Default router settings put your network at risk. Not only could strangers in your vicinity use your Wi-Fi without your permission, their freeloading could subsequently reduce your bandwidth, and exhaust your data allowance.
More worryingly, their actions could even get you in trouble if they use your network for illegal activities, whether downloading copyrighted material or hacking into your devices. Default settings could also invite wannabe hackers to log into your network’s admin panel and hijack your settings.
We have summarized the standard router settings that can prevent leeching and unauthorized access to your network.
Basic Router Security Settings
The following are the bare minimum security-related settings. They’re easy to set up. Connect your computer to your router using a LAN cable and log in using the router IP address and – unless you already changed them – the manufacturer-provided administrator username and password.
If your router interface doesn’t immediately reveal the settings listed below or doesn’t look like the example screenshots, I recommend consulting your router’s manual; you can probably find it online. Many manufacturers, including Linksys and Netgear, also offer detailed support pages.
Change Default Administrator Credentials
The default username and password you use to log into your router are often the same for thousands of other devices, and they can be looked up online. So log into your router and change both.
Since you use a browser to log into your router, you can store the new login credentials in a password manager like LastPass. If only you or family members have physical access to your router, there is no harm in putting a sticker with the username and password onto your router.
Sample settings for a Linksys router:
Set a Wireless Password or Passphrase
While you’re logged into your router, make sure you have set a password for your Wi-Fi. As mentioned above, an open Wi-Fi network can have all sorts of negative consequences. However, a password that’s easy to crack is almost as bad as no password at all. To be safe, always use WPA2 encryption, because anything else is too easy to bypass.
Turn Off WPS
Wi-Fi Protected Setup (WPS) is a wireless standard that makes it very easy to set up an encrypted wireless connection. To give a device access to your wireless network, you either press a button on both the router and your device or you enter the 4 to 8 digit number printed on a sticker on your router.
The problem is, this feature is turned on by default and since there are no limits to how many times you can enter a wrong code, WPS is crackable by brute force. With the right tools, which can be found online, it only takes minutes or hours to compromise your wireless network. Once the WPS code is cracked, your Wi-Fi key is revealed, too.
To be safe from this vulnerability, you have to manually turn it off. Find the respective setting in your router admin panel and disable it.
Unfortunately, turning off WPS might not actually do anything. Many manufacturers either don’t offer an option to turn it off, or WPS continues to work despite having been disabled.
Change Default SSID Name
The SSID is the name of your wireless network. Your devices use the SSID to recognize previously used networks and will try to hook up to any matching network that they have stored login data for. With a default SSID, you’re potentially setting your devices up to connect to a lot of strange networks by default.
Moreover, if the default SSID reveals your router, hackers might be able to identify the model, leading them to uncover router-based vulnerabilities in your network.
Don’t be tempted to hide your SSID! Contrary to common recommendations, hiding your SSID is a bad idea because devices trying to connect to your network will essentially try to match with any AP (access point) out there. Now a malicious network could impersonate your network and obtain access to your device. Instead of cloaking your SSID, make sure you follow our recommendation and give it a unique name.
Change Default Router IP
Above we told you to change your default login credentials. That’s a simple and effective way to prevent unsolicited access to your router. To make it even harder for hackers to find your router’s admin panel, change the router’s default internal IP address (the default gateway). If you’re using LastPass to store your login data, update the IP there, too.
Disable Remote Administration or Management
When remote access is enabled, anyone on the Internet can access your router and change its settings. To prevent unsolicited remote access, you need to disable this feature.
Note that this still allows anyone close enough to catch your Wi-Fi to access the admin panel, provided they know the login credentials. If your router offers this option, set it to permit access to the admin panel only with a wired connection to the router. This is a rare feature and you might have to upgrade or change your router firmware to get it.
Advanced Router Security Settings
Those of you confident enough to dive a little deeper into securing your routers might want to consider the following settings. They’re also recommended if your router is located in a high risk environment, e.g. in an apartment building or close to a public space.
Generally, firmware is a kind of software coded onto hardware to help it execute operations and communicate with peripherals. Whenever a router vulnerability is revealed, manufacturers typically release new firmware to close the security hole. That’s why it’s recommended to periodically check and update your router firmware. Most standard routers come with an in-built router update option, typically found under router administration.
Note that updating your firmware could restore default settings, meaning you’d have to re-apply any changes you previously made. If possible, make a backup of your custom settings prior to updating firmware.
Switch to 5GHz Band
The standard band is 2.4GHz, which travels further. By using the 5GHz band, you reduce the reach of your Wi-Fi network and thus the chance of a bad guy picking it up and trying to break in. It also decreases interference, improves speed, and increases stability of your network.
Unfortunately, not all devices support the 5 GHz band. One solution here, if you wanted to be meticulous, would be to either connect these devices using an Ethernet cable or upgrade your router to 802.11ac and create a dual network setup. You’d have one network for each band and could move most of your traffic over to the 5 GHz band. Of course that would not actually increase your security because now you’d offer two points to attack your network.
Disable PING, Telnet, SSH, UPnP, and HNAP
Find the respective settings in your router interface and disable them. Rather than closing these ports, use the stealth settings (if available) which will result in attempts to access your network from outside being met with silence, thus hiding the port. An efficient way to hide your router is to prevent it from responding to PING commands.
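To confirm the result after changing these settings, the following added example (not part of the original article) probes your own router's TCP ports and separates a closed port, which still answers with a refusal, from a stealthed one, which stays silent. The port list, the function names and the 192.0.2.1 placeholder address are assumptions; run it from outside your network against your own router's WAN address.

```python
import socket

# TCP ports for the services this section says to disable. HNAP rides on the
# HTTP admin port; UPnP discovery is UDP/1900 and PING is ICMP, so neither is
# covered by this TCP-only check.
SERVICES = {"ssh": 22, "telnet": 23, "http-admin/hnap": 80, "https-admin": 443}


def probe(host, port, timeout=2.0, connect=socket.create_connection):
    """Classify one TCP port as 'open', 'closed', 'stealth' or 'unreachable'."""
    try:
        connect((host, port), timeout=timeout).close()
        return "open"          # service answered: still exposed
    except ConnectionRefusedError:
        return "closed"        # router sent a refusal: port shut but visible
    except (socket.timeout, TimeoutError):
        return "stealth"       # no reply at all: what the stealth setting aims for
    except OSError:
        return "unreachable"   # routing or other network error: inconclusive


def audit(host, services=SERVICES, probe_fn=probe):
    """Probe every listed service and return {name: state}."""
    return {name: probe_fn(host, port) for name, port in services.items()}


def exposed(results):
    """Names of services that still accept connections and need disabling."""
    return sorted(name for name, state in results.items() if state == "open")


if __name__ == "__main__":
    # 192.0.2.1 is a documentation placeholder (assumption); substitute your
    # router's own WAN address and run from a connection outside your network.
    report = audit("192.0.2.1")
    for name, state in report.items():
        print(f"{name:16} {state}")
    print("still exposed:", ", ".join(exposed(report)) or "none")
```

A state of "closed" means the service is off but the router still reveals itself by answering; "stealth" is the silent behaviour the section recommends.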
Enable Router Firewall
If your router has its own firewall, enable it. You shouldn’t rely ONLY on your router firewall, but consider it an extra layer of protection.
Disable Wireless MAC Filter
Briefly, MAC addresses are easy to spoof and thus MAC filtering isn’t worth the effort.
Pro Router Security Settings
Finally, here are the settings for those of you who want to take every last step to secure their network.
Install Alternative Firmware
Third-party router firmware not only adds features, but is also more secure than the latest firmware provided by the manufacturer of your router. Alternative firmwares are less commonly affected by vulnerabilities. Popular open source firmwares include the Linux-based DD-WRT and Tomato.
Before you install new firmware, make sure you find one that is compatible with your router, then review the step-by-step instructions for installing it.
Change Default DNS (Domain Name Server)
Be Careful With Wi-Fi Network for Guests
Again, the recommendations here are contradictory. Some say it’s better to disable guest networks because they come with no login security and default passwords can be found online. If you can, however, create a custom login and make the guest network expire after a given time, then it’s a great option to provide guests with temporary access to your network, while keeping any shared folders or devices in your network private.
Is Your Router Safe?
How many of these router security settings had you made use of already and which ones didn’t you know about before?