By William Harris · Last reviewed
How to Secure Your MetaTrader 5 Trading Account
What you'll need
- Password manager (Bitwarden, 1Password, KeePass)
- 2FA authenticator app (Aegis, Authy, Google Authenticator)
- Broker portal credentials
Step-by-step instructions
Step 1: Understand MT5's three-password model
MT5 accounts have three independent credentials, each with a different scope. Getting these right is the foundation of account security.
1. Master password — full account control. Place orders, modify orders, change other passwords, configure account settings. Anyone with this can also (on most brokers) initiate withdrawals to the registered bank account. Treat it as equivalent to your bank login.
2. Investor password — read-only access. View positions, view history, view account balance, but cannot place or modify orders. Used by monitoring tools and demo platforms, and shared with people you want to show your performance to.
3. Trading account login (the 8-digit number) — public identifier. Visible on every trade ticket. Not a secret.
Many users only set the master password and never generate an investor password. This is a mistake — you'll inevitably need to share read-only access with a third party (signal aggregator, performance tracker, broker support staff), and without an investor password your only option is sharing the master, which gives them withdrawal authority.
Step 2: Set a strong master password
Brokers require master passwords to meet a minimum strength (usually 8+ characters with at least one digit and one uppercase). The minimum is not enough — set 16+ characters of random output from a password manager.
Generate in your password manager: Bitwarden / 1Password / KeePass all have password generators. Use uppercase + lowercase + digits + symbols, 16+ chars, no dictionary words. Example: `Xj9$mK2vL@pR8nQ4`.
Store in the password manager. Never type it into anything except: (1) the official MT5 terminal login dialog, (2) the broker's official portal at the broker's official domain (verify the URL — phishing fake-broker domains are common). If a third-party 'EA support' service or 'signal copier' asks for the master password, the answer is always no.
If you suspect the master is compromised, change it immediately from the broker portal and review recent trade history for unauthorised activity.
Step 3: Generate and use a separate investor password
Brokers require explicit activation of investor passwords — they default to off. In your broker's portal, find 'MT5 Account Settings' → 'Set Investor Password'. Generate a different 16+ char random password and save it in your password manager.
Now you have a credential to share with anyone who needs view-only access to the account. Common uses:
• Myfxbook / FxBlue / FX Stat tracking — these services connect to MT5 in read-only mode using investor credentials and publish your equity curve. Investor password is exactly what they require; they should never need the master.
• MAM / PAMM aggregators — if you're an investor in a managed account, the manager shares the investor password with you so you can verify trades.
• Broker support — when filing a dispute, broker support sometimes asks for investor access to investigate. They should never need the master.
If any of these services ask for the master password instead, walk away. The investor password exists for a reason; legitimate services use it.
Step 4: Enable 2FA on the broker portal
MT5 itself doesn't support 2FA at the trading account level (architectural limitation — EAs need to log in without human interaction). But the broker's web portal — where you withdraw funds, change passwords, view documents — does support 2FA on every reputable broker.
Enable 2FA via the broker portal's Security or Profile settings. Choose Authenticator app (TOTP) rather than SMS — SIM swap attacks are common and SMS-based 2FA is effectively no 2FA against a targeted attacker.
Authenticator apps to consider:
• Aegis (Android, open source, encrypted backup) — preferred for privacy-conscious users.
• Authy (cross-platform, cloud sync) — best for users who lose phones often.
• Google Authenticator (cross-platform, no cloud sync by default) — fine for solo users with a single device.
• 1Password / Bitwarden built-in TOTP — convenient if your password manager already lives there.
Back up the TOTP seed. Most authenticator apps let you export the seed as a QR code; print it and store in a safe. If your phone is lost or destroyed without a backup, you'll need to email broker support with ID verification to regain access — usually 3–7 days of downtime.
Step 5: Restrict account login by IP (if supported)
Some brokers (IC Markets, Pepperstone, FxPro, Tickmill among others) support IP allowlisting on MT5 trading accounts. Login attempts from any IP not on the allowlist are rejected at the broker's edge, before the password is even checked.
The right allowlist for a typical setup: your VPS IP (where MT5 runs 24/5) and your home IP (for occasional manual checks). Both are static or near-static; ISP IP changes happen every few months at most for residential connections.
To enable: broker portal → Trading Account → Security or IP Access → Add allowed IP. Some brokers require you to verify each IP via email confirmation. Test from your phone (4G) to confirm the allowlist actually blocks unlisted IPs.
The downside: if your home ISP changes your IP unexpectedly (rare but possible), you'll be locked out from the broker until you log in to the portal from an allowlisted source (your VPS) to update the list. Plan for this — keep an emergency RDP path to the VPS that doesn't depend on your home IP.
Step 6: Audit MQL5 Signals subscriptions
MT5 has a built-in copy-trading feature where you can subscribe to MQL5 Signals — other traders' EAs whose trades automatically copy to your account. If someone gains access to your terminal, they can subscribe your account to a malicious signal that intentionally trades against you to drain the balance.
Review existing subscriptions: MT5 → Toolbox → Signals tab → 'Subscriptions'. You should see only signals you knowingly subscribed to. Any entries you don't recognise are suspect — investigate before assuming they're legitimate.
If you don't use signal copying at all, disable the feature entirely: Tools → Options → Community → uncheck 'Allow algorithmic copying from MQL5 Signals'. Resubscribing requires re-checking this box, so accidental copying after a compromise is impossible.
Also disable 'Allow modification of Signal Settings' on per-EA basis if you don't use signals — this prevents an EA from auto-subscribing your account to a signal as part of its initialisation routine.
Step 7: Monitor active sessions and revoke unknown ones
MT5 broker portals list active sessions: which IPs are currently logged in, what device, when the session started. Review monthly. Sessions you don't recognise should be force-logged-out from the portal, followed by an immediate master password change.
The specific UI varies by broker but is usually under 'Security' → 'Active Sessions' or 'Login History'. You'll see entries like 'Web Portal, 192.168.x.x, Chrome on Windows, Login 2026-05-15 14:32'.
Also review the broker's 'Login attempts' or 'Audit Log' once per quarter. Repeated failed logins from random IPs are normal background noise (every public IP gets brute-forced). Successful logins you didn't make are not normal and require immediate investigation.
Enable email notifications for new login from unknown device. Most brokers offer this in Security settings; turn it on. The friction of getting an email for every laptop you log in from is much smaller than the cost of missing a real compromise.
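The quarterly review in this step, combined with the VPS and home addresses from Step 5, can be scripted. The following is an added example, not part of the original guide or any broker's tooling: it separates failed-login noise from successful logins that came from outside your known addresses. The CSV columns, the sample rows and the IP ranges are constructed (broker exports differ), and rows are assumed to be in chronological order.

```python
import csv
import io
import ipaddress
from collections import Counter

# Constructed allowlist: the VPS address and the home ISP range.
KNOWN_NETWORKS = ["203.0.113.10/32", "198.51.100.0/24"]

# Constructed login-history export; real broker exports use their own columns.
SAMPLE_LOG = """timestamp,channel,ip,device,result
2026-05-15 14:32,Web Portal,198.51.100.23,Chrome on Windows,success
2026-05-15 14:40,MT5 Terminal,203.0.113.10,MT5 Desktop,success
2026-05-16 03:11,Web Portal,192.0.2.77,Firefox on Linux,failed
2026-05-16 03:12,Web Portal,192.0.2.77,Firefox on Linux,failed
2026-05-16 03:13,Web Portal,192.0.2.77,Firefox on Linux,success
2026-05-16 09:02,Web Portal,192.0.2.150,Unknown,failed
2026-05-17 02:05,Web Portal,192.0.2.200,Chrome on Android,success
"""

def audit_logins(log_text, known_networks):
    """Return (unrecognised successful logins, failed-attempt counts per IP)."""
    nets = [ipaddress.ip_network(n) for n in known_networks]
    failed = Counter()
    flagged = []
    for row in csv.DictReader(io.StringIO(log_text)):
        ip = ipaddress.ip_address(row["ip"].strip())
        if row["result"].strip().lower() != "success":
            failed[str(ip)] += 1       # background noise unless a success follows
            continue
        if any(ip in net for net in nets):
            continue                   # expected: VPS or home connection
        flagged.append({
            "timestamp": row["timestamp"],
            "ip": str(ip),
            "device": row["device"],
            # Failures from the same IP before this success point to a guessed
            # or reused credential rather than a device of your own.
            "prior_failures": failed[str(ip)],
        })
    return flagged, failed

if __name__ == "__main__":
    flagged, failed = audit_logins(SAMPLE_LOG, KNOWN_NETWORKS)
    for entry in flagged:
        print("INVESTIGATE", entry)
    print("failed attempts per IP:", dict(failed))
```

Every flagged entry calls for the response this step describes: force the session out from the portal, then change the master password.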
Common mistakes to avoid
- ✗ Using the same password for the broker portal and the MT5 master. Fix: Different credentials for different systems. A compromise of the broker portal should not also let the attacker move funds via MT5.
- ✗ Sharing the master password with a third-party 'signal service'. Fix: Investor password gives read-only access; the master gives withdrawal authority. Never share the master with anyone.
- ✗ SMS-based 2FA instead of TOTP authenticator. Fix: SIM swap attacks make SMS 2FA worse than no 2FA against targeted attackers. Use Aegis/Authy/Google Authenticator.
- ✗ Not backing up the 2FA TOTP seed. Fix: Lost phone without backup = 3–7 days locked out + ID verification email. Print or photograph the seed QR on enrollment.
- ✗ Leaving MT5's investor password unset. Fix: You will inevitably want to share read-only access. Set the investor password proactively so you never have to share the master.
- ✗ Ignoring 'new device login' emails. Fix: Read every one. The 5 seconds to verify saves you from 5 weeks of disputed-trade recovery if a compromise occurred.
Frequently asked questions
My broker doesn't offer 2FA. Should I switch?
There is no MT5-level 2FA because the EA architecture requires unattended login. But the broker portal — where withdrawals happen — must offer 2FA. If yours doesn't, the worst case is: someone gets your portal password, requests withdrawal to their bank account, and the broker processes it before you notice. The only protection is having 2FA on the withdrawal step. No 2FA = full account drain possible from a phished portal password.
How are MT5 passwords actually attacked in practice?
The defenses map cleanly to the attacks: (1) only ever type your password into the official broker domain — verify the URL — to defeat phishing. (2) Use a unique, randomly-generated password per service, stored in a password manager, to defeat credential stuffing. (3) Run AV on the trading machine, keep Windows updated, don't install random EAs from unknown sources, to defeat malware. (4) Trust the broker's rate-limiting to defeat brute-force.
MT5 'Save account information' is convenient. Is it safe?
On a dedicated VPS that only you access (with strong Windows credentials and 2FA-protected RDP), saving the MT5 password is a reasonable convenience. The alternative — typing it in every reconnect — leads to password-on-Post-It anti-patterns. On a shared machine (lab computer, friend's PC, internet cafe) never save credentials.
What do I do if I think my account has been compromised?
Speed matters. The longer a compromise goes unaddressed, the more time the attacker has to drain funds or accumulate losses on bad trades. Most regulated brokers have a fraud team that responds within 24 hours to compromise reports — use them. Document everything: timestamps of suspicious activity, IP addresses of unrecognised logins, screenshots of unauthorised trades. The documentation is what gets you reimbursed if the compromise traces back to a broker-side failure.
Is it safe to install MT5 on my phone?
Enable iCloud/Google Find-My-Phone with remote-wipe capability before installing MT5 mobile. Use a 6+ digit PIN with biometric secondary. Disable lock-screen notifications for the MT5 app so trade alerts don't leak position information on a locked screen. With these precautions, mobile MT5 is comparable to mobile banking apps in security profile.
Account secured — now monitor performance
Reading MT5's trading statistics correctly is essential to know whether your EA is actually working. The key metrics: Profit Factor, Sharpe Ratio, Recovery Factor, Max Drawdown.

William Harris
Founder and lead developer of FxRobotEasy
Chicago, USA · since 2021
- 12+ years live trading
- 10+ years MQL5 / MQL4
- 3 live-verified Expert Advisors
- Founded in 2021
“I've been building things with code since middle school. I've been trading since university. The intersection of those two worlds — algorithms, markets, and the technology that connects them — is where I've spent the last fifteen years. FxRobotEasy is what happens when you refuse to stop until what you imagined actually works on a live broker account.”