How to Secure Your Home Router

Most routers ship with settings optimized for ease of setup, not security. Every week, botnets actively scan home networks for routers still running default credentials. This guide walks you through every meaningful security improvement you can make in an afternoon.

What You Are Actually Defending Against

Home router attacks are not theoretical. In 2018, the VPNFilter malware infected over 500,000 routers in 54 countries by exploiting known vulnerabilities in Netgear, TP-Link, and Linksys devices. In 2022, the Cyclops Blink botnet targeted WatchGuard and Asus routers. These attacks succeed almost entirely because of two factors: default admin credentials left unchanged, and outdated firmware with unpatched vulnerabilities.

A compromised router is more dangerous than a compromised computer. It sits between every device in your home and the internet, allowing attackers to intercept traffic, redirect DNS requests to phishing sites, or use your connection for illegal activities. The fixes are not complicated - they just need to be done.

Credential Attacks

Automated bots scan millions of IPs daily, trying default username/password combinations from publicly documented router defaults. Routers with unchanged credentials are compromised within hours of going online.

Firmware Exploits

Security researchers regularly publish vulnerabilities in router firmware. Manufacturers patch them, but only users who update their firmware get the fix. Unpatched routers remain vulnerable indefinitely.

Wi-Fi Attacks

WPA2 PMKID attacks can crack short Wi-Fi passwords offline in hours. WPS PIN vulnerabilities allow network access in under 10,000 guesses. Both are addressed by specific configuration changes.

Local Network Threats

Guests, smart home devices, and even visiting friends' devices on your network can access your router admin panel if you have not changed the default admin credentials.

Priority Order: Do These First

Security improvements are not equal. These four changes address the most common attack vectors and should be done before anything else:

1. Change the admin password

Default router admin passwords (admin, password, 1234) are published on manufacturer websites and aggregator databases. Anyone connected to your Wi-Fi - a guest, a neighbor who guessed your Wi-Fi password, or malware on any connected device - can open a browser, navigate to 192.168.1.1, and log into your router with the default credentials. Change it to something unique and store it in a password manager. See: How to Change Router Admin Password.

2. Update to the latest firmware

Router firmware patches close known vulnerabilities. A router running firmware from 2021 has years of unpatched security holes. Log into your router admin panel and check for firmware updates under Administration or System settings. Enable automatic updates if available - modern routers from Asus, Netgear, and TP-Link support this. See: How to Update Router Firmware.

3. Disable WPS

The WPS PIN method has a documented vulnerability that allows the 8-digit PIN to be cracked in under 11,000 guesses - typically less than 4 hours. An attacker in range of your Wi-Fi signal can use free tools to do this. Disable WPS in your router wireless settings. The button-press method is safer, but if you rarely use it, disabling WPS entirely removes the attack surface. See: What Is WPS and Why Disable It.

4. Enable WPA3 or at minimum WPA2-AES

If your router and devices support WPA3, enable it. WPA3 makes offline password cracking attacks dramatically harder. If WPA3 is not available, ensure you are using WPA2-AES (not WPA2-TKIP, not WEP). TKIP has known weaknesses and WEP was broken in 2001. Check Wireless > Security in your admin panel. See: How to Enable WPA3.

Additional Hardening

After the four critical fixes above, these improvements provide meaningful additional protection:

5. Create a guest network for IoT devices

Smart TVs, cameras, thermostats, and voice assistants rarely receive security updates for more than 2-3 years. Placing them on a guest network isolates them from your computers and NAS drives. If a camera or smart bulb gets compromised, the attacker cannot reach your main devices. See: How to Set Up a Guest Network.

6. Disable UPnP if you do not need it

UPnP allows devices on your network to automatically open ports on your router. Malware can abuse this to create persistent backdoors. Unless you actively use applications that require UPnP (some games, Plex Media Server), disabling it removes this attack vector without any visible impact on normal browsing. See: What Is UPnP.

7. Change DNS to a filtering provider

ISP DNS servers do not block malware domains. Switching to Cloudflare 1.1.1.2 (malware filtering) or Quad9 9.9.9.9 (malware + threat intelligence) blocks known malicious domains before any device on your network can reach them. Takes 2 minutes to implement. See: How to Change Router DNS.

8. Disable remote management

Remote management allows access to your router admin panel from outside your home network over the internet. This is rarely needed by home users but exposes the admin panel to the entire internet. Confirm it is disabled in Advanced > Remote Management settings. If you need remote access, use a VPN instead.

9. Use a strong, unique Wi-Fi password

WPA2 handshakes can be captured passively and cracked offline using GPU-based dictionary attacks. A 12+ character Wi-Fi password mixing letters, numbers, and symbols makes this attack impractical. Use our Wi-Fi Password Generator to create one instantly.

10. Review connected devices regularly

Check your router's connected devices list (usually under Status > Attached Devices or DHCP > Client List) monthly. Unexpected devices could indicate unauthorized Wi-Fi access. If you find something you do not recognize, change your Wi-Fi password immediately. See: How to See Connected Devices.
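One way to make the monthly device review repeatable, as an added example that is not part of the original guide: compare the DHCP client list against an inventory of devices you own. It assumes the client list is available in dnsmasq lease format (expiry, MAC, IP, hostname, client ID), as on OpenWrt-style firmware; the inventory, MAC addresses and lease lines are constructed sample data.

```python
# Added example: flag DHCP clients that are missing from a known-device inventory.
# Assumption: leases are in dnsmasq format: <expiry> <MAC> <IP> <hostname> <client-id>

KNOWN_DEVICES = {  # constructed inventory: MAC -> label
    "3c:22:fb:10:aa:01": "laptop",
    "b8:27:eb:44:55:66": "raspberry-pi",
}

SAMPLE_LEASES = """\
1735689600 3c:22:fb:10:aa:01 192.168.1.20 laptop 01:3c:22:fb:10:aa:01
1735689900 B8:27:EB:44:55:66 192.168.1.21 pi *
1735690200 da:a1:19:03:7e:9c 192.168.1.37 * *
1735690500 00:1a:2b:3c:4d:5e 192.168.1.52 ESP_3C4D5E *
"""  # constructed sample lease file


def is_randomized(mac):
    """True when the locally-administered bit is set (a 'private' Wi-Fi address)."""
    return bool(int(mac.split(":")[0], 16) & 0x02)


def parse_leases(text):
    """Yield (mac, ip, hostname) from lease lines, skipping malformed ones."""
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[1].count(":") != 5:
            continue
        yield fields[1].lower(), fields[2], fields[3]


def unknown_clients(text, known):
    """Return clients not in the inventory, each with a triage hint."""
    findings = []
    for mac, ip, host in parse_leases(text):
        if mac in known:
            continue
        hint = ("randomized MAC: may be a phone or laptop using a private address"
                if is_randomized(mac)
                else "vendor-assigned MAC: identify by hostname or manufacturer prefix")
        findings.append({"mac": mac, "ip": ip, "hostname": host, "hint": hint})
    return findings


if __name__ == "__main__":
    for f in unknown_clients(SAMPLE_LEASES, KNOWN_DEVICES):
        print(f"{f['ip']:<15} {f['mac']}  {f['hostname']:<12} {f['hint']}")
```

A randomized MAC is not proof of an intruder: recent phones and laptops present a private address per network, so confirm against your own devices before changing the Wi-Fi password.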

Security Checklist

  • Admin password changed from factory default
  • Wi-Fi password is 12+ characters, mixed character types
  • Firmware updated to latest version
  • WPA3 or WPA2-AES encryption enabled (not WEP or TKIP)
  • WPS disabled in wireless settings
  • Guest network enabled for IoT and smart home devices
  • UPnP disabled (unless actively needed)
  • Remote management disabled
  • DNS changed to a filtering provider (Cloudflare 1.1.1.2 or Quad9)
  • Automatic firmware updates enabled if supported
  • SPI firewall enabled (usually on by default)

Completing all 11 items above puts you significantly ahead of the average home network from a security standpoint. Most successful router compromises target the first three items on this list.

Frequently Asked Questions

How do I know if my router has already been compromised?

Signs include: DNS settings changed to unknown servers (check Advanced > DNS in the admin panel), unfamiliar devices in the connected device list, unexpected port forwarding rules, the router admin password changed without your involvement, or unusual internet activity patterns. If you suspect compromise, perform a factory reset, update firmware before reconfiguring, and then apply all security settings from scratch.
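The checks above are easier to run if you record the router's settings right after hardening and compare against them later. The following is an added example, not part of the original guide; the snapshot layout (keys "dns", "port_forwards", "remote_management") is hypothetical and would be filled in by hand from the admin panel, and both snapshots are constructed sample data.

```python
# Added example: report drift between a saved baseline and the current settings.
# The snapshot structure is hypothetical; consumer routers do not export this format.

APPROVED_DNS = {"1.1.1.2", "9.9.9.9"}  # filtering resolvers named in this guide

BASELINE = {  # constructed: recorded right after hardening
    "dns": ["1.1.1.2", "9.9.9.9"],
    "port_forwards": [
        {"proto": "tcp", "ext_port": 32400, "target": "192.168.1.30:32400"},
    ],
    "remote_management": False,
}

CURRENT = {  # constructed: what the admin panel shows today
    "dns": ["1.1.1.2", "203.0.113.53"],
    "port_forwards": [
        {"proto": "TCP", "ext_port": 32400, "target": "192.168.1.30:32400"},
        {"proto": "tcp", "ext_port": 8443, "target": "192.168.1.1:80"},
    ],
    "remote_management": True,
}


def rule_key(rule):
    """Normalize a port-forward rule so cosmetic differences do not count as drift."""
    return (rule["proto"].lower(), int(rule["ext_port"]), rule["target"])


def compromise_signs(baseline, current, approved_dns=APPROVED_DNS):
    """Return human-readable findings for DNS, port-forward and remote-admin drift."""
    findings = []
    for server in current.get("dns", []):
        if server not in approved_dns:
            findings.append(f"DNS server {server} is not an approved resolver")
    known = {rule_key(r) for r in baseline.get("port_forwards", [])}
    for rule in current.get("port_forwards", []):
        if rule_key(rule) not in known:
            findings.append("new port forward {}/{} -> {}".format(*rule_key(rule)))
    if current.get("remote_management") and not baseline.get("remote_management"):
        findings.append("remote management was enabled since the baseline")
    return findings


if __name__ == "__main__":
    for finding in compromise_signs(BASELINE, CURRENT):
        print("CHECK:", finding)
```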

Is a hardware firewall (separate device) necessary for a home network?

For most home users, no. Modern consumer routers include a stateful packet inspection firewall that blocks unsolicited inbound connections. A dedicated hardware firewall (pfSense, Firewalla, Protectli) offers more granular control, VLAN segmentation, and detailed logging, but requires technical knowledge to configure and maintain. If you have a home lab, remote workers, or many IoT devices, a hardware firewall is worth considering.

Should I hide my Wi-Fi SSID (network name)?

No - SSID hiding is a cosmetic security measure with real drawbacks. Hidden SSIDs are trivially detectable with any Wi-Fi scanning tool (the beacon frames are still transmitted). Meanwhile, hiding the SSID causes connection issues with some devices and requires manual network configuration when adding new devices. A visible SSID with a strong WPA3 password is far more secure than a hidden SSID with a weak password.