How to Protect Your Mac: 12 Steps That Actually Matter in 2026
Most Mac security advice falls into two camps: people telling you Macs are invincible (they're not), or people trying to sell you a $70/year subscription you probably don't need. The truth is in the middle, and the most effective protections are free and take about 30 minutes to set up.
I've been building Mac security software for the past two years, and I've seen hundreds of machines — some compromised, most not. Here's what actually matters, ranked roughly by impact.
1. Turn On FileVault Disk Encryption
This is the single most important thing you can do if you ever take your Mac outside your home. FileVault encrypts your entire startup disk, which means if someone steals your laptop, they can't read your files — even if they pull the SSD out.
Go to System Settings > Privacy & Security > FileVault and turn it on. On Apple Silicon Macs, the performance impact is essentially zero because encryption is handled by the hardware. On older Intel Macs with T2 chips, same deal.
Save your recovery key somewhere safe. I keep mine in a password manager, not iCloud, but that's a personal preference.
If you want to verify it's on from Terminal:
fdesetup status
You should see "FileVault is On." If your Mac was bought new with macOS Ventura or later, it might already be enabled. We covered FileVault in depth here.
2. Keep macOS and Apps Updated
I know, this sounds obvious. But I've personally seen Macs running two major versions behind because someone hit "Remind Me Tomorrow" for six months straight. Apple patches critical security vulnerabilities in every update — Sequoia 15.3 alone fixed over 30 security issues.
Go to System Settings > General > Software Update and make sure automatic updates are on. Check all the boxes: download new updates, install macOS updates, install app updates, and install Security Responses and system files.
That last one — Security Responses — is relatively new. It lets Apple push small security patches without requiring a full OS update or restart. Leave it on.
For apps, update through the App Store and check individual apps regularly. Third-party apps installed outside the App Store don't auto-update through macOS — you need to update them manually or rely on their built-in updaters.
3. Enable the Firewall
Your Mac's built-in firewall is turned off by default, which surprises most people. Head to System Settings > Network > Firewall and flip it on.
Here's the honest caveat: the macOS firewall only blocks incoming connections, not outgoing. If malware is already on your machine and phoning home, the firewall won't stop it. But it does prevent unauthorized incoming connections, which matters a lot on public Wi-Fi or shared networks.
I'd also recommend turning on stealth mode. Click Options under the firewall toggle and enable "Enable stealth mode." This makes your Mac not respond to ping requests or connection attempts from closed ports — basically making it invisible on the network. To check the current setting from Terminal:
sudo /usr/libexec/ApplicationFirewall/socketfilterfw --getstealthmode
If it says "Stealth mode disabled," you can enable it with:
sudo /usr/libexec/ApplicationFirewall/socketfilterfw --setstealthmode on
To be fair, if you're always behind a home router with NAT, the firewall is less critical. But on any network you don't control, it's essential. Here's more on whether you should turn it on.
4. Audit Your Privacy Permissions
This is the one most people skip, and it's genuinely important. Over time, apps accumulate permissions you've forgotten about — camera access, microphone access, full disk access, screen recording. Some of these are incredibly powerful.
Go to System Settings > Privacy & Security and review each category:
- Camera and Microphone: Only apps that actively use your camera or mic should be here. If you see a PDF reader or a calculator with camera access, that's a red flag.
- Full Disk Access: This is one of the most powerful permissions. It gives an app access to your Mail, Messages, Safari data, and Time Machine backups. Be very selective.
- Accessibility: Apps with this permission can control your mouse, keyboard, and read screen content. Malware loves this permission.
- Screen Recording: Can see everything on your screen, including passwords as you type them.
- Input Monitoring: Can log your keystrokes.
I built CoreLock's permission audit feature after I discovered a note-taking app had microphone access on my personal Mac — I'd granted it for a voice memo feature I used once and completely forgot about.
Remove any permissions that don't make sense. The worst that happens is an app asks for permission again when it actually needs it.
5. Review Login Items and Background Apps
macOS Ventura and later split login items into two sections: Login Items (apps that launch at login) and Allow in the Background (processes that run silently). Both live in System Settings > General > Login Items.
Check what's there. You might find apps you uninstalled months ago still running background processes. This is also a common persistence mechanism for malware — a sketchy LaunchAgent that loads every time you start your Mac.
For a more thorough check, look in these directories:
ls ~/Library/LaunchAgents/
ls /Library/LaunchAgents/
ls /Library/LaunchDaemons/
If you see plist files you don't recognize, open them and check the ProgramArguments key to see what they're actually running. Legitimate software usually has obvious names (com.google.Chrome, com.apple.something). If you see random strings or paths to binaries in odd locations, investigate further. We have a deep dive on hidden processes here.
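The ProgramArguments check described above can be scripted. This is an added example, not code from the original article or from CoreLock; the function names, the heuristic lists and the sample plists are assumptions made for illustration.

```python
import plistlib

# Assumed heuristics: locations and launchers that installed software rarely uses.
ODD_LOCATIONS = ("/tmp/", "/private/tmp/", "/var/tmp/", "/Users/Shared/", "/Downloads/")
INTERPRETERS = {"sh", "bash", "zsh", "python3", "osascript"}

def audit_launch_item(plist_bytes):
    """Return (label, findings) for one LaunchAgent or LaunchDaemon plist."""
    item = plistlib.loads(plist_bytes)           # handles XML and binary plists
    label = item.get("Label", "<no label>")
    argv = list(item.get("ProgramArguments") or [])
    if item.get("Program"):                      # when set, Program is the binary that runs
        argv = [item["Program"]] + argv[1:]
    if not argv:
        return label, ["no Program or ProgramArguments"]
    findings = []
    exe = argv[0]
    if any(loc in arg for arg in argv for loc in ODD_LOCATIONS):
        findings.append("path in odd location")
    if any(part.startswith(".") for part in exe.split("/")):
        findings.append("hidden path component")
    if exe.rsplit("/", 1)[-1] in INTERPRETERS and len(argv) > 1:
        findings.append("launched through an interpreter")
    if findings and (item.get("RunAtLoad") or item.get("KeepAlive")):
        findings.append("starts automatically")
    return label, findings

# Constructed sample plists, serialized the way they would sit on disk.
SAMPLES = [plistlib.dumps(d) for d in (
    {"Label": "com.example.updater", "RunAtLoad": True,
     "ProgramArguments": ["/Applications/Example.app/Contents/MacOS/updater", "--check"]},
    {"Label": "com.xkqzt.agent", "RunAtLoad": True, "KeepAlive": True,
     "ProgramArguments": ["/Users/Shared/.cache/agentd"]},
    {"Label": "com.example.helper", "RunAtLoad": True,
     "ProgramArguments": ["/bin/sh", "-c", "/tmp/helper.sh"]},
)]

def audit_all(blobs):
    """Audit every plist; keep only the labels that produced findings."""
    results = dict(audit_launch_item(b) for b in blobs)
    return {label: f for label, f in results.items() if f}

if __name__ == "__main__":
    for label, findings in audit_all(SAMPLES).items():
        print(label, "->", ", ".join(findings))
```

On a Mac, pass it the bytes of each `.plist` file in the three directories listed above. A finding is a reason to open the file and look, not proof of malware.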
6. Use Strong, Unique Passwords with a Password Manager
Your Mac's login password should be strong — at least 12 characters, not something guessable. But more importantly, every online account should have a unique password.
macOS has a solid built-in option now: the Passwords app (introduced in Sequoia) or iCloud Keychain on older versions. It generates strong passwords, syncs across your Apple devices, and auto-fills in Safari and some third-party browsers.
If you're cross-platform or want more features, 1Password and Bitwarden are both excellent. Bitwarden is free and open-source.
The most common way Macs get "hacked" isn't through malware — it's through credential reuse. Someone's LinkedIn password leaks, and because they use the same password for everything, an attacker walks into their email, their bank, their iCloud.
7. Enable Two-Factor Authentication on Your Apple ID
If someone gets into your Apple ID, they can wipe your Mac remotely, access your iCloud Drive, read your messages, track your location. This is arguably more dangerous than malware.
Go to System Settings > [Your Name] > Sign-In & Security > Two-Factor Authentication. If it says it's already on, good. If not, turn it on immediately.
Use your phone number as the second factor at minimum. If you want to go further, hardware security keys (like YubiKey) work with Apple ID as of macOS Ventura.
8. Be Careful with What You Download
Gatekeeper — macOS's first line of defense against malicious software — blocks apps that aren't notarized by Apple. But it only kicks in when you first open an app. After that, it trusts it.
The most common way Mac malware gets installed is through user interaction: fake Flash Player updates, pirated software with bundled malware, or "your Mac is infected" popups in the browser.
Before installing anything, verify it:
spctl --assess --type execute -v /path/to/app.app
codesign -dv --verbose=4 /path/to/app.app
The spctl command checks if Gatekeeper would approve the app. The codesign command shows you who signed it. If an app isn't signed or notarized, think twice. Learn more about checking if apps are legitimate.
9. Lock Down Safari (or Your Browser)
Safari is the most secure browser on Mac because of its deep integration with macOS sandboxing. A few settings worth checking:
Go to Safari > Settings > Privacy:
- Turn on "Prevent cross-site tracking"
- Turn on "Hide IP address from trackers"
Go to Safari > Settings > Security:
- Make sure "Warn when visiting a fraudulent website" is on
Go to Safari > Settings > Extensions:
- Remove any extensions you don't actively use. Browser extensions are a common attack vector — they can read every page you visit, modify content, and exfiltrate data.
If you use Chrome or Firefox, the same principle applies: audit your extensions regularly and remove anything unnecessary.
10. Secure Your Network Settings
A few network-level changes that take 30 seconds:
Change your DNS to a privacy-focused provider. Your ISP can see every domain you visit through DNS. Go to System Settings > Network > Wi-Fi > Details > DNS and change it to:
- Cloudflare: 1.1.1.1 and 1.0.0.1
- Quad9: 9.9.9.9 and 149.112.112.112
Both are faster than most ISP DNS and block known malicious domains. More on DNS privacy settings here.
Disable sharing services you don't use. Go to System Settings > General > Sharing and turn off anything you don't actively need: File Sharing, Screen Sharing, Remote Login (SSH), Remote Management. Each one is a potential entry point if not properly secured.
11. Set Up Time Machine Backups
This isn't technically a security hardening step, but it's the single best protection against ransomware and data loss. If your Mac gets compromised, a clean Time Machine backup lets you restore to a known-good state.
Plug in an external drive, go to System Settings > General > Time Machine, and set it up. It's genuinely that simple.
One tip: if you're worried about ransomware encrypting your backup drive too, disconnect the Time Machine drive when not actively backing up, or use a network-attached Time Machine destination. Ransomware can't encrypt a drive that isn't mounted.
For the truly paranoid (I say that with respect), keep a second backup in a different physical location. One at home, one at the office, or use a cloud backup service as a secondary.
12. Monitor What's Actually Happening on Your Mac
All the hardening in the world doesn't help if you never check what's going on. Make it a habit to occasionally open Activity Monitor (Applications > Utilities > Activity Monitor) and look at:
- CPU tab: Sort by CPU usage. Anything consistently using high CPU that you don't recognize deserves investigation. Cryptominers love hiding here.
- Network tab: Sort by "Sent Bytes" or "Rcvd Bytes." If an unfamiliar process is sending a lot of data, that's worth checking.
From Terminal, you can see network connections:
lsof -i -P | head -30
This shows every process with an active network connection. If you see connections to IPs you don't recognize, look them up.
This is actually one of the things I built CoreLock to handle — continuously monitoring processes, network connections, and permissions so you don't have to manually check Activity Monitor every week. But even without any tools, spending five minutes in Activity Monitor every couple of weeks teaches you what "normal" looks like on your machine. And knowing normal is half the battle when something abnormal shows up. Here's our guide on finding suspicious processes.
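To turn the lsof listing above into a short list of addresses worth looking up, the output can be grouped by process. This is an added example, not code from the original article or from CoreLock; it assumes the command is run with `-n` added so addresses are not resolved to hostnames, and the sample output and function names are constructed for illustration.

```python
import ipaddress

# Constructed sample of `lsof -i -P -n` output; remote peers use documentation ranges.
SAMPLE = """\
COMMAND    PID USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
rapportd   412 alex    8u  IPv4   0xa1      0t0  TCP *:49152 (LISTEN)
Google     733 alex   24u  IPv4   0xa2      0t0  TCP 192.168.1.20:52344->203.0.113.10:443 (ESTABLISHED)
Google     733 alex   25u  IPv4   0xa3      0t0  TCP 192.168.1.20:52345->203.0.113.10:443 (ESTABLISHED)
node      1201 alex   31u  IPv6   0xa4      0t0  TCP [::1]:3000 (LISTEN)
agentd    1350 alex    5u  IPv4   0xa5      0t0  TCP 192.168.1.20:52400->198.51.100.7:8443 (ESTABLISHED)
mDNSRespo  201 root   12u  IPv4   0xa6      0t0  UDP *:5353
"""

# Loopback, link-local and private ranges: peers on this machine or the local network.
LOCAL_NETS = [ipaddress.ip_network(n) for n in (
    "127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "169.254.0.0/16", "::1/128", "fe80::/10", "fc00::/7")]

def is_external(host):
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return host != "localhost"       # resolved hostname: keep it for review
    return not any(ip in net for net in LOCAL_NETS)

def rows(lsof_text):
    """Yield (process, protocol, name, last column) for each socket line."""
    for line in lsof_text.splitlines():
        cols = line.split()
        if len(cols) >= 9 and cols[0] != "COMMAND":
            yield f"{cols[0]}[{cols[1]}]", cols[7], cols[8], cols[-1]

def external_peers(lsof_text):
    """Map process -> sorted remote endpoints outside the local ranges."""
    peers = {}
    for proc, _, name, _ in rows(lsof_text):
        if "->" in name:
            host, _, port = name.split("->", 1)[1].rpartition(":")
            if is_external(host.strip("[]")):
                peers.setdefault(proc, set()).add(f"{host}:{port}")
    return {proc: sorted(eps) for proc, eps in peers.items()}

def wildcard_listeners(lsof_text):
    """TCP sockets listening on every interface, not just loopback."""
    return [f"{proc} {name}" for proc, proto, name, last in rows(lsof_text)
            if proto == "TCP" and last == "(LISTEN)" and name.startswith("*:")]

if __name__ == "__main__":
    print(external_peers(SAMPLE), wildcard_listeners(SAMPLE))
```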
What About Antivirus Software?
I'm honestly a bit biased here, since I build security software. But my genuine opinion: most Mac users don't need traditional antivirus. What they need is visibility — understanding what's running, what has permissions, and what's communicating over the network.
macOS already has XProtect (signature-based malware scanning), Gatekeeper (app verification), and XProtect Remediator (automatic malware removal). These cover the basics. We wrote a full breakdown of whether Macs need antivirus in 2026.
Where third-party tools help is in the gaps: behavioral analysis (detecting threats by what they do, not what they look like), privacy auditing, and real-time monitoring. If you want that layer, CoreLock's free tier gives you 3 scans per day, which is enough for most people. You can also check which apps have camera access directly from the privacy audit.
The 5-Minute Version
If you're skimming and just want the highest-impact steps:
- Turn on FileVault (System Settings > Privacy & Security > FileVault)
- Turn on the firewall (System Settings > Network > Firewall)
- Review privacy permissions (System Settings > Privacy & Security)
- Check login items (System Settings > General > Login Items)
- Enable automatic updates (System Settings > General > Software Update)
Those five changes, done in five minutes, cover 80% of what matters. The rest is good practice but less critical.
Your Mac is already a reasonably secure machine out of the box. Apple gets a lot right at the system level — SIP, Gatekeeper, the Secure Enclave, hardware-enforced kernel integrity. The gaps are at the application layer: what apps you install, what permissions you grant, and whether you're paying attention to what's happening under the hood. Close those gaps, and you're ahead of 95% of Mac users.