhatsApp Web, reflecting the higher trust placed in devices with local authentication.
Alongside the feature launch, WhatsApp also disclosed ongoing changes to its underlying software infrastructure, including a transition of certain components to the Rust programming language. According to the company, this shift improves memory safety and reduces classes of vulnerabilities that spyware has historically exploited. Additional technical details have been shared through Meta’s engineering channels.
Strict account settings do not introduce entirely new protections, but they consolidate existing ones into a clearer, more defensive posture. For most users, the default experience may remain sufficient. For those at higher risk, however, the new mode offers a simpler way to prioritize security over convenience without needing deep technical knowledge.
