Crypto Bot Security Checklist: 15 Steps Before You Start Trading

Sentinel Team · 2026-03-10

Automated crypto trading amplifies your reach, but it also amplifies your risk if security is not locked down first. Every year, traders lose millions to compromised API keys, phishing attacks, and misconfigured bot settings. The difference between a secure setup and a vulnerable one often comes down to a handful of configuration steps that take less than 30 minutes.

This checklist covers every security measure you should implement before connecting a trading bot to your exchange account. Print it out, bookmark it, or save it to your notes. Go through every item before your bot places its first trade.

Exchange Account Security (Steps 1-5)

These steps secure your exchange account itself, independent of any trading bot.

Step 1: Enable Hardware 2FA

Priority: Critical

Enable two-factor authentication on your exchange account. Prefer a hardware security key (for example a YubiKey) over an authenticator app such as Google Authenticator, and an authenticator app over SMS. A FIDO2/WebAuthn hardware key binds the login to the exchange's real domain, so a look-alike phishing site cannot reuse it; SMS-based 2FA is vulnerable to SIM-swap attacks.

Verification: Log out of your exchange and log back in from a private browser window. You should be prompted for 2FA during login. If you are not, the exchange has remembered the device; review the trusted devices list in your security settings.

Applies to: Binance, Bybit, OKX, and all major exchanges.

Step 2: Set an Anti-Phishing Code

Priority: High

Most major exchanges (Binance, OKX, Bybit) allow you to set an anti-phishing code. This is a custom word or phrase that appears in all legitimate emails from the exchange. If you receive an email without your anti-phishing code, it is a phishing attempt. The code only authenticates email; it does nothing for the login page itself, so still type the exchange URL yourself or use a bookmark rather than clicking links in any message.

Verification: Check your most recent email from the exchange. Your anti-phishing code should be visible.

Step 3: Enable Withdrawal Address Whitelist

Priority: Critical

Enable the withdrawal address whitelist feature on your exchange. When enabled, funds can only be withdrawn to pre-approved wallet addresses. An attacker who gains access to your account cannot send funds to their own address without first adding it to the whitelist, which typically requires 2FA confirmation and then a waiting period.

Most exchanges impose a waiting period (commonly 24 hours or longer) before a newly added address can be used, and many apply a similar withdrawal freeze when the whitelist is turned off. That delay is your window to notice the change and respond (see Step 15).

Verification: Attempt to withdraw to a non-whitelisted address. The exchange should reject the request.

Step 4: Disable Unnecessary Account Features

Priority: Medium

Walk through your account settings and disable every feature you do not use, for example trading products you never touch (margin, futures, options), fiat payment methods, sub-accounts, and third-party app connections.

Each disabled feature reduces your attack surface. A compromised account with fewer enabled features is harder to exploit.

Step 5: Review Login History

Priority: Medium

Check your exchange's login history and active sessions regularly. Look for logins from locations, devices or IP ranges you do not recognize, logins at times you were not active, and sessions you did not open.

Terminate any suspicious sessions immediately and change your password if you see unauthorized access.

API Key Security (Steps 6-10)

These steps secure the API keys that your trading bot uses to interact with your exchange. For detailed API key setup instructions, see our API key security guide.

Step 6: Create Dedicated Bot API Keys

Priority: Critical

Create a separate API key specifically for your trading bot. Do not reuse keys across multiple platforms. Do not use your "main" key for bot access.

Naming convention: Use descriptive labels like "Sentinel Bot - BTC/USDT - Trade Only" so you can identify each key's purpose at a glance.

Verification: Go to your exchange's API management page. Each active bot should have its own uniquely labeled API key.

Step 7: Set Trade-Only Permissions (No Withdrawals)

Priority: Critical

Configure your bot's API key with the minimum necessary permissions: enable reading account data and the trading products the bot actually uses (spot, or futures if required), and leave withdrawals, internal transfers, and sub-account management disabled. If the exchange lets you restrict a key to specific trading pairs, do that too.

This single step prevents the worst-case scenario: even if your API key is completely compromised, an attacker cannot withdraw your funds. It does not stop every loss. A trade-only key can still be abused to buy illiquid coins at inflated prices from an attacker's own sell orders, so keep the IP restriction in Step 8 and the monitoring in Step 14 in place as well.

Verification: In your exchange's API management page, confirm the withdrawal permission is off. Then attempt a withdrawal using the key (via the exchange's API documentation console or a small test script). It must be rejected with a permissions error, not with a validation error about the withdrawal parameters.
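A test script for this check, added here as an example rather than code from Sentinel Bot. It assumes Binance-style request signing (HMAC-SHA256 over the query string, key sent in the X-MBX-APIKEY header), the endpoint paths shown, the environment variable names BOT_API_KEY and BOT_API_SECRET, and Binance's convention of answering a permission or IP failure with HTTP 401 and error code -2015 before validating request parameters; other exchanges use different paths and codes. Run it only against a key that is meant to be trade-only and from the IP you whitelisted in Step 8, since an un-whitelisted IP also produces -2015 and would make the withdraw check look like a pass:

```python
"""Check that a bot API key cannot withdraw (Step 7 verification).

Added example, not Sentinel Bot code. Assumes Binance-style request signing
(HMAC-SHA256 over the query string, key sent in the X-MBX-APIKEY header), the
endpoint paths below, and the BOT_API_KEY / BOT_API_SECRET variable names.
Credentials come from the environment so they never touch a file or argv.
"""
import hashlib
import hmac
import json
import os
import sys
import time
import urllib.parse
import urllib.request
from urllib.error import HTTPError

BASE_URL = "https://api.binance.com"                # assumption: spot REST host
ACCOUNT_PATH = "/api/v3/account"                    # read-only call, should succeed
WITHDRAW_PATH = "/sapi/v1/capital/withdraw/apply"   # must be rejected for a bot key


def sign_query(secret: str, params: dict) -> str:
    """Return the query string with an HMAC-SHA256 `signature` parameter appended."""
    query = urllib.parse.urlencode(params)
    digest = hmac.new(secret.encode(), query.encode(), hashlib.sha256).hexdigest()
    return f"{query}&signature={digest}"


def classify_withdraw_response(status: int, body: str) -> str:
    """Turn the withdraw endpoint's answer into a verdict.

    Assumption (Binance convention): a key lacking the permission, or a call
    from a non-whitelisted IP, gets HTTP 401 with code -2015 before request
    parameters are validated. Any other error means the request passed the
    permission gate and only failed on its deliberately bogus parameters.
    """
    try:
        code = json.loads(body).get("code")
    except (ValueError, AttributeError):
        code = None
    if status == 401 and code == -2015:
        return "BLOCKED"        # the permission/IP gate rejected it: key is trade-only
    if status == 200:
        return "EXECUTED"       # a withdrawal was accepted: revoke this key immediately
    return "NOT_BLOCKED"        # rejected only on parameters: withdrawals are enabled


def signed_request(method: str, path: str, params: dict) -> tuple:
    """Send one signed request and return (HTTP status, response body)."""
    api_key = os.environ["BOT_API_KEY"]
    api_secret = os.environ["BOT_API_SECRET"]
    params = {**params, "recvWindow": 5000, "timestamp": int(time.time() * 1000)}
    url = f"{BASE_URL}{path}?{sign_query(api_secret, params)}"
    req = urllib.request.Request(url, method=method, headers={"X-MBX-APIKEY": api_key})
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, resp.read().decode()
    except HTTPError as err:
        return err.code, err.read().decode()


if __name__ == "__main__":
    # The read check must pass first: if it fails with -2015 the IP is not
    # whitelisted, and the withdraw check below would be a false "BLOCKED".
    status, body = signed_request("GET", ACCOUNT_PATH, {})
    if status != 200:
        sys.exit(f"read check failed ({status}): {body}")
    # Placeholder coin/address and a zero amount: a correctly restricted key is
    # refused before these are looked at; anything else is a failed check.
    status, body = signed_request(
        "POST", WITHDRAW_PATH, {"coin": "NONE", "address": "invalid", "amount": 0}
    )
    print("withdraw check:", classify_withdraw_response(status, body), body)
```

BLOCKED is the only passing verdict. NOT_BLOCKED means the exchange looked at the withdrawal parameters at all, so the key has the withdrawal permission: delete it and create a new one per Step 6. Export the two variables in the shell with `read -rs` rather than typing them into the command line, so they do not land in shell history.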

Step 8: Enable IP Whitelisting

Priority: Critical

Restrict your API key to only accept requests from specific IP addresses: the static IP of the VPS running your Cloud Node, or your home IP if the bot runs on your own machine. A home connection with a dynamic IP is a poor fit, because every address change breaks the bot until you update the whitelist; a VPS with a fixed address avoids that. Never leave a key unrestricted just because it is convenient.

Verification: Note your current IP, then try accessing the API from a different IP (e.g., mobile data). It should be rejected.

Step 9: Store API Secrets in a Password Manager

Priority: High

Never store API keys in plaintext files in the bot's folder or on your desktop, in notes or chat apps, in email, in screenshots, in browser autofill, or in source code that gets committed to a repository.

Use a dedicated password manager (1Password, Bitwarden, KeePass) to store your API key, secret, and passphrase. These tools encrypt your credentials at rest.

Verification: Search your computer for files containing your API key string. Delete any plaintext copies.
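A scanner for this verification step, added as an example and not Sentinel Bot's own tooling. It takes the secret from the BOT_API_SECRET environment variable (an assumed name) rather than from the command line, so the search itself does not write the secret into your shell history, then walks a directory tree (your home directory by default) and reports every file and line that contains it. The files built in demo() are constructed for illustration:

```python
"""Find plaintext copies of a bot API secret on disk (Step 9 verification).

Added example, not Sentinel Bot code. The secret is read from the environment
variable BOT_API_SECRET (an assumed name), never from argv, so running this
does not write the secret into your shell history.
"""
import os
import sys
import tempfile
from pathlib import Path

# Pruned directories: caches and git object stores (git objects are compressed,
# so a raw search would not see a committed secret anyway; check git history).
SKIP_DIRS = {".git", "node_modules", "__pycache__", ".venv", ".cache"}
MAX_FILE_BYTES = 10_000_000      # skip large binaries, disk images, media


def find_secret(root: str, secret: str) -> list:
    """Return (path, line number) for every line under `root` containing `secret`."""
    needle = secret.encode()
    hits = []
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d not in SKIP_DIRS]   # prune in place
        for name in filenames:
            path = Path(dirpath) / name
            try:
                if path.is_symlink() or path.stat().st_size > MAX_FILE_BYTES:
                    continue
                with path.open("rb") as fh:            # bytes: any encoding, no decode errors
                    for lineno, line in enumerate(fh, 1):
                        if needle in line:
                            hits.append((str(path), lineno))
            except OSError:
                continue                                # unreadable: skip, keep going
    return hits


def demo() -> list:
    """Run the scanner over a constructed sample tree; returns (relative path, line)."""
    secret = "EXAMPLE-SECRET-f3a9c1d2"                  # constructed, not a real key
    root = Path(tempfile.mkdtemp())
    (root / "bot").mkdir()
    (root / "bot" / "config.yaml").write_text(f"api_key: abc\napi_secret: {secret}\n")  # leaked
    (root / "notes.txt").write_text("nothing sensitive here\n")                    # clean
    (root / ".git").mkdir()
    (root / ".git" / "blob").write_text(secret)                                    # pruned
    return [(Path(p).relative_to(root).as_posix(), n) for p, n in find_secret(str(root), secret)]


if __name__ == "__main__":
    secret = os.environ.get("BOT_API_SECRET")
    if not secret:
        sys.exit("set BOT_API_SECRET first (read -rs BOT_API_SECRET; export BOT_API_SECRET)")
    root = sys.argv[1] if len(sys.argv) > 1 else str(Path.home())
    hits = find_secret(root, secret)
    for path, lineno in hits:
        print(f"plaintext secret: {path}:{lineno}")
    print("clean" if not hits else f"{len(hits)} plaintext copy/copies found")
```

Shell history files under your home directory are ordinary files and are scanned too, which is why the secret must reach the script through the environment. Set it with `read -rs BOT_API_SECRET; export BOT_API_SECRET` so the paste is neither echoed nor recorded. Delete every reported copy, then keep only the password manager entry.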

Step 10: Schedule API Key Rotation

Priority: Medium

Rotate your API keys every 3-6 months:

  1. Create a new API key with the same permissions and IP restrictions
  2. Update your bot configuration with the new key
  3. Verify the bot works with the new key
  4. Delete the old API key

Set a calendar reminder for key rotation. This limits the window of exposure if a key is compromised without your knowledge. After each rotation, repeat the Step 7 and Step 8 checks against the new key before deleting the old one.

Bot and Device Security (Steps 11-15)

These steps secure the device running your trading bot and the bot's configuration.

Step 11: Keep Your Operating System Updated

Priority: High

Ensure your operating system (Windows, macOS, Linux) has the latest security patches installed. Enable automatic updates.

For Cloud Node deployments on a VPS, configure unattended security updates:

# Ubuntu/Debian: install and enable automatic security updates
sudo apt update && sudo apt install -y unattended-upgrades
sudo dpkg-reconfigure -plow unattended-upgrades
# Confirm the daily timer is active and preview what would be applied
systemctl status apt-daily-upgrade.timer
sudo unattended-upgrade --dry-run --debug

Verification: Check your OS update status. No critical security updates should be pending.

Step 12: Use a Non-Custodial Bot Architecture

Priority: High

Choose a trading bot that does not require uploading your API keys to their servers. Non-custodial (signal-push) bots like Sentinel Bot keep your keys on your device. Read our non-custodial trading bot guide for a detailed explanation of why this matters.

If you must use a custodial bot, at minimum ensure the platform only ever asks for a trade-only key (Step 7), publishes the IP addresses its servers connect from so you can whitelist them (Step 8), and states how it encrypts stored keys at rest.

Step 13: Secure Your VPS (Cloud Node Users)

Priority: High (for Cloud Node users)

If running a Cloud Node on a VPS: log in with SSH keys only and set PasswordAuthentication no in sshd_config; set PermitRootLogin no and run the node as an unprivileged user; enable a host firewall (ufw) with a default deny policy for incoming traffic and allow only the SSH port; and keep the system patched (Step 11).

Verification: Attempt to SSH with a password (should be rejected). Run sudo ufw status verbose to confirm the default incoming policy is deny and that only the ports you intend are allowed.
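An audit script for these items, added as an example and not Sentinel Bot code. It checks an sshd configuration against the hardening above using sshd's rule that the first value set for a keyword wins (Match blocks are ignored; feed it sudo sshd -T for fully resolved settings with Include files expanded), and checks ufw status verbose output for an active firewall with a default-deny incoming policy and only the expected inbound port. The sample configuration and ufw output are constructed; on a real host the script runs both commands itself:

```python
"""Audit a VPS's SSH daemon and ufw configuration (Step 13 verification).

Added example, not Sentinel Bot code. parse_sshd_config follows sshd's rule
that the first value set for a keyword wins and ignores Match blocks; feed it
the output of `sudo sshd -T` to get fully resolved settings (Include files
expanded). audit_ufw reads the text of `sudo ufw status verbose`.
"""
import subprocess
import sys

# Compiled-in sshd defaults (sshd_config(5)) used when a keyword is not set.
DEFAULTS = {
    "passwordauthentication": "yes",
    "pubkeyauthentication": "yes",
    "permitrootlogin": "prohibit-password",
    "kbdinteractiveauthentication": "yes",
}
# Values acceptable for a bot host: keys only, no root, no interactive prompts.
SSHD_REQUIRED = {
    "passwordauthentication": {"no"},
    "pubkeyauthentication": {"yes"},
    "permitrootlogin": {"no", "prohibit-password"},
    "kbdinteractiveauthentication": {"no"},
}
# Older sshd spells the keyboard-interactive keyword differently.
ALIASES = {"challengeresponseauthentication": "kbdinteractiveauthentication"}


def parse_sshd_config(text: str) -> dict:
    """Effective keyword -> value (both lower-cased); first occurrence wins."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()            # drop comments
        parts = line.replace("=", " ", 1).split(None, 1)
        if len(parts) != 2:
            continue
        key, value = parts[0].lower(), parts[1].strip().lower()
        if key == "match":                             # conditional section: stop
            break
        settings.setdefault(ALIASES.get(key, key), value)
    return settings


def audit_sshd(settings: dict) -> list:
    """One finding per required keyword whose effective value is unsafe."""
    findings = []
    for key, ok_values in SSHD_REQUIRED.items():
        explicit = settings.get(key)
        value = DEFAULTS[key] if explicit is None else explicit
        note = "" if explicit is not None else " (sshd default, not set)"
        if value not in ok_values:
            findings.append(f"{key}: is '{value}'{note}, expected one of {sorted(ok_values)}")
    return findings


def audit_ufw(status_text: str, allowed_ports=("22/tcp",)) -> list:
    """Firewall must be active, default-deny inbound, and allow only `allowed_ports`."""
    lines = status_text.splitlines()
    if not any(l.startswith("Status: active") for l in lines):
        return ["ufw is not active"]
    findings = []
    if not any(l.startswith("Default:") and "deny (incoming)" in l for l in lines):
        findings.append("default incoming policy is not deny")
    for l in lines:
        cols = [c for c in l.split() if c != "(v6)"]   # "22/tcp (v6) ALLOW IN" -> same port
        if len(cols) >= 3 and cols[1] == "ALLOW" and cols[2] == "IN" and cols[0] not in allowed_ports:
            finding = f"unexpected inbound allow: {cols[0]}"
            if finding not in findings:
                findings.append(finding)
    return findings


# Constructed sample: a freshly provisioned VPS before hardening.
SAMPLE_SSHD = """\
Include /etc/ssh/sshd_config.d/*.conf
Port 22
PermitRootLogin yes
PasswordAuthentication yes        # distro default on many images
ChallengeResponseAuthentication yes
PubkeyAuthentication yes
"""
# Constructed sample: ufw output with a stray web port opened for a dashboard.
SAMPLE_UFW = """\
Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing), disabled (routed)
New profiles: skip

To                         Action      From
--                         ------      ----
22/tcp                     ALLOW IN    Anywhere
8080/tcp                   ALLOW IN    Anywhere
22/tcp (v6)                ALLOW IN    Anywhere (v6)
8080/tcp (v6)              ALLOW IN    Anywhere (v6)
"""


if __name__ == "__main__":
    if len(sys.argv) > 1 and sys.argv[1] == "--demo":
        findings = audit_sshd(parse_sshd_config(SAMPLE_SSHD)) + audit_ufw(SAMPLE_UFW)
    else:
        sshd = subprocess.run(["sudo", "sshd", "-T"], capture_output=True, text=True, check=True)
        ufw = subprocess.run(["sudo", "ufw", "status", "verbose"], capture_output=True, text=True, check=True)
        findings = audit_sshd(parse_sshd_config(sshd.stdout)) + audit_ufw(ufw.stdout)
    for f in findings:
        print("FINDING:", f)
    print("no findings" if not findings else f"{len(findings)} finding(s)")
```

Run with --demo to see the constructed sample produce four findings (password logins, root login, keyboard-interactive auth, and the 8080/tcp rule); run without arguments on the VPS to audit the live host. If you changed the SSH port, pass the new port in allowed_ports.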

Step 14: Monitor Bot Activity

Priority: Medium

Set up monitoring for your bot's activity: a notification for every order the bot places, a daily balance snapshot you compare against the previous day, the exchange's own alerts for logins, API key changes and withdrawals, and a regular reconciliation of the exchange's trade history against the bot's own order log.

Unexpected trades or balance changes could indicate a compromised API key or bot malfunction.
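A reconciliation check of the kind described above, added as an example and not Sentinel Bot code. The exchange rows follow the shape of Binance's /api/v3/myTrades response (orderId, symbol, isBuyer, qty, price); the bot order log is a hypothetical structure keyed by exchange orderId; all rows and balances are constructed samples. It flags fills the bot never placed, fills whose symbol or side differ from what the bot logged, and balance changes the bot's own trading cannot explain:

```python
"""Reconcile exchange trade history with the bot's own order log (Step 14).

Added example, not Sentinel Bot code. Rows in EXCHANGE_TRADES follow the shape
of Binance's /api/v3/myTrades response; BOT_ORDER_LOG is a hypothetical bot
record keyed by exchange orderId. All data below is constructed.
"""
from dataclasses import dataclass


@dataclass
class Alert:
    kind: str
    detail: str


# Constructed sample: fills the exchange reports for the last 24 hours.
EXCHANGE_TRADES = [
    {"id": 1001, "orderId": 501, "symbol": "BTCUSDT", "isBuyer": True,
     "qty": "0.01000000", "price": "62000.00", "time": 1710000000000},
    {"id": 1002, "orderId": 502, "symbol": "BTCUSDT", "isBuyer": False,
     "qty": "0.01000000", "price": "62400.00", "time": 1710003600000},
    # No bot order corresponds to this fill: a compromised key buying an
    # illiquid coin is exactly what Step 7's caveat warns about.
    {"id": 1003, "orderId": 777, "symbol": "SHIBUSDT", "isBuyer": True,
     "qty": "10000000", "price": "0.00003000", "time": 1710007200000},
]

# Constructed sample: the bot's own record of every order it placed.
BOT_ORDER_LOG = {
    501: {"symbol": "BTCUSDT", "side": "BUY", "qty": "0.01000000"},
    502: {"symbol": "BTCUSDT", "side": "SELL", "qty": "0.01000000"},
}


def unknown_trades(exchange_trades: list, bot_log: dict) -> list:
    """Fills the bot never placed, or whose symbol/side disagree with its log."""
    alerts = []
    for t in exchange_trades:
        side = "BUY" if t["isBuyer"] else "SELL"
        logged = bot_log.get(t["orderId"])
        if logged is None:
            alerts.append(Alert("UNKNOWN_ORDER",
                f"{t['symbol']} {side} {t['qty']} @ {t['price']} (orderId {t['orderId']})"))
        elif logged["symbol"] != t["symbol"] or logged["side"] != side:
            alerts.append(Alert("MISMATCH",
                f"orderId {t['orderId']}: exchange {t['symbol']} {side}, "
                f"log {logged['symbol']} {logged['side']}"))
    return alerts


def balance_drift(expected: dict, actual: dict, tolerance: float = 0.005) -> list:
    """Compare a balance snapshot with what the bot expects after its own trades.

    `tolerance` is a fraction (0.5% by default) that absorbs fees and rounding;
    assets that appear from nowhere or vanish entirely are always alerts."""
    alerts = []
    for asset, have in actual.items():
        want = expected.get(asset)
        if want is None:
            alerts.append(Alert("NEW_ASSET", f"{asset}: {have} held but never traded by the bot"))
        elif abs(have - want) > tolerance * abs(want) + 1e-9:
            alerts.append(Alert("DRIFT", f"{asset}: expected {want}, have {have}"))
    for asset, want in expected.items():
        if asset not in actual and want > 0:
            alerts.append(Alert("MISSING", f"{asset}: expected {want}, none held"))
    return alerts


# Constructed sample: what the bot thinks it holds vs. the exchange snapshot.
EXPECTED_BALANCES = {"USDT": 1004.0, "BTC": 0.0}                   # 1000 USDT + 4 USDT realised
ACTUAL_BALANCES = {"USDT": 704.0, "BTC": 0.0, "SHIB": 10000000.0}  # 300 USDT went into SHIB


if __name__ == "__main__":
    alerts = unknown_trades(EXCHANGE_TRADES, BOT_ORDER_LOG) + balance_drift(EXPECTED_BALANCES, ACTUAL_BALANCES)
    for a in alerts:
        print(f"ALERT {a.kind}: {a.detail}")
```

On the constructed data the script raises three alerts: an UNKNOWN_ORDER for the SHIB fill, a DRIFT on USDT, and a NEW_ASSET for SHIB. Any one of them is the trigger for the Step 15 response; in practice, feed the functions the output of your exchange's trade-history endpoint and a balance snapshot on a schedule.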

Step 15: Have an Emergency Response Plan

Priority: High

Know exactly what to do if you suspect a security breach:

  1. Immediately revoke all API keys on your exchange (the exchange's API management page). This also stops your own bot, which is what you want until you know what happened.
  2. Change your exchange password and re-enroll 2FA, removing any device or security key you did not register yourself.
  3. Check open positions and orders for anything unauthorized, and close or cancel them.
  4. Review withdrawal history and the withdrawal address whitelist for transfers or addresses you did not add.
  5. Check login history for unauthorized sessions and terminate them.
  6. Contact exchange support if unauthorized activity is confirmed.
  7. Shut down your bot client so it does not keep retrying with revoked credentials, and treat the machine it ran on as suspect until you know how the key leaked.
  8. Document everything (timestamps, screenshots, transaction IDs) for potential law enforcement or insurance claims.

Practice this sequence so you can execute it quickly under pressure. Bookmark your exchange's API management page for instant access.

Printable Quick-Reference Checklist

CRYPTO BOT SECURITY CHECKLIST

Exchange Account:
[ ] 1. Hardware 2FA enabled
[ ] 2. Anti-phishing code set
[ ] 3. Withdrawal address whitelist enabled
[ ] 4. Unnecessary features disabled
[ ] 5. Login history reviewed

API Keys:
[ ] 6. Dedicated bot API key created
[ ] 7. Trade-only permissions (NO withdrawals)
[ ] 8. IP whitelisting enabled
[ ] 9. Secrets stored in password manager
[ ] 10. Key rotation scheduled (every 3-6 months)

Bot & Device:
[ ] 11. OS fully updated
[ ] 12. Non-custodial bot architecture confirmed
[ ] 13. VPS secured (if using Cloud Node)
[ ] 14. Activity monitoring configured
[ ] 15. Emergency response plan documented

Completed: ___/15     Date: __________

Going Beyond the Checklist

This checklist covers the essential security measures that every crypto bot user should implement. For deeper security knowledge, see the API key security guide and the non-custodial trading bot guide referenced above.

Frequently Asked Questions

How long does this checklist take to complete?

For a new setup, expect 20-30 minutes to go through all 15 steps. If you already have 2FA enabled and a password manager, it can be done in 10-15 minutes. The time investment is trivial compared to the potential loss from a security breach.

Do I need to complete all 15 steps?

Steps marked "Critical" (1, 3, 6, 7, 8) are non-negotiable. Skipping any of these creates significant risk. Steps marked "High" are strongly recommended. Steps marked "Medium" are best practices that further reduce risk.

Should I use the same checklist for multiple exchanges?

Yes, apply this checklist to every exchange account connected to a trading bot. Each exchange should have its own dedicated API key with proper permissions and IP restrictions.

How often should I review this checklist?

Revisit the checklist monthly. Technology and threat landscapes evolve. What was secure last quarter may need updating. Pay special attention to items 5 (login history review), 10 (key rotation), and 11 (OS updates).

What if my exchange does not support all these features?

If your exchange lacks critical features like IP whitelisting or withdrawal address whitelisting, consider whether that exchange is appropriate for automated trading. The security of your funds depends on the security features your exchange provides.

Secure your automated trading from day one. Sign up for Sentinel Bot and trade with the confidence that comes from zero-knowledge, non-custodial architecture. Your keys, your control.


Disclaimer: This article is for educational purposes only and does not constitute financial advice. Security measures reduce but do not eliminate risk. Cryptocurrency trading involves significant risk of loss. Always do your own research and maintain vigilant security practices.