Meta has started rolling out a new WhatsApp lockdown-style security feature designed to protect journalists, public figures, and other high-risk individuals from sophisticated threats, including spyware attacks.
Known as “Strict Account Settings,” this new feature builds on already existing end-to-end encryption by adding extreme safeguards for users who require heightened protection beyond standard security measures.
Users can enable these new extreme privacy and security controls only from their primary device by toggling on the “Strict account settings” option under Settings > Privacy > Advanced.
Once enabled, it will apply the most restrictive privacy controls, automatically turning on two-step verification, blocking media and attachments from unknown senders, silencing calls from unknown people, turning off link previews, locking access to the users’ last seen and online information, profile photo, About details, and profile links, and limiting other features that could expose users to attacks.
“We will always defend that right to privacy for everyone, starting with default end-to-end encryption. But we also know that a few of our users – like journalists or public-facing figures – may need extreme safeguards against rare and highly-sophisticated cyber attacks,” WhatsApp said in a Tuesday blog post.
“This feature is built for the very few users who may be the target of such attacks. Therefore, you should only turn this on if you think you may be a target of a sophisticated cyber campaign. Most people are not targeted by such attacks,” it added in a separate support document.
WhatsApp said that the feature will roll out gradually over the coming weeks and revealed that it’s also slowly migrating to the Rust programming language behind the scenes to boost protection against spyware targeting photos, videos, and messages.
Meta’s announcement comes after many journalists, activists, and political figures have had their phones infected with spyware, such as NSO Group’s Pegasus, through messaging apps like WhatsApp in attacks involving zero-click exploits, which allow threat actors (more often than not government-sponsored) to hack iOS and Android devices without user interaction.
In August, WhatsApp patched a zero-day vulnerability in its iOS and macOS messaging clients that was exploited in targeted zero-click attacks, months after releasing security updates to address another zero-day flaw that was used to infect devices with Paragon Graphite spyware.
In November 2024, court documents also revealed that the NSO Group Israeli surveillance firm allegedly deployed several zero-day exploits even after being sued by WhatsApp. In May 2025, the company was also fined $167 million for spyware attacks that targeted 1,400 WhatsApp users in 2019.
Apple rolled out its own Lockdown Mode almost three years ago, in July 2022, to protect high-risk individuals, such as journalists, activists, human rights defenders, and dissidents, against targeted spyware attacks by “strictly limits certain functionalities, sharply reducing the attack surface that potentially could be exploited by highly targeted mercenary spyware” on iOS, iPadOS, and macOS devices.
As MCP (Model Context Protocol) becomes the standard for connecting LLMs to tools and data, security teams are moving fast to keep these new services safe.
This free cheat sheet outlines 7 best practices you can start using today.