If you use Chrome daily, do these 9 settings right now (it takes 10 minutes).

If you set up Chrome once, properly, you stop most common browser problems before they start: phishing, scam popups, notification spam, sketchy extensions, and the classic “my search engine keeps changing” hijacker mess.

This guide is built so a complete beginner can follow it end-to-end. Every change includes exact clicks and where to find the setting. When an option is a tradeoff (privacy vs convenience), I’ll tell you what to pick and why.

What You’re Protecting Against​

Chrome is usually not “hacked” in the Hollywood sense. Most real-world browser takeovers happen through:

• Bad extensions that can read what you see and type.
• Browser hijackers that change your search, homepage, or notifications.
• Phishing pages that look like Microsoft, Google, Apple, banks, delivery companies.
• Scareware pages that scream “Virus detected” and try to get you to call a number.

Hardening Chrome means reducing permissions, reducing attack surface, and improving recovery so you can get back to clean fast.

Before You Start (2 Minutes)​

1) Update Chrome​

You want the newest security fixes.

1. Open Chrome.
2. Click the three dots (top-right).
3. Click Help.
4. Click About Google Chrome.
5. Chrome will check for updates automatically.
6. If it updates, click Relaunch.

This is the single most important step.

2) Decide if you will use Chrome’s built-in password manager​

You have two good choices:

• Use Google Password Manager inside Chrome.
• Use a dedicated password manager extension like Bitwarden or 1Password.

Do not run two systems at once if you can avoid it. It creates confusion and weak habits.

Chrome includes password checkup tools inside Google Password Manager.

Step 1: Run Chrome’s Safety Check​

Safety Check is Chrome’s built-in “health scan.” It can warn about risky extensions, update status, and password safety.

How to run Safety Check (Desktop)​

1. Click three dots (top-right).
2. Click Settings.
3. Click Privacy and security (left side).
4. Find Safety Check.
5. Click Go to Safety Check (or Check now, depending on your version).

What to do with the results​

• Update available: update and relaunch immediately.
• Passwords compromised: change those passwords first (start with email).
• Extensions flagged: remove them unless you are 100% sure you need them.

Step 2: Turn On Stronger Phishing and Malware Protection (Safe Browsing)​

Safe Browsing helps block malicious sites and phishing pages. Chrome lets you choose the protection level, including Enhanced protection.

How to set Safe Browsing (Desktop)​

1. Click three dots.
2. Click Settings.
3. Click Privacy and security.
4. Click Security.
5. Find Safe Browsing.
6. Choose:
   • Enhanced protection (recommended for most people)
   • Standard protection (fine, but less protective)
   • Avoid No protection unless you have a special reason

Google also supports managing Enhanced Safe Browsing at the account level in some cases.

Step 3: Force HTTPS Whenever Possible (Always Use Secure Connections)​

HTTPS encrypts your connection. Chrome has an option called Always use secure connections that warns you before using insecure HTTP when possible.

How to enable it (Desktop)​

1. Click three dots.
2. Click Settings.
3. Click Privacy and security.
4. Click Security.
5. Scroll until you see Always use secure connections.
6. Turn it On.

Google has announced plans to push HTTPS-by-default more broadly over time, tied to this setting.

Step 4: Enable Secure DNS (DNS over HTTPS)​

DNS is how your device looks up website addresses. Secure DNS (DoH) helps prevent some network-level tampering and reduces snooping on certain networks.

How to enable Secure DNS (Desktop)​

1. Click three dots.
2. Click Settings.
3. Click Privacy and security.
4. Click Security.
5. Scroll to Use secure DNS.
6. Turn it On.
7. Choose either:
   • With your current service provider
   • Or pick a provider from the list (if offered)

Chrome’s Secure DNS setting is documented in guides and browser configuration references.

If you see “disabled by your organization,” your device may be managed or a policy may be set. In that case, do not fight it blindly. Investigate what is managing the browser first.

Step 5: Lock Down the Most Abused Permissions​

Most “browser infections” are really permission abuse.

Chrome lets you control permissions globally and per-site from Site settings.

How to open Site settings​

1. Click three dots.
2. Click Settings.
3. Click Privacy and security.
4. Click Site settings.

Now go through the following items.

5A) Notifications (Very important)​

Notification spam is a top cause of scam popups.

Best beginner choice​

• Set notifications to Don’t allow sites to send notifications (strict), or
• Allow only a tiny whitelist (more flexible)

How to manage notifications​

1. Settings → Privacy and security → Site settings → Notifications.
2. Choose your default behavior.
3. Remove anything suspicious from Allowed.

Google’s official steps for managing notifications are here.

Tip: If you only do one permission fix, do notifications first.

5B) Pop-ups and redirects​

Popups are often used for scams, fake download buttons, and abusive loops.

1. Site settings → Pop-ups and redirects.
2. Set to Blocked (recommended).
3. Add exceptions only if needed (some payment flows, some enterprise apps).

5C) Camera and microphone​

Most people should set the default to “blocked” and allow only trusted sites (Zoom, Google Meet, Teams, etc.).

1. Site settings → Camera.
2. Set default to Don’t allow.
3. Repeat for Microphone.

Google documents camera and microphone permission management.

5D) Location​

Location is rarely required.

1. Site settings → Location.
2. Set default to Don’t allow.
3. Add exceptions only for services you truly use (maps, delivery tracking).

---

Step 6: Block Third-Party Cookies (With Exceptions When Needed)​

Third-party cookies are mostly used for cross-site tracking. Blocking them improves privacy and can reduce some ad-tech abuse.

How to block third-party cookies​

1. Click three dots → Settings.
2. Go to Privacy and security.
3. Click Third-party cookies.
4. Select Block third-party cookies.
5. If a site breaks (usually sign-in or embedded content), add that site as an exception.

Google documents these options and the exact menu path.

Step 7: Harden Passwords and Autofill​

Passwords are still the main way accounts get stolen.

7A) Run Password Checkup in Google Password Manager​

1. Click three dots.
2. Click Passwords and autofill.
3. Click Google Password Manager.
4. Click Checkup.
5. Fix anything marked as:
   • compromised
   • reused
   • weak

7B) Decide what Chrome should autofill​

Autofill is convenient, but it can be risky on the wrong pages.

Good beginner settings:

• Keep autofill enabled for addresses and payment info only if you trust your device and your Windows account is protected.
• Be cautious with saving cards if multiple people use the computer.

If you use Bitwarden or 1Password, you can reduce reliance on Chrome’s built-in password storage and let the password manager handle it.

Step 8: Extensions (The Safe Way)​

Extensions are where most browser compromises happen. Even “popular” extensions can be sold, updated maliciously, or copied by fakes.

Extension rules that keep you safe​

• Install as few as possible.
• Prefer well-known publishers.
• Avoid “coupon,” “search enhancer,” “PDF converter,” “video downloader” add-ons unless you deeply trust the vendor.
• Review extension permissions after installation.
• Remove anything you do not actively use.

How to see and manage extensions​

1. Click the puzzle piece icon (Extensions) near the address bar, or
2. Type this into the address bar and press Enter:
   • chrome://extensions

From there you can:

• Toggle off an extension
• Remove it
• Click Details to see permissions

Recommended Extensions (With Links)​

Pick only what you actually need. You usually want:

• 1 content blocker
• 1 password manager (if not using Google Password Manager)
• 0 to 1 extra protection tool

Do not stack multiple ad blockers.

Here are reputable options:

Content blocking (choose ONE)
uBlock Origin Lite (MV3): uBlock Origin Lite - Chrome Web Store
AdGuard AdBlocker: AdGuard AdBlocker - Chrome Web Store

Privacy
Privacy Badger (EFF): Privacy Badger - Chrome Web Store

Password managers (choose ONE)
Bitwarden: Bitwarden Password Manager - Chrome Web Store
1Password: 1Password – Password Manager - Chrome Web Store

Extra browser protection
Malwarebytes Browser Guard: Malwarebytes Browser Guard - Chrome Web Store

How to install an extension safely​

1. Open the extension link (from the list above).
2. Confirm the publisher name looks correct.
3. Click Add to Chrome.
4. Click Add extension.
5. Immediately after installing, click Details and review permissions.

One setting you should change after installing some extensions​

Many extensions default to “On all sites,” which is too broad.

If the extension supports it, set access to:

• On specific sites
• Or On click

This limits damage if the extension ever misbehaves.

Step 9: The “My Browser Is Hijacked” Emergency Fix​

If your search engine keeps changing, or you get redirects, or Chrome feels “possessed,” do this in order.

9A) Remove notification permissions first​

Follow the Notifications steps above and remove anything suspicious.

9B) Remove suspicious extensions​

1. Open chrome://extensions
2. Remove anything you do not recognize
3. Restart Chrome

9C) Reset Chrome settings (fast recovery)​

Google’s official reset steps:

1. Click three dots → Settings.
2. Click Reset settings.
3. Click Restore settings to their original defaults.
4. Click Reset settings.

This resets many hijacked settings without being a full wipe.

If problems return after reset, something on the computer is reinstalling the hijack. At that point, check installed apps in Windows and scan for unwanted software.

A Simple Maintenance Routine (So You Stay Hardened)​

Once a month (3 minutes)​

1. Run Safety Check.
2. Review extensions and remove anything unused.
3. Check notification permissions.
4. Run Password Checkup and fix reuse.

When something feels off​

• Remove notification permissions
• Audit extensions
• Reset Chrome settings

FAQ​

What is the best “one setting” to harden Chrome right now?​

Turn on Enhanced Safe Browsing and block or tightly control site notifications. Enhanced Safe Browsing helps catch more phishing and malicious pages, and notification spam is one of the most common ways scammers keep popping up on people’s screens.

Why do I keep getting “virus” popups in Chrome?​

In most cases, it’s not a virus. It’s one of these:

• You allowed notifications from a shady site.
• You installed a bad extension.
• A site is using aggressive scareware tricks (full screen, loud sounds, fake alerts).

Fix it by removing notification permissions, uninstalling suspicious extensions, and resetting Chrome settings if needed.

How do I see which sites are allowed to send notifications?​

Chrome:

1. Three dots → Settings
2. Privacy and security
3. Site settings
4. Notifications
5. Under Allowed, remove anything you don’t fully trust.

What’s the safest way to install extensions?​

Only install extensions from the Chrome Web Store, and still verify:

• The publisher name
• The number of users and reviews (not perfect, but useful)
• The permissions it requests

If an extension wants “Read and change all your data on all websites,” it needs a very good reason.

How many extensions should I have?​

As few as possible. A good target for most people:

• 1 content blocker
• 1 password manager (if you don’t use Google Password Manager)
• 0–1 extra security/privacy extension

If you have 10+ extensions, the chance of conflicts and risk goes up fast.

Do I need an antivirus extension in Chrome?​

Usually no. Chrome’s own protections plus Smart browsing habits cover a lot. If you want extra web filtering, pick one reputable tool and keep your extension list minimal.

Why did my ad blocker stop working or get weaker on Chrome?​

Chrome has been moving extensions to newer rules that can limit how some blockers work compared to older versions. If a blocker changes or becomes “Lite,” that’s often why. Use one reputable blocker, keep it updated, and avoid stacking multiple blockers.

Is Incognito mode more secure?​

Incognito is mainly about local privacy. It reduces saved history and cookies on your device, but it does not:

• Make you anonymous online
• Block malware
• Prevent your ISP, employer, or the websites themselves from tracking you

It’s useful for temporary sessions, not as a security shield.

Should I block third-party cookies?​

For most users, yes. It reduces cross-site tracking and can cut down on ad-tech abuse. If a site breaks, add an exception for that specific site rather than turning cookies back on globally.

Will “Reset settings” delete my bookmarks and passwords?​

A Chrome reset is designed to restore many settings (search, startup, new tab behavior) and disable extensions. It typically does not delete bookmarks, but you should still make sure you can sign back into your Google account and access your passwords before doing any major cleanup.

My search engine keeps changing back. Why?​

That usually means persistence. Common causes:

• A malicious extension
• An unwanted program installed on Windows
• A browser policy set by adware or “managed by organization” settings

Remove the extension, uninstall suspicious programs, then reset Chrome. If it still returns, you likely need a deeper system cleanup.

How do I know if an extension is malicious?​

Red flags include:

• It was installed without you remembering
• It suddenly changed name or icon
• It forces a search engine or new tab page
• It demands broad permissions it doesn’t need
• Reviews mention redirects, ads, or data collection
• It was “recently updated” and problems started right after

When in doubt, remove it. You can always reinstall later.

Do I need Secure DNS (DNS over HTTPS)?​

It’s a good upgrade for many people, especially on public WiFi. It can reduce network-level snooping and some tampering. If your workplace or ISP setup is strict, it may be managed or disabled, and that’s normal.

What’s the safest way to stop fake “Microsoft Support” or “Apple Security” browser alerts?​

Do this:

1. Close the tab (or the browser if it’s stuck)
2. Remove notification permissions for unknown sites
3. Remove suspicious extensions
4. Run Chrome Safety Check
5. Reset Chrome settings if the problem persists

How often should I do maintenance?​

A simple routine works best:

• Monthly: Safety Check + extension audit + notification review
• Anytime something feels off: remove notifications + remove suspicious extensions immediately

I hardened Chrome but some sites broke. What should I do?​

Most breakage is caused by:

• Blocking third-party cookies
• Strict tracker blocking
• Aggressive content blocking

Fix it by adding exceptions for the specific site that needs it, instead of turning protections off globally.