π₯
When your home Wi-Fi router security is compromised, among other things, your personal information is at risk. That happens quite often, and if it’s happening to you, you might not be aware of it.
So, it helps to know what keeps your network safe. But it’s also as important to know when to be concerned and when not.
This post will explain all that. Let’s start with how to be safe.
Dong’s note: I originally published this post on April 17, 2018, and last updated it on January 26, 2022, to add up-to-date, relevant information.
Table of Contents
Home Wi-Fi router security: How to keep your network secure
First of all, and quite obviously, it’s the router itself.
You want to get a router from a reputable networking vendor — a company that offers long-term support, such as new firmware updates, for their old equipment.
The type of router management is important, too.
Router (remote) management and security: Vendor assistant vs web-based
Here’s a common question: do routers fully tied to the vendor — such as the eero, Google Wi-Fi/Nest, Ubiquiti Amplifi, TP-Link Deco, etc. — have better security?
These are Wi-Fi machines that must connect to the vendor at all times to work.
Vendor-connected router and security: You’re at the mercy of a third party
I wrote a long post on web interface vs a mobile app in router management. If you read the post, you’ll note that I’m no fan of vendor-dependent routers.
But the gist is that a vendor-connected router doesn’t necessarily give you better security.
Sure they give you a convenient way to control your home network, even when you’re out and about via vendor-assisted remote management. Run an app on your phone, and you can see stuff going on, so on and so forth.
But what if somebody gets a hold of your account or the vendor itself is hacked? That has happened, putting lots of users’ privacy at risk at the same time.
Leaving the security to the vendor gives you the option of having to do nothing on this front, which is nice. In return, though, it can also mean there’s nothing you can do to keep your home network’s admin access safe. You’re at the mercy of the vendor.
That’s not to mention, in the event of hacking, you only know your network is in danger if the vendor chooses to inform you. All the while, the vendor itself might be the party that collects your home network’s information.
So this type of router is a double-edged sword — it’s convenient and easy but can turn the users — you — into a product.
Independently-managed home Wi-Fi router and security: You’re in control
On the other hand, a router with a web user interface tends to give you complete control over all aspects of your home network, including security.
Examples of these routers are those from Asus, the Archer product line of TP-link, or the Nighthawk of Netgear.
Generally, these require a bit more work. For example, if you want remote management, you’d have to properly set up Dynamic DNS and remote access.
In return, you can also rest assured that there’s no third-party prying on you at all times.
Most modern vendor-independent routers come with the remote web-based management feature turned off by default for security reasons.
When turning it on, make sure you pick a different port from the default to keep your connection more secure. Details on this front are available in this post on Dynamic DNS.
So this type of router is much better for your security and privacy.
But they’re slowly becoming more of a rare commodity since more and more vendors want to exert control over their products after a sale.
Netgear has recently removed the web-based remote management from its Orbi and Nighthawk routers — citing security reasons — to force users into using its mobile app, which requires a login account.
Common security items for home Wi-Fi router security
With the question of which router to get out of the way, let’s move on to the more traditional items that keep your router secure.
These are not meant to be all security-related items in a router but the ones that you should pay attention to and can take care of on your own. So do that right away!
They are the admin password, the Wi-Fi password, the Guest network, and the firmware.
By the way, for a network that includes Powerline adapters, check out this post on how to handle them.
The admin password
The admin password allows for changing the settings of the router. A person with this password has complete control over the network.
Imagine if your Wi-Fi network is your home, then the admin password is the key to your locker (like a safe), in which you store important documents.
You might invite your guests to all the rooms in your home, but you’d never reveal your safe’s combo to them. Losing the content of the safe can incur grave consequences.
Most routers have a known default admin password — like most safes come with a default combination.
That said, you need to change that password as soon as you start using a router. Even better, when possible, turn username into something else other than “admin” or “administrator.”
As a security practice, most routers’ initial setup processes include a step for you to change this password. In any case, make sure this password is hard to guess and, most importantly, different from the Wi-Fi password.
By the way, some routers have a built-in CAPTCHA — that’s an acronym for completely automated public Turing test to tell computers and humans apart — to make sure only a real person can log in. If yours support this feature, make sure you turn it on.
The Wi-Fi password
A Wi-Fi network including the network name (a.k.a SSID), which you can see on the device — it’s not a secret. The part that is not seen and keeps the network secure is the password.
Back to the home analogy, the Wi-Fi password is like the key to the front door.
A person, like a guest, with access to the front door, can, for sure, get inside your home and use different rooms. Whether or not they also gain access to all parts of your home, including your locker, depends on if you have extra locks in different places or not.
Segmenting guest access is like having a Guest Wi-Fi network.
This password allows a device to connect to your Wi-Fi network. Knowing the Wi-Fi password, among other things, a person can:
- Use your internet connection.
- See your network resources, such as a file server, a printer, or a media streamer. It doesn’t necessarily mean they can access these resources, however. For example, if your server requires a separate login, they cannot view its content until they have that login, too.
- See your router’s address and also access its settings and control your network if they know the router’s admin password. For this reason, again, you need to make sure the admin password is different from the Wi-Fi password.
Think of that before giving your Wi-Fi password away. Generally, only give it to trusted individuals and, when possible, offer to enter the password on the device yourself instead of giving out the actual password.
Tips on Wi-Fi passwords
When it comes to passwords, it’s always about keeping it a secret that matters. Don’t associate complexity with security.
The goal is to make your password hard to guess but easy for you to remember and use. Your password shouldn’t be so complex that you’d have difficulty using it.
A Wi-Fi password that includes letters, numbers, and special characters, can be a pain, especially when you need to enter it into an IoT device. Consider a digit-only password.
Here’s one of many ways to make a digit-only password random and easy to remember:
Pick a long sentence and use each word’s letter count to form the password.
That’d be 414833545652438 if you pick the previous sentence — use your own!
If you want to offer somebody access to the Internet and nothing else, a Guest Wi-Fi network comes into play.
The Guest Wi-Fi network
There’s a way to share your Internet connection without potentially compromising your entire system. It’s called a Guest Wi-Fi network, a fancy name for a virtual Wi-Fi network that’s isolated from your main one.
By default, the Guest network allows access to the Internet but not your local resources. That’s the gist of it. If you want to know more, I detailed this type of Wi-Fi access in this piece about Guest networks.
Most routers include the Wi-Fi Guest network feature; you can turn it on via its web interface or mobile app.
A few things about setting up a Guest network:
- Make sure its password is different from that of the primary Wi-Fi network and the admin password.
- Keep the default setting that makes the guest network isolated. This setting generally tends to be “Access Intranet” (needs to be disabled) or “AP isolation” (needs to be enabled).
- You don’t need to name your guest network with the word “guest” in it. Nobody needs to know it’s a guest network.
A Guest network also comes in handy when you want to isolate specific devices from the rest of the main network, including those of your own.
The firmware
Firmware is the operating system of a router. It decides how well a router works and how secure it is.
Networking vendors often release new firmware versions to improve the router’s performance and security.
It’s a good idea to check for new firmware and update your router at least a few times a year, especially when there’s a security bulletin about your router or the networking vendor.
Router hacked signs
When your router has been compromised, generally, it still works fine.
Hackers want to steal information, so they don’t want to cause any interruptions. They even go out of their way to ensure your router works well, just with different settings.
That said, it’s a good idea to check to make sure you’re safe. Here are the telltale signs that your router has been hacked:
- Your browser (Chrome, Firefox, Safari, etc.) often goes to unwanted websites, sometimes without you doing anything.
- When doing an online search, you get unrelated, irrelevant, or spam results. In some cases, it seems a different search engine than the one you pick (Google, Bing, etc.) is being used.
- When accessing your router’s web interface or mobile app, the admin password that you have created no longer works.
- The router’s DNS settings are different from “Auto” or what you have entered.
- There are settings that you didn’t create, like a new Wi-Fi network or port-forwarding entries.
Of course, there are also instances where the bad guys want to mess with you, and in this case, nothing works, including your Wi-Fi password.
How to rectify a compromised router
If your router has been hacked, the best and possibly the only way to fully repair it is a hard reset — follow the link for the steps. (Consequently, you won’t be able to find out what’s been done to the router’s setting by the hackers.)
After that, make sure you update its firmware to the latest and set up your network from scratch, in that order. When you’re at it, make sure you check off all the items above to keep your router secure.
The takeaway
To sum up, to keep a tab on your home Wi-Fi router security, you first need a router that allows you to do so. Most of the time, that’s one without a login account with the vendor.
After that, change the admin password and, when possible, even the login username. Ensure the admin password is different from the Wi-Fi password and keep them both secure.
Finally, when applicable, enable remote management only if you know how to use it safely. And keep your router patched with the latest firmware.
Most importantly, take security with nuance. By default, every device connected to the Internet is vulnerable — it’s just like your home is always at risk of being invaded — it’s a matter of degree.
That said, as long as you follow the best practices mentioned here, you can consider your router, and hence your home network, safe to the extent that it should make you comfortable. Like all things in life, it’s never absolutely secure.
Hi Dong,
I noticed that DoS protection is not enabled on my Asus router (XD4) by default. Does this pose a security threat? Should I enable it?
Thanks
Not really, Jerry, and yes, that doesn’t hurt other than using a bit of the router’s processing power.
Generally, DoS attacks apply primarily to a business or a website that can’t shut down. You can restart a home router, which will stop the attacks since your WAN IP will likely change without affecting anything.
Hi Dong
I noticed that you did not mention WPS, UPNP, and Ping. Also no mention of DNS over TLS. While the last one is more of a privacy protocol, the former mentioned have always been an issue with router security. Has something changed to make them more secure?
Regards
Cranky
Most of what you mentioned have been hyped up in terms of security concerns, Cranky. In reality, I don’t think they have caused significant threats, if at all. They are just tools for “security experts” to brag about their “knowledge” or make money from views and clicks. Most new routers have those disabled by default anyway.
Just an FYI -Today’s email has a bad link to this article.
Thanks, Deirdre. I fixed it.
Hey Dong, I recently tried logging into my Netgear Admin page and couldnβt. The information was correct but, i still couldnβt login, so i followed your advice .
A couple of questions if you have the time.
1- If the router had been hacked, how do I check the settings to see if they werenβt changed? i.e., DNS; Port Forwarding.
2- I noticed that the initial Netgear page 192.168.1
was sending the password βUnencrypted β why would Netgear allow this?
Once reset, the router is reverted back to default settings, David. That means all customized settings, including fraudulent ones, are gone. As for the message, that’s normal. More in this post.
Great article as always Dong. Quick question.
I donβt want to put you on the spot by recommending the best router, so, i will ask this, which one do you use?
In the article you mentioned, βKeep tabs on wifi router, if allowed to do soβ- Which wifi routers allows its owners to do this?
Good question, David. After reading your comment, I decided to edit the post a bit to make things more clear. Give it another read.
Good morning Dong, I would like your thoughts on an issue I am having with my Netgear AC 4300 6 Stream router.
When I enter the routerβs interface utilizing the 198.168 format, I am unable to get into the ADVANCED section of the routers interface to make adjustments to the security settings of the router.
The tab is there in the UPPER LEFT CORNER, but nothing occurs.
Your thoughts?
Use a different browser, David.
I’d love to see a post about best Routers for dealing with guest access and security. My 2500 square foot home with an attached AirBnB has a linksys with a guest option, which I thought was going to be great, but the guest option has zero security. Not cool; back on the market, but I have to say this is seldom something reviews mention much about…I have to dig to get a sense of how they handle guests, whether the guest account is only broadcast from the main router in a multi router system, what it’s security is, whether a different LAN is available for it, etc. Perhaps my case is too specific but it’s been a real headache to try to overlay reviews with getting that info.
Check out this post, Kayle. Part of it applies to your case. There’s no such router, by the way, since there’s no such thing as a “guest network”. It’s just a marketing term.
Great read. I’ll tell you a quick story that other first time readers may relate to. I decided to purchase my own Wi-Fi router and return the ISP’s rented one. I bought a Netgear R6300v2. The wife asked If I was setting it up right. I gave her that look, like really! How hard can it be? Within minutes I had downloaded the app and my network name and password was set. See, easy.
A few nights later I turned the router off to annoy the kids (fun to do, even to this day). A few moments later I found them back on their devices stealing the neighbors internet that had an open guest network. A little cheeky, but I was quietly amused by their ingenuity. The next time I saw them I told them what the girls were doing. He laughed and locked it down later that day. I told the wife “I have a password on our guest setup”. That was five years ago.
You know what’s been bothering me, Dong? So, over the years we’ve been adding devices (I think we’re up to 25 now) and every time we always see the same guy at the top of the list of available networks. Sometimes I’d get a little perturbed, I want to be number one, It’s my house. We always thought their Wi-Fi Kung fu was strong. Whoever they were had good taste in routers though. Theirs was a Netgear too. It told everyone who looked what it was. Okay, nice piece of kit I thought, but the owners aren’t very imaginative though. All the others have been given nice names. (I know Dong, you already know where this going).
Years went by. And with the kids now doing distance learning I started thinking of up grading our network. So I began researching all the new stuff – AX, Mesh, all with fancy new acronyms. Wait.. These things are still dual band. I thought I remember seeing dual band on this one when I got it. Anyway, started reading your reviews and finally here. Doh.
So my 5GHz band has never been used. Protected by a default passphrase that comes in every box. And I don’t want to talk about my router login through the web browser, I feel stupid enough. The good news is I found you.
So yesterday I followed your instructions. And sheepishly told the wife. The best way I could explain it was. We didn’t leave the front door wide open. But the key was under the mat.
I really don’t remember seeing a smart setup when I first installed it. And even if I did I would have bypassed it wanting to do it myself.
Dong, as you go about your day today and if you get the chance to read this. I’d like you to know in some small way you have made a difference in someones life. And I’d like to say, thank you.
Thanks for sharing, Scott. Glad you figured it out. π
Hey Dong Ngo, I watched you a lot when you were on CNET. You and Brian Tong were my favorites. I just stumbled upon your site while I was researching networking equipment. I no longer watch CNET and am happy I found you again. Keep up the good work. Thank you for you passion!
Thanks for your support, Ike. BTW, BT has also gone indie and had his own YouTube channel. Check it out https://youtu.be/7J9CbU-BjqA !