How to Configure Your Router to Make Your Home Network Really Secure

Tina Sieber 05-06-2015

Default router settings put your network at risk Why Your Router Is a Security Risk (And How to Fix It) Read More . Not only could strangers in your vicinity use your Wi-Fi without your permission, their freeloading could subsequently reduce your bandwidth, and exhaust your data allowance.


More worryingly, their actions even get you in trouble if they used your network for illegal activities, whether downloading copyrighted material or hacking into your devices. Default settings could also invite wannabe hackers to log into your network’s admin panel and hijack your settings.

We have summarized the standard router settings that can prevent leeching and unauthorized access to your network.

Basic Router Security Settings

The following are the bare minimum security-related settings. They’re easy to set up. Connect your computer to your router using a LAN cable and log in using the router IP address and – unless you already changed them – the manufacturer-provided administrator username and password.

If your router interface doesn’t immediately reveal the settings listed below or doesn’t look like the example screenshots, I recommend you to consult your router’s manual; you can probably find it online. Many manufacturers, including Linksys and Netgear, also offer detailed support pages.

Change Default Administrator Credentials

The default username and password you use to log into your router are often the same for thousands of other devices and they can be looked up online. Thus log into your router and change both. (How do I change my Wi-Fi password? How to Find and Change Your Wi-Fi Password on Windows 10 Need to find or change your Wi-Fi password? Here's how to change and locate your Wi-Fi password on a Windows computer. Read More )


Since you use a browser to log into your router, you can store the new login credentials in a password manager like LastPass 5 Best LastPass Alternatives to Manage Your Passwords Many people consider LastPass to be the king of password managers; it's packed with features and boasts more users than any of its competitors -- but it's far from being the only option! Read More . If only you or family members have physical access to your router, there is no harm in putting a sticker with the username and password onto your router.

Sample settings for a Linksys router:

Linksys Router Settings

Set a Wireless Password or Passphrase

While you’re logged into your router, make sure you have set a password for your Wi-Fi. As mentioned above, an open Wi-Fi network can have all sorts of negative consequences. However, a password that’s easy to crack is almost as bad as no password at all. To be safe, always use WPA2 encrypted passwords WEP vs. WPA vs. WPA2 vs. WPA3: Wi-Fi Security Types Explained There are many types of wireless security but which should you be using? Which Wi-Fi is most secure: WEP, WPA, WPA2, or WPA3? Read More  because anything else is too easy to bypass.



Turn Off WPS

Wi-Fi Protected Setup (WPS) is a wireless standard that makes it very easy to set up an encrypted wireless connection. To give a device access to your wireless network, you either press a button on both the router and your device or you enter the 4 to 8 digit number printed on a sticker on your router.

The problem is, this feature is turned on by default and since there are no limits to how many times you can enter a wrong code, WPS is crackable by brute force 10 Ways Your Router Isn't as Secure as You Think Here are 10 ways your router could be exploited by hackers and drive-by wireless hijackers. Read More . With the right tools, which can be found online, it only takes minutes or hours to compromise your wireless network How Easy Is It to Crack a Wi-Fi Network? Wi-Fi security is important. You don't want intruders piggybacking on your precious bandwidth -- or worse. There a few misconceptions regarding Wi-Fi security, and we're here to dispel them. Read More . Once the WPS code is cracked, your Wi-Fi key is revealed, too.

To be safe from this vulnerability, you have to manually turn it off. Find the respective setting in your router admin panel and disable it.



Unfortunately, turning off WPS might not actually do anything. Many manufacturers either don’t offer an option to turn if off, or WPS continues to work despite having been disabled.

Change Default SSID Name

The SSID is the name of your wireless network. Your devices use the SSID to recognize previously used networks and will try to hook up to any matching network that they have stored login data for. With a default SSID, you’re potentially setting your devices up to connect to a lot of strange networks by default.

Moreover, if the default SSID reveals your router, hackers might be able to identify the model, leading them to uncover router-based vulnerabilities in your network Open Router Ports & Their Security Implications [Technology Explained] Read More .



Don’t be tempted to hide your SSID! Contrary to common recommendations, hiding your SSID is a bad idea because devices trying to connect to your network will essentially try to match with any AP (access point) out there. Now a malicious network could impersonate your network and obtain access to your device. Instead of cloaking your SSID, make sure you follow our recommendation and give it a unique name.

Change Default Router IP

Above we told you to change your default login credentials. That’s a simple and effective way to prevent unsolicited access to your router. To make it even harder for hackers to find your router’s admin panel, change the default internal gateway or comparative IP. If you’re using LastPass to store your login data, update the IP there, too.

Disable Remote Administration or Management

When remote access is enabled, anyone on the Internet can access your router and change its settings. To prevent unsolicited remote access , you need to disable this feature.

Note that this still allows anyone close enough to catch your Wi-Fi to access the admin panel, provided they know the login credentials. If your router offers this option, set it to permit access to the admin panel only with a wired connection to the router. This is a rare feature and you might have to upgrade or change your router firmware to get it.

Advanced Router Security Settings

Those of you confident enough to dive a little deeper into securing your routers might want to consider the following settings. They’re also recommended if your router is located in a high risk environment, e.g. in an apartment building or close to a public space.

Update Firmware

Generally, firmware is a kind of software coded onto hardware to help it execute operations and communicate with peripherals. Whenever a router vulnerability is revealed, manufacturers typically release new firmware to close the security hole. That’s why it’s recommended to periodically check and update your router firmware. Most standard routers come with an in-built router update option, typically found under router administration.


Note that updating your firmware could restore default settings, meaning you’d have to re-apply any changes you previously made. If possibly, make a backup of your custom settings prior to updating firmware.

Switch to 5GHz Band

The standard band is 2.4GHz, which travels further. By using the 5GHz band 3 Reasons Your Wi-Fi Dongle Speed and Performance Sucks Wi-Fi dongles are great at granting connectivity to a network-free device. But they don't always live up to expectation. Here are 3 reasons your Wi-Fi dongle sucks -- and how to fix them. Read More , you reduce the reach of your Wi-Fi network and thus the chance of a bad guy picking it up and trying to break in. It also decreases interference, improves speed, and increases stability of your network.

Unfortunately, not all devices support the 5 GHz band. One solution here, if you wanted to be meticulous, would be to either connect these devices using an Ethernet cable or upgrade your router to 802.11ac and create a dual network setup. You’d have one network for each band ad could move most of your traffic over to the 5 GHz band. Of course that would not actually increase your security because now you’d offer two points to attack your network.

Disable PING, Telnet, SSH, UPnP, and HNAP

Find the respective settings in your router interface and disable them. Rather than closing these ports, use the stealth settings (if available) which will result in attempts to access your network from outside being met with silence, thus hiding the port. An efficient way to hide your router is to prevent it from responding to PING commands.

Enable Router Firewall

If your router has its own firewall, enable it. You shouldn’t rely ONLY on your router firewall 5 Reasons Why You Should Use a Firewall You've heard of firewalls, but what are they really for? Do they stop viruses? Can you manage without one? We look at five reasons to install and use a firewall on your computer. Read More , but consider it an extra layer of protection.


Disable Wireless MAC Filter

Briefly, MAC addresses are easy to spoof IP and MAC Address: What Are They Good For? The internet isn't so different from the regular postal service. Instead of a home address, we have IP addresses. Instead of names, we have MAC addresses. Together, they get the data to your door. Here's... Read More and thus MAC filtering isn’t worth the effort.

Pro Router Security Settings

Finally, here are the settings for those of you who want to take every last step to secure their network.

Install Alternative Firmware

Third-party router firmware The Top 6 Alternative Firmwares for Your Router Looking for alternative router software like DD-WRT? Custom router firmware can add functionality, but is it safe to use? Read More not only adds additional features, but is also more secure than the latest firmware provided the manufacturer of your router. Alternative firmwares are less commonly affected by vulnerabilites. Popular open source firmwares include the Linux based DD-WRT and Tomato.


Before you install new firmware, make sure you find one that is compatible with your router, then review the step-by-step instructions for installing it.

Change Default DNS (Domain Name Server)

Rather than using your ISP’s default DNS server, pick an OpenDNS or Google Public DNS server. It can improve your Internet speed How to Change Your DNS Settings to Increase Speed Changing your DNS settings is a minor tweak that can have a big impact on day-to-day internet speeds. Here's how to do it. Read More and your network’s security 4 Reasons Why Using Third-Party DNS Servers Is More Secure Why is changing your DNS a good idea? What security benefits does it bring? Can it really make your online activities more secure? Read More .

Be Careful With Wi-Fi Network for Guests

Again, the recommendations here are contradicting. Some say it’s better to disable guest networks because they come with no login security and default passwords can be found online. If you can, however, create a custom login and make the guest network expire after a given time, then it’s a great option to provide guests with temporary access to your network, while keeping any shared folder or devices in your network private.

Is Your Router Safe?

How many of these router security settings had you made use of already and which ones didn’t you know about before? If you’re looking for more tips, check out the book Networking All-in-One For Dummies Download Networking All-in-One For Dummies (Worth $17) For FREE! Grab this free ebook collection and get up to speed on all the latest networking tips, tricks, and troubleshooting steps. Read More for some extra help.

Your router isn’t the only connected device you will want to secure. Check out these 5 tips for securing your smart and Internet of Things devices.

Image Credits: Linksys settings via Linksys, NETGEAR genie via NETGEAR

Explore more about: Online Privacy, Online Security, Router, Wi-Fi.

Whatsapp Pinterest

Enjoyed this article? Stay informed by joining our newsletter!

Enter your Email

Leave a Reply

Your email address will not be published. Required fields are marked *

  1. srikanth
    September 4, 2017 at 5:07 pm

    how to secure from the wired connections on my router. when the person gets lan cable from the router he need to authenticated but in real time its not the case how to avoid that problem.??

    • Tina Sieber
      September 4, 2017 at 7:15 pm

      I'm afraid I don't understand the problem.

      • srikanth
        September 5, 2017 at 6:12 am

        Okay lets assume that I have 2 devices (A is router and B is computer ).'A' is primary router B is secondary. now I want to give connection to 'B' (not from ISP. A is having from ISP) from 'A'. So if I do that Computer B is getting Internet directly. But it need to be Authenticated??. That's my problem. So anyone is there to help me.

  2. zia
    November 8, 2016 at 2:04 am

    does anyone know how to always show search criteria with macOS saved searches by making it the default?

    • Tina Sieber
      November 8, 2016 at 9:55 am

      Hi Zia, I think you scrolled too far and left your comment below the wrong article. The above is about router configuration for home networks.

  3. Bruce Epper
    June 6, 2015 at 12:36 pm

    The Remote Admin function of routers is all about accessing it via the WAN (internet) port. WiFi devices can still hit the admin control panel as long as it is connected to the local network; it does not force the use of a wired connection.

    That said, I have also seen some routers that can force the use of a wired connection for administration but the Remote Admin setting is not the one that does it. It has been some time since I have seen one of them, so I don't remember what they call the setting or even what hardware routers support it.

    • Tina Sieber
      June 6, 2015 at 2:41 pm

      Thanks for pointing out that misunderstanding, Bruce!

  4. Anonymous
    June 5, 2015 at 8:14 pm

    Another alternative firmware is OpenWRT.

    To find faster DNS connections download and use the "namehelp" app.

  5. Anonymous
    June 5, 2015 at 5:36 pm

    I have most of them - 5 GHZ has trouble getting to some parts of my house so I leave both on and I hand't thought top change the default DNS. I have Guest network enabled with a password, and I use it to connect things that need internet but not access to the full network - like my thermostat. So if it get hacked (likely, I'm sure it has next to no security) they hopefully can't get to the PCs.

    But I also have something extra that might be controversial. My router is a "Free" router provided by my cable ISP (Cablevision Optimum Online) and it includes an Optimum Hotspot that is wide open to anyone with an Optimum ID. Strangely, I am perfectly OK with this. Partly this is due to the altruistic kick of helping provide "free" internet to others, partly it is because I get a pretty good router (AC1750) at no cost and that I can upgrade anytime I want. There is also the "Plausible Deniability" aspect - if someone on my network downloads a copy of the latest Star wars or something and we get a nasty letter from the MPAA, it might be hard for them to prove it was one of us if we have a wide open hotspot that anyone could have connected to.

    In fact, I have read at least one article by a "security pro" advising people to enable Guest Network with no password for exactly this reason, to provide plausible deniability.

    Of course, I am trusting that there is no way to traverse from the open network to the closed one, and that may be a bad assumption.


    • Anonymous
      June 5, 2015 at 5:47 pm

      I would be extremely surprised if the open WiFi feature of your modem operates on the same IP address as your primary connection, so the plausible deniability value is probably moot. That said, leaving your guest portal open is more likely to protect you, although your router logs might give you away if you don't regularly prune them. If your logs are intact for the period of alleged copyright infringement, and only the MAC addresses of your own devices are listed, you are busted anyway. Of course, you could always wipe your logs when you get an ISP copyright warning notice.

      • Bruce Epper
        June 6, 2015 at 12:22 pm

        I have yet to see any routers that will use 2 IP addresses on the WAN port which is what you are suggesting here (open WiFi not using the same IP as your primary connection).

        • Anonymous
          June 7, 2015 at 2:49 pm

          I looked at the Optimum Online FAQ page and although it isn't clearly stated, the terminology does suggest they your ISP is using simple guest account functionality to implement it, which is definitely not secure and makes any guest activity look like it originated from you. If so, this is not the same thing as the true WiFi hotspot networks implemented by some major carriers. Comcast's Xfinity routers, for instance, definitely isolate hotspot connections from your primary IP address.

          From an arsTechica article on the topic...

          "A Comcast spokesperson told Ars today that this is false, that a customer's private network and the public hotspot 'have separate IP addresses.' A Comcast FAQ says the public hotspots are 'completely separate from your secure Wi-Fi home network.'"

          Here is the full article link...

        • Bruce Epper
          June 7, 2015 at 3:20 pm

          Your home network has its own set of non-internet routable IP addresses. The XFINITYWIFI "public" network (effectively a DMZ) has its own non-internet routable IP addresses for its network separate from your private home network. Both of these are connected to a single WAN port that connects to the web with a single IP address.

          I'll be in a Comcast-served monopoly area at the end of next month and will pull data to show this if you want.

          Or if you are in one of those areas you can try it yourself. Connect to your home WiFi network with a device, then find what your internet IP address is at Now, disconnect from that network and connect to the XFINITYWIFI network on your router. Go back to and look at the same IP address returned from this network as well.

          You still have the same internet-facing IP address regardless of which of your WiFi networks you are connecting to.

          With the exhaustion of IP4 addresses, there is no way Comcast can possibly put 2 IP addresses on every WAN port of the routers they have out there.

        • Anonymous
          June 7, 2015 at 5:04 pm

          I don't know where you are getting your information, but the Xfinity FAQ says you are wrong...

          "Your XFINITY Wireless Gateway broadcasts an additional “xfinitywifi” network signal for use with XFINITY WiFi. This creates AN EXTENSION OF THE XFINITY WIFI NETWORK right in your home that any XFINITY Internet subscriber can use to sign in and connect. This XFINITY WiFi service is COMPLETELY SEPARATE from your secure WiFi home network." (emphasis mine)

          Also, other tech-oriented sites confirm that Xfinity uses a separate IP address for public WiFi connections to you router. This technique has been used in Europe for several years now.

          "With the exhaustion of IP4 [sic] addresses, there is no way Comcast can possibly put 2 IP addresses on every WAN port of the routers they have out there."

          Why not? My cable ISP allows me two distinct public IP address from my modem, as do all the other ISPs in my area. Not only that, but the second address doesn't have to be a public-facing one. When you connect to your own WiFi network your router doesn't assign you a public IP, it gives you a local one and then uses NAT to make sure you get the packets intended for you. Xfinity could easily do the same. Note the important phrase from the FAQ quoted above...

          "an extension of the XFINITY WiFi network"

          It doesn't say it is a direct DMZ connection to the internet. When someone connects to the Xfinity hotspot they get a TEMPORARY IP address which would come from the same pool as the older style ISP hotspots that have been around for a while now. They don't have to reserve any more IP addresses for hotspots than they did the old way, they are just eliminating the expense of installing dedicated hardware all over their coverage areas.

          Also, I don't think you understand the nature of the IPv4 address scarcity problem. The challenge is that there are not enough address blocks left to give to new applicants (which may or may not be existing block holders). Companies like Comcast, however, already own huge blocks of addresses, not all of which are being used by their customers at any given time. As long as they have enough slack in their block allocations they could give each customer TEN IPv4 addresses if they wanted to. Since Comcast doesn't publish stats on how many free IP addresses they have available in the blocks they own (to my knowledge) nobody but they can say if they can afford to give each person connected to an Xfinity, or a traditional, hotspot, their own unique public IP address.

          Comcast, and other tech web sites say that Xfinity hotspot users get an IP separate from the home network. Using your experience with your own ISP, which I have already conceded probably DOES share your IP with hotspot users (based on their ambiguous FAQ language) is not evidence that this is the norm.

        • VanishingMediator
          August 14, 2016 at 10:10 am

          I'm confused as to who is arguing what. These days not many people believe that companies like Comcast or that major media outlets that get paid off by them tell the truth.

          The simple question is, if Comcast gets a copyright infringement notice from RIAA or whoever, does it actually mean that the user in question did the infringement. If RIAA only detects the WAN address of the router, and there is only one, doesn't that mean that RIAA cannot tell the difference between a public hotspot user and the person who owns the property the router is in?

          If so, and as Comcast claims, they really can tell the difference, does that mean they are using their inside knowledge of your network to tell the difference? In which case, they are actually spying on you.

          A further question is if the person logging into the public wifi can then hack the router and find out the password for the home network.

          Xfinity has been known to make all sorts of ridiculous claims and tell lies in the past. They will almost always try to steal your personal modem when you have your own and terminate your account. Most SP's put phony taxes on your bills, or ones they have negotiated with the government to benefit from (Bellsouth was notorious for this back in the day, some of their taxes where property taxes on their own HQ) They have all sorts of scams involving sending techs out to fix problems that are obviously caused by remote problems with BS about signal strength or modem problems. I'm fairly certain they used this to switch out many people's hardware.

  6. Anonymous
    June 5, 2015 at 5:26 pm

    True to that. I wasn't saying to negate the article, so I apologize if that is how it came across. MAC filtering, a super strong password, changed passwords, etc is still a lot easier then some of the steps and still provides for a stronger network. Anything that can be done to increase the strength is better then doing nothing at all.

    Changing your DNS could have issues with certain setups. I run satellite at home (only thing available and it is still 4x better then charter in town., and if I change the DNS in the router all internet traffic ceases. *Sigh*

    • Anonymous
      June 5, 2015 at 5:40 pm

      I assumed you were just adding to the article, not trying to negate it. I did the same thing about an hour before you did, but my post is still awaiting moderation since I included a link in it. I was commenting that the author missed a HUGE security hole by not warning against using WPS, which has been demonstrated to be seriously insecure. On some routers without updated firmware even DISABLING WPS is not enough to protect you against its weaknesses. In any case, one of the most basic and important security protocols for home routers is NEVER NEVER NEVER use WPS, and disable it completely if you can.

  7. Anonymous
    June 5, 2015 at 4:55 pm

    Forgetting the easiest single way to lock down your network from people logging on.
    MAC Based authentication.
    Get the addresses of all your devices that are approved to join, enter it, and turn on the authentication. No devices will be able to join regardless of password.

    • Anonymous
      June 5, 2015 at 5:06 pm

      Hey Zack, I used to do this, but stopped long ago since MAC whitelisting only provides a false sense of security. Any sniffer can detect the MAC address of any devices you use to connect to your network. After that it is a simple matter to spoof one or more of those MAC addresses and your router will happily let them through.

    • Tina Sieber
      June 6, 2015 at 1:57 pm

      I didn't forget about MAC filtering. This is what I wrote: "DISABLE Wireless MAC Filter. Briefly, MAC addresses are easy to spoof and thus MAC filtering isn’t worth the effort."

  8. Anonymous
    June 5, 2015 at 4:18 pm

    I can't believe you missed one of the most important and basic router security practices. DON'T USE WPS. In fact, not only don't use this proven insecure router feature, but completely disable it. Although some routers are still insecure because they have WPS EVEN IF YOU DISABLE IT, most with current firmware will be much more secure if you turn it off completely.

    • Tina Sieber
      June 6, 2015 at 2:39 pm

      Great point, Martin and I'm not sure either how I was able to miss that one. Just added a paragraph to address this vulnerability. Thanks for pointing it out!

      • Anonymous
        June 7, 2015 at 2:37 pm

        Just one comment about your added paragraph. The reason WPS is so easy to crack with brute force is that only the first four digits of the eight digit code need to be deciphered to break into the router. Instead of the roughly one million possible 8bit codes, an attacker only needs to try about 11,000 combinations.

        • BT
          October 22, 2018 at 1:57 am

          I've read online that disabling dhcp will help secure wifi networks as well. Is this true?

        • BT
          October 22, 2018 at 1:59 am

          I've read online that disabling DHCP on routers will secure networks as well n using static IP addresses. Is this true?