Router Security: The Default Settings You Need to Change


Your home router is the gateway between your devices and the internet. If it’s compromised, everything on your network is potentially exposed. Yet most people never touch their router settings after initial setup.

Router manufacturers optimize for easy setup and low support calls, not maximum security. The default configurations often include weak admin passwords, outdated encryption standards, and enabled services that most users don’t need.

Here’s a practical guide to hardening your home router without a networking degree.

Change the Admin Password Immediately

Almost every router ships with a default admin password — often “admin” or “password” or printed on a sticker. These defaults are public knowledge. Anyone on your local network can log into your router’s admin interface if you haven’t changed it.

Once in, an attacker can change DNS settings (redirecting your traffic), view connected devices, capture network traffic, or simply lock you out by changing the admin password themselves.

What to do: Log into your router’s admin interface (usually at 192.168.1.1 or 192.168.0.1), find the admin password setting, and change it to a strong unique password. Store this password in your password manager.

Disable WPS

Wi-Fi Protected Setup (WPS) allows devices to connect to your network by pressing a button on the router or entering an 8-digit PIN. It’s convenient and also fundamentally insecure.

The PIN authentication method is vulnerable to brute force attacks that can recover your WPA2 password in hours. Even routers that claim to have “secure WPS implementations” have had vulnerabilities.

What to do: In your router settings, find the WPS option and disable it entirely. Devices will need to enter your WiFi password manually, which is a minor inconvenience for significantly better security.

Use WPA3 (or WPA2 if WPA3 Isn’t Available)

WiFi encryption standards have evolved. WEP is ancient and trivially broken. WPA is better but still vulnerable. WPA2 is the current minimum acceptable standard. WPA3 is the latest and strongest.

Many routers still ship with WPA/WPA2 mixed mode enabled to support older devices. In mixed mode, a device can connect using the weakest protocol the router accepts, which undermines security.

What to do: Set your WiFi encryption to WPA3 Personal (or WPA3-SAE) if your router supports it and all your devices are compatible. If you have older devices that don’t support WPA3, use WPA2 Personal (AES) only, not mixed mode.

If you have devices too old to support WPA2, consider whether they’re worth keeping on your network or whether they should be replaced.

Change the Default SSID

The SSID (network name) that your router broadcasts identifies what brand and model you have. “Netgear47” or “TPLink_2E4F” tells attackers exactly what hardware you’re running, which helps them identify known vulnerabilities.

What to do: Change your SSID to something that doesn’t identify your router model, your address, or personal information. “Smith Family WiFi” is better than “Netgear47” but still tells people whose network it is. “Apartment 3B” identifies where you live. Generic names like “NotYourWiFi” or “GetYourOwn” work fine.

Don’t hide your SSID entirely — this provides minimal security benefit and breaks compatibility with some devices.
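
To check what your network actually advertises after changing the encryption and SSID settings above, here is an added example (not from the original article) that audits a Wi-Fi scan for WEP, WPA-only, mixed-mode and vendor-default names. It assumes scan lines in the `SSID:SECURITY` shape produced by `nmcli -t -f SSID,SECURITY device wifi list` on Linux; the sample scan and the vendor prefix list are constructed for illustration.

```python
import re

# Vendor-style default SSID prefixes (illustrative list, extend for your hardware).
DEFAULT_SSID = re.compile(r"^(netgear|tp-?link|linksys|d-?link|asus|belkin)[\W_]*\w*$", re.I)

def split_terse(line):
    """Split one `nmcli -t` line on unescaped ':' and unescape '\\:' in each field."""
    return [f.replace("\\:", ":") for f in re.split(r"(?<!\\):", line)]

def audit(scan_text):
    """Return {ssid: [findings]} for every network with at least one finding."""
    report = {}
    for line in scan_text.strip().splitlines():
        fields = split_terse(line)
        if len(fields) < 2:
            continue  # not an SSID:SECURITY line
        ssid, security = fields[:2]
        modes = set(security.replace("--", "").split())
        findings = []
        if not modes:
            findings.append("open network, no encryption")
        if "WEP" in modes:
            findings.append("WEP is trivially broken")
        if "WPA1" in modes and len(modes) > 1:
            findings.append("WPA/WPA2 mixed mode, set WPA2 (AES) only")
        elif "WPA1" in modes:
            findings.append("WPA only, move to WPA2 or WPA3")
        if DEFAULT_SSID.match(ssid):
            findings.append("SSID looks like a vendor default")
        if findings:
            report[ssid] = findings
    return report

# Constructed sample scan, not captured from a real network.
SAMPLE = """\
Netgear47:WPA1 WPA2
TPLink_2E4F:WPA2
NotYourWiFi:WPA3
Cafe\\: Free:
OldPrinterNet:WEP
"""

if __name__ == "__main__":
    for ssid, findings in audit(SAMPLE).items():
        print(f"{ssid}: {'; '.join(findings)}")
```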

Disable Remote Administration

Many routers allow remote administration — the ability to access the router’s admin interface from outside your home network. This is useful for managed business networks. For a home network, it’s an unnecessary attack vector.

If remote admin is enabled, anyone on the internet who knows (or guesses) your router’s IP address can attempt to log in. Even with a strong admin password, enabling remote admin expands your attack surface.

What to do: Find the remote administration setting (sometimes called “remote management” or “WAN access”) and disable it. If you genuinely need to manage your router while away from home, use a VPN to access your home network first, then administer the router locally.

Update the Firmware

Router firmware vulnerabilities are discovered regularly. Manufacturers release updates to fix them. Most routers don’t update automatically, and most users never manually update firmware.

CISA’s Known Exploited Vulnerabilities catalog includes numerous router vulnerabilities that have been exploited in the wild. Many of these affect default configurations and have patches available.

What to do: Check your router’s admin interface for a firmware update option. Apply any available updates. Set a calendar reminder to check quarterly.

Some newer routers support automatic firmware updates. If yours does, enable it. The risk of a bad firmware update bricking your router is much lower than the risk of running vulnerable firmware indefinitely.

Disable UPnP

Universal Plug and Play (UPnP) allows devices on your network to automatically open ports on your router for incoming connections. This is convenient for gaming consoles, media servers, and VoIP phones.

It’s also exploitable. Malware running on any device on your network can use UPnP to open ports without your knowledge, creating pathways for external attacks.

What to do: Disable UPnP unless you have a specific need for it. If you do need it (e.g., for specific gaming or media applications), manually configure port forwarding for just those applications instead of leaving UPnP enabled globally.

Use a Guest Network

Most modern routers support a guest network — a separate WiFi network isolated from your main network. Devices on the guest network can access the internet but can’t see or interact with devices on your main network.

What to do: Set up a guest network and use it for:

  • Visitors’ devices (friends, family, contractors)
  • IoT devices (smart speakers, cameras, thermostats)
  • Anything you don’t fully trust

This limits the damage if a guest’s device is compromised or if your smart light bulb turns out to have security vulnerabilities (which happens more often than it should).

Change DNS to Reputable Providers

Your router’s DNS settings determine how domain names get translated to IP addresses. By default, your router uses your ISP’s DNS servers.

Some ISPs’ DNS servers log your browsing history. Some have poor uptime or slow response times. Some don’t support modern security features like DNSSEC.

What to do: Change your router’s DNS servers to reputable providers:

  • Cloudflare: 1.1.1.1 and 1.0.0.1
  • Google Public DNS: 8.8.8.8 and 8.8.4.4
  • Quad9: 9.9.9.9 and 149.112.112.112

Quad9 specifically blocks known malicious domains, providing an additional layer of protection against phishing and malware.

Disable Unused Services

Many routers enable features by default that most users don’t need: FTP servers, DLNA media servers, USB printer sharing, Telnet access.

Each enabled service is a potential vulnerability. If you’re not using them, disable them.

What to do: Go through your router’s settings and disable any services you don’t recognize or use. If you’re unsure what something does, search for it online. If you still don’t know and aren’t consciously using it, disable it. You can always re-enable it later if something breaks.
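
If the admin menus make it hard to tell what is still running, you can confirm from a computer on your own network. This added example (not from the original article) tries a TCP connection to the router on the ports used by the services named above; the port for DLNA is an assumption, since it varies by firmware.

```python
import socket

# TCP ports for the services named above. 21, 23, 515, 631 and 9100 are the
# standard assignments; 8200 is the MiniDLNA default and is an assumption here,
# since DLNA has no fixed port.
SERVICES = {
    21: "FTP server",
    23: "Telnet",
    515: "printer sharing (LPD)",
    631: "printer sharing (IPP)",
    9100: "printer sharing (raw)",
    8200: "DLNA media server",
}

def open_services(router_ip, services=SERVICES, timeout=1.0):
    """Return {port: name} for each listed service that accepts a TCP connection."""
    found = {}
    for port, name in services.items():
        try:
            with socket.create_connection((router_ip, port), timeout=timeout):
                found[port] = name
        except OSError:
            # Refused, filtered or timed out: nothing is answering on this port.
            pass
    return found

if __name__ == "__main__":
    ROUTER = "192.168.1.1"  # the article's example address; use your own gateway
    exposed = open_services(ROUTER)
    for port, name in sorted(exposed.items()):
        print(f"{port}/tcp open: {name} - disable it if you do not use it")
    if not exposed:
        print("None of the listed services answered.")
```

Run it again after disabling a service to confirm the port no longer answers.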

Consider Replacing Ancient Routers

If your router is more than 5-7 years old, it may no longer receive firmware updates. At that point, known vulnerabilities will never be patched.

Router hardware has also improved significantly. Modern routers support WPA3, have better range, handle more devices simultaneously, and often include better security features.

A router from 2015 that hasn’t been updated since 2020 is a security liability regardless of what settings you change.

What to do: If your router is old and no longer supported by the manufacturer, replace it. A decent home router costs $80-150. The security and performance improvements are worth it.

The Realistic Effort

Going through all these settings takes 30-60 minutes. It’s not difficult — mostly clicking through menus and changing dropdown options — but it requires attention and finding the right settings, which vary by manufacturer.

Most people never do this. The router sits in a closet with default settings for years until it’s replaced.

The security improvement from hardening your router is disproportionate to the effort. You’re closing the most obvious vulnerabilities that automated attacks and opportunistic attackers exploit routinely.

The Bottom Line

Router security isn’t exciting. It’s not visible. Most people don’t think about it.

But routers are the foundation of your home network security. A compromised router exposes every device you own. The default settings are convenient for manufacturers and insufficient for security.

Spending an hour hardening your router settings is one of the highest-value security improvements you can make. It protects every device on your network with a one-time effort.

Do it now, before you forget again. Your future self will thank you.