I quit WoW a long time ago, and since then there have been significant changes, including the introduction of a keyfob like Paypal's. This site has not been updated in years. However, much of the information still applies.

You've heard it all before, but it's important.

• Keep up with OS updates (That includes you, Mac users. Mac OSX is NOT immune) WoW Analogy: +Dodge
• Keep an up-to-date anti-virus program. WoW Analogy: +Dodge
• Use a firewall and don't turn the damned thing off. At the very least, keep XP/Vista's built-in firewall on. WoW Analogy: Armor, +99% Worm Resistance
• Lock down your Internet Explorer security settings, even if you don't use it. WoW Analogy: +Dodge
• Use an alternative browser such as Opera, SeaMonkey, Firefox, or K-Meleon WoW Analogy: +Dodge
• Anything more is at your discretion. There are tons of other things you can do. See the Links page or Security In-Depth to learn more.
• For even more advanced methods of keeping safe, see Advanced Security Concepts

There are a lot of misconceptions about keyloggers. Time to clear that up.

1. Your keyboard is not the only thing being monitored!
2. Copy/Pasting your password will not protect you from a keylogger. (see #1)
3. A virtual keyboard will not help either. (see #1)
4. IP restrictions won't help much either. Consider that people move around, go to a friend's, and their IP at home may change quite often as well. It's even possible at times that the new IP would bear no similarity at all to the old. It'd be a huge hassle, and a fair majority of WoW players probably have no clue what an IP address is. Once an account is compromised, what's to stop them from adding whatever IP they want to the allowed list?
5. A captcha-type system such as Bank of America's sitekey won't help.
6. A dual-password system like one posted on the suggestions board, where the WoW client (or even the server) stores one password which you chose at account-creation and you enter a second won't help either.

There is only one way to keep login information safe, even on an infected computer: two-factor authentication. That's why captchas and dual-password systems will not work, they are still single-factor schemes. They're both "something you know" as opposed to "something you are" or "something you have." For an example of a working two-factor authentication scheme, take a look at Paypal's security key.

Given that WoW doesn't support such a scheme yet the best way to keep your login info safe is not to get your computer infected and not to share your login info with anyone.

Legitimate addons cannot harm your computer, as they contain no executable code. While it is theoretically possible that a hacker could find a weakness in WoW's LUA interpreter and exploit it, the chance of that happening is rather slim.

If you download an addon and it contains an executable (.exe, .bat, .pif, .com) delete it -- addons don't need executables and if it did, it's against TOS as a 3rd-party program anyway.