How to Best Secure Your Home Router

Your home router is the most important piece of your home network. It allows you to connect devices to the internet and allows you to connect devices directly to each other. There is so much PII (Personally Identifiable Information) that your router handles that it makes it a very tempting target for threat actors. Here are the steps you should take to secure your router as much as possible.

Secure The Admin Panel – Reset the Password

When setting up a new router, one important security measure that is most often forgotten is to set the admin password in the router’s configuration settings. Often manufacturers ship routers with the default credentials where the password is something like admin or password. Changing this closes the front door to your router and therefore your personal data. Make sure to use a strong and unique password. I’d recommend saving this password in your password manager. If you have the ability to change the login name, you should do that as well. Default credentials are easy to search for on the internet, and the harder you can make it for someone to guess the better.

You can access the admin panel by typing the IP address of your router into your internet browser. The two most common router addresses are 192.168.0.1 and 192.168.1.1 but you can find out by looking at the IP address of any device, like your phone or computer that is on your home network. Once you have the IP address just replace the last number after the period with a 1. To find your IP address on your phone you can go to the Wi-Fi settings and view the information about your network, and it will give you your IP address. For Windows you just need to type ipconfig into the command prompt and it will display your network information. For Mac or Linux the command is ifconfig or ip addr.

Keep in mind not all routers allow access to their admin panel this way. Many newer routers, especially mesh style routers, only communicate with an app. They will not give you access to any configuration settings going through the web portal.

Keep Your Firmware Updated

In order to have the most up-to-date security measures, you need to make sure the firmware of your router is up to date. When router manufacturers release patches, they include all the security fixes they have done since the last release. Most new out-of-the-box routers will not have the newest firmware available preinstalled. It is always a good idea to check the firmware for updates during initial setup, as well as on a regular basis. Two or three times a year should be sufficient, but if you hear news about a security breach involving the company that makes your router, or news about a new exploit that targets the brand of your router, you should at that point check for firmware updates and consider checking on a more regular basis.

Updating your router’s firmware closes the front window of your home network, offers bug fixes and often new software features as well.

Wi-Fi Configuration Best Practices

There are a few steps that should be taken during the initial setup of your wireless router. It may look like a lot of stuff, but you only have to do it once. Most of these are set it and forget it with the notable exception of the password. You should periodically change the password to your wireless network.

Change the Default Wi-Fi SSID

Choosing your Wi-Fi SSID (Service Set Identifier, aka the wireless network name) can often feel like a personal choice and a reflection of your sparkling personality. In practice, however, this is not always the best idea. You need to choose an SSID name that contains no personally identifiable information and no other information that can identify the type of router you're using. Often the default Wi-Fi SSID name will indicate the brand of the router. This is to make initial setup easier when you're searching through many Wi-Fi signals to find the one that's yours. TP-Link_017060, netgear24, Linksys0044 and Asus3789 are just a couple of examples of default SSID names that could ship with your new router.

I still like to create amusing or downright comical SSID names. For me the best Wi-Fi names are just a couple random words. They can be amusing while keeping you anonymous.

  • smugly generous
  • graceless snowplow
  • footloose botanist
  • koala clause

The list could go on forever, but know that most routers have a character limit of 32 characters for the SSID name.
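The naming rules above can be turned into a small check. This is an added example, not part of the original article: the vendor list comes from the default names quoted above, the word lists and the `personal_terms` parameter are made up for illustration, and the 32 limit is counted in bytes, so accented characters and emoji use up more than one.

```python
import secrets

# Brand names taken from the default SSIDs quoted above; extend for your own gear.
VENDOR_HINTS = ("tp-link", "netgear", "linksys", "asus")
MAX_SSID_BYTES = 32  # the limit is measured in bytes, not visible characters

# Small constructed word lists, sample data only.
ADJECTIVES = ["smugly", "graceless", "footloose", "drowsy", "velvet", "crooked"]
NOUNS = ["snowplow", "botanist", "koala", "teapot", "lantern", "walrus"]


def check_ssid(ssid, personal_terms=()):
    """Return a list of problems with a proposed SSID (empty list means OK)."""
    problems = []
    lowered = ssid.lower()
    if not ssid:
        problems.append("empty")
    if len(ssid.encode("utf-8")) > MAX_SSID_BYTES:
        problems.append("too long")
    for vendor in VENDOR_HINTS:
        if vendor in lowered:
            problems.append(f"reveals router brand: {vendor}")
    # personal_terms: surnames, street names, flat numbers and so on.
    for term in personal_terms:
        if term and term.lower() in lowered:
            problems.append(f"contains personal term: {term}")
    return problems


def random_ssid():
    """Pick a random adjective + noun pair that passes check_ssid."""
    while True:
        candidate = f"{secrets.choice(ADJECTIVES)} {secrets.choice(NOUNS)}"
        if not check_ssid(candidate):
            return candidate


if __name__ == "__main__":
    for name in ("TP-Link_017060", "Smith Family Wifi", "koala clause"):
        print(name, "->", check_ssid(name, personal_terms=["Smith"]) or "OK")
    print("suggestion:", random_ssid())
```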

Use the Newest Wi-Fi Encryption Available

When you're setting up your network for the first time, you will be asked to choose the encryption method you want to use. This encryption method is what secures all the data flying through the air between your phone and router. This data is transmitted in all directions, so your router and phone use a secret encryption key that only they know to secure the communication. A threat actor could capture the data but, without the key, would not be able to read it.

WPA3 is the newest encryption method and while it is slightly more secure than WPA2 with AES, it can cause some really annoying issues with older Wi-Fi devices. For this reason I stick to WPA2 with AES.

Here is a link to a much more technical explanation that is pretty easy to follow if you understand tech jargon. He goes much more in depth about the differences and the nuances of the different types of Wi-Fi encryption. Credit goes to Michael Horowitz for his comprehensive write-ups that he self-publishes on the public domain for free.

Guest Network

I choose to use a guest network at home for the exact purpose it is named for, guests. It allows me to keep all my devices on my home network which keeps them separated from all the guests’ devices on the guest network. Since I don’t tell people my home network’s Wi-Fi password, I use a unique and complex password which is admittedly a pain in the butt when I am adding new devices. Since I’m not connecting new devices all the time, I value the security of my pain in the butt password over the convenience of an easy to remember password.

Back to the guest network. This password is relatively easy to input and remember because I like having guests over. The guest network is also useful for IoT devices like smart lights, smart switches, smart fans, smart refrigerators; basically anything with the word “smart” in front of it that needs to connect to the internet. More often than not, these devices are created to be replaced. Instead of the manufacturer updating their old products, they create new products with new features to try and convince you to upgrade that old device that is in great working order. Due to this marketing tactic, old products’ firmware rarely gets updated and vulnerabilities rarely get patched.

In addition to segmenting them with the guest network, another tip to minimize the attack surface created by IoT devices is to buy products that are backed by larger companies with good reputations rather than cheap AliExpress-style companies. A large company like Philips, with their comprehensive lineup of Philips Hue lighting, is much more likely to keep their older products in good working order by offering updated firmware.

If, however, you are not utilizing the guest network, it is best to disable it.

Disable UPnP and Turn Off WPS

UPnP stands for Universal Plug and Play and it’s a network protocol that automatically allows connections between all the devices on your home network that have UPnP capabilities. In a perfect world, this is a nice feature that minimizes friction when connecting new devices. However, your router might unknowingly connect with a malicious threat actor who is trying to invade your network. It is best to leave this feature off and manually connect your devices.

WPS stands for Wi-Fi Protected Setup and it’s a convenience feature for adding new devices to your wireless network. Its biggest flaw is that the passcode it uses to connect a device to the network is only 8 numerical digits. This type of passcode can be brute-forced in a matter of seconds.

The security risks outweigh the convenience of these outdated features and they should be disabled.

Check the Port Forwarding Settings

Port forwarding is a feature of your router that allows holes to be punched through your router’s firewall. Port forwarding can be a useful tool, but it needs to be set up properly and actively maintained. If you don’t know about port forwarding then it is safe to assume that you should disable any that might be in your router settings. Its biggest security flaw, aside from the hole in your firewall, is that you may forget you have that hole open.

If you are setting up a new router, there should be no port forwarding set up by default and the rule list should be empty. If you are doing a security checkup on your up-and-running router, this is something you should glance at periodically.

Whitelisting & Blacklisting

Blacklisting is basically an internal blocklist for devices connected to your network. You can have your router block certain devices, identified by their MAC address, from interacting with your network. Here’s the rub though: many modern devices have security features built in to randomize their MAC address on a periodic basis, so it’s not going to be effective against all types of devices.

Whitelisting is the opposite: it is an allow list and can actually be a very useful security tool. If you are concerned with your home network security, you can choose to block all devices except for the ones you specifically add to your allow list. This will give you very fine control over what devices are allowed to communicate with your network. The downside is that it’s a lot harder to add devices to your home network and get them communicating. For example, if you had forgotten that you implemented this and were trying to troubleshoot why your new printer isn’t working, you might bang your head against the wall a few times. The important thing to remember is that many modern devices, especially phones, have the ability to randomize their MAC address, so you might want to turn that feature off so you don’t lock yourself out of your network by accident.
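Randomized MAC addresses can be spotted before they lock you out: devices that generate their own address set the "locally administered" bit (0x02) in the first octet, while factory-assigned addresses leave it clear. The following is an added example, not from the original article, that audits an allow list for entries likely to change; the device names and addresses are constructed sample data.

```python
import re

MAC_RE = re.compile(r"^[0-9a-f]{2}([:-][0-9a-f]{2}){5}$", re.IGNORECASE)

# Constructed sample allow list (device name, MAC); none of these are real devices.
ALLOW_LIST = [
    ("office-printer", "00:1A:2B:3C:4D:5E"),
    ("phone", "DA:A1:19:5F:0C:7B"),
    ("tablet", "3e-45-9b-10-22-a7"),
    ("typo", "00:1A:2B:3C:4D"),
    ("printer-copy", "00-1a-2b-3c-4d-5e"),
]


def parse_mac(text):
    """Normalise 'AA-BB-...' or 'aa:bb:...' to a tuple of six integer octets."""
    text = text.strip()
    if not MAC_RE.match(text):
        raise ValueError(f"not a MAC address: {text!r}")
    return tuple(int(part, 16) for part in re.split(r"[:-]", text))


def is_locally_administered(mac):
    """True when bit 0x02 of the first octet is set (not a factory-assigned address)."""
    return bool(parse_mac(mac)[0] & 0x02)


def audit_allow_list(entries):
    """Sort (name, mac) pairs into stable, randomized, duplicate and invalid names."""
    report = {"stable": [], "randomized": [], "duplicate": [], "invalid": []}
    seen = set()
    for name, mac in entries:
        try:
            octets = parse_mac(mac)
        except ValueError:
            report["invalid"].append(name)
            continue
        if octets[0] & 0x01:      # multicast bit: never a device's own address
            report["invalid"].append(name)
        elif octets in seen:
            report["duplicate"].append(name)
        elif octets[0] & 0x02:    # locally administered: likely to change
            report["randomized"].append(name)
        else:
            report["stable"].append(name)
        seen.add(octets)
    return report


if __name__ == "__main__":
    for bucket, names in audit_allow_list(ALLOW_LIST).items():
        print(f"{bucket}: {', '.join(names) or '-'}")
```

Any device reported as randomized should have its private or random MAC setting turned off for your home network, and its address re-read, before it goes on the allow list.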


There are so many vulnerabilities in quite literally everything. Taking the steps to secure your router is a great start. I could not possibly cover every option available, but if you wanted to read about what appears to be every possibility then you need to check out this very informative website built by Michael Horowitz. RouterSecurity.org
