In a home network, everything goes through the router. As a result, when your home Wi-Fi router's security is compromised or neglected, many things can go wrong without you even being aware.
And that's often the case if you use yours, especially an ISP-provided gateway, at its default security settings.
But security is also a matter of degree. On the one hand, keeping tabs on everything that keeps your network safe is a must-do. On the other, it's as important to know when not to be concerned.
This post will explain all that -- it supplements the router primer write-up. Let's start with your router.
Home Wi-Fi router security: How to keep your network secure
Each network needs one, and no more than one, router.
Routers are not created equal and come in many different shapes and sizes. But they differ mostly in their firmware, which determines the router's settings and features.
Right off the bat, it's best to get a router from a reputable networking vendor that offers long-term support. After that, regarding security, there are two main types of home routers to consider:
- Vendor-dependent routers: Those that must always connect to the vendor to work.
- Vendor-agnostic routers: Those that can run independently without being connected to a third party.
Because of their technical depth or features, many, if not most, business routers need to connect to the vendor, or at least have the option to do so, to work at their full potential. But this post is mostly about home routers.
Generally, a vendor-dependent router offers limited access to its inner workings. The vendor manages all aspects of its settings, features, and security and allows users to access only a portion of that.
The answer is that it depends. One thing is certain: using this type of router means you trade your privacy for convenience. And if your account is hacked -- at the fault of the vendor or otherwise -- your network is compromised, and there's little you can do about it.
In most cases, these routers also don't have a web user interface, which limits users' access to their features and settings.
On the other hand, a router with a web user interface tends to give you more, if not complete, control over all aspects of your home network, including security.
Generally, these require a bit more work. For example, if you want remote management, you must properly set up Dynamic DNS and remote access.
In return, you can rest assured to a greater extent that no third party is prying on you. So this type of router is much better for your security and privacy.
But they're slowly becoming a rare commodity since more and more vendors want to exert control over their products after a sale.
In recent years, Netgear has removed the web-based remote management from its Orbi and Nighthawk routers -- citing security reasons -- to force users into using its mobile app, which requires a login account.
When logging into a router's or any local device's web interface, you'll likely run into a privacy/security error notice where the browser suggests the webpage is potentially unsafe, as shown in the screenshot below.
The reason is that the device's built-in web server has no way to prove its identity to the browser under the now-required HTTPS protocol. For that, among other things, its certificate needs to be signed by an external party.
It's safe to ignore this notice and proceed to the interface when you are connecting to your own device on your local network.
Different browsers have slightly different warnings and ways to bypass them, but they all require clicking a few extra times. Pay a bit of attention, and you'll find out.
Common security items for home Wi-Fi router security
No matter which type of router you use, there are items you can manage to improve your network security, including:
- The admin password.
- The Wi-Fi password.
- The Guest network.
- The firmware.
The admin password
The admin password allows for changing the settings of the router. A person with this password has complete control over the network.
Imagine your Wi-Fi network is your home, and the admin password is the key to your locker (like a safe), where you store important documents.
You might invite your guests to all the rooms in your home, but you'd never reveal your safe's combo to them.
Most routers have a known default admin password, and it would be best to change that password as soon as you start using a router. Even better, when possible, change the username to something other than "admin" or "administrator."
As a security practice, most routers' initial setup process includes a step for you to change this password. In any case, make this password hard to guess and, most importantly, different from the Wi-Fi password.
Some routers have a built-in CAPTCHA -- an acronym for completely automated public Turing test to tell computers and humans apart -- to ensure only a real person can log in. If yours supports this feature, turn it on.
The Wi-Fi password
A Wi-Fi network includes the network name (a.k.a. SSID), which you can see on the device -- it's not a secret. The part that is not seen and keeps the network secure is the password.
Back to the home analogy, the Wi-Fi password is like the key to the front door.
A person with access to the front door can enter your home and use different rooms. Whether or not they also gain access to all parts of your home, including your safe, depends on whether you have extra locks in other places.
This password allows a device to connect to your Wi-Fi network. Knowing the Wi-Fi password, among other things, a person can:
- Use your internet connection.
- See your network resources, such as a file server, a printer, or a media streamer. It doesn't necessarily mean they can access these resources, however. For example, if your server requires a separate login, they cannot view its content until they have that login.
- See your router's address, access its settings, and control your network if they know its admin password. For this reason, again, you need to ensure the admin password differs from the Wi-Fi password.
Think of that before giving your Wi-Fi password away. Generally, only give it to trusted individuals and, when possible, offer to enter the password on the device yourself instead of giving out the actual password.
Tips on Wi-Fi passwords
When it comes to passwords, what matters most is keeping them secret. Don't associate complexity with security.
The goal is to make your password hard to guess but easy to remember and use.
A Wi-Fi password that includes letters, numbers, UPPER case/lower case, and special characters can be a real pain, especially when you need to enter it into an IoT device, such as a printer or a media streamer -- even a modern one like the Fire TV.
Generally, it's best to use a digit-only password. Here's a way to make a password effective and easy to remember:
Pick a long sentence and use each word's letter count to form the password.
If you use that previous sentence, the password would be 414833545652438 -- pick your own!
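The sentence-to-digits method above, written out as an added example that is not part of the original post. It also checks the result against the 8 to 63 character limit of a WPA2-Personal passphrase and reports a best-case strength figure; the function names and sample sentences are constructed for illustration.

```python
import math

WPA2_MIN, WPA2_MAX = 8, 63  # WPA2-Personal passphrase length limits (characters)


def letter_count_password(sentence: str) -> str:
    """Join the letter count of each word; punctuation and digits are ignored."""
    counts = []
    for word in sentence.split():
        letters = sum(ch.isalpha() for ch in word)
        if letters:                      # skip tokens with no letters, e.g. "--"
            counts.append(str(letters))  # a 10+ letter word contributes two digits
    return "".join(counts)


def max_strength_bits(password: str) -> float:
    """Upper bound for a digit-only password: each digit worth log2(10) bits.

    Word lengths are not uniformly distributed, so a sentence-derived
    password is weaker than this bound; treat it as a ceiling.
    """
    if not password.isdigit():
        raise ValueError("expected a digit-only password")
    return len(password) * math.log2(10)


def review(sentence: str) -> dict:
    """Derive the password and report whether it is usable as a Wi-Fi passphrase."""
    pw = letter_count_password(sentence)
    return {
        "password": pw,
        "length": len(pw),
        "fits_wpa2": WPA2_MIN <= len(pw) <= WPA2_MAX,
        "max_bits": round(max_strength_bits(pw), 1) if pw else 0.0,
    }


if __name__ == "__main__":
    # Constructed sample sentences, not taken from the post.
    for s in ("My router sits behind the old bookshelf in the hallway upstairs",
              "Too short"):
        print(review(s))
```

A sentence that is too short fails the length check, which is why the post asks for a long one.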
If you want to offer somebody access to the Internet and nothing else, a Guest Wi-Fi network comes into play.
The Guest Wi-Fi network
There's a way to share your Internet connection without potentially compromising your entire system. It's called a Guest Wi-Fi network, a fancy name for a virtual network isolated from your main one.
By default, the Guest network allows access to the Internet but not your local resources. That's the gist of it. If you want to know more, I detailed this type of Wi-Fi access in this piece about Guest networks.
The Guest Wi-Fi network is similar to limiting your guests to only certain parts of your home, such as the living room or the guest house.
Most routers include the Wi-Fi Guest network feature; you can turn it on via its web interface or mobile app.
A few things about setting up a Guest network:
- Make its password different from the primary Wi-Fi network and the admin password.
- Keep the default setting that makes the guest network isolated. This setting is usually labeled "Access Intranet" (set to disabled) or "AP isolation" (enabled).
- You don't need to name your guest network with the word "guest" in it. Nobody needs to know it's a guest network.
A Guest network also comes in handy when you want to isolate specific devices from the rest of the main network, including those of your own.
Firmware is the operating system of a router. It decides how well a router works and how secure it is.
Networking vendors often release new firmware versions to improve the router's performance and security.
It's a good idea to check for new firmware and update your router at least a few times a year, especially when there's a security bulletin about your router or the networking vendor.
While it's best to use a router with its latest firmware, turning on the auto firmware update feature is generally not a good idea. Sometimes new firmware can cause issues.
Signs that show your router has been hacked
When targeting a router, hackers generally don't intend to destroy it. Instead, they want to manipulate it to steal your information -- such as usernames and passwords for a website or service you use.
That said, if your router has been compromised, chances are it still works as normal. But some things won't work right. Here are the telltale signs that your router has been hacked:
- Your browser (Chrome, Firefox, Safari, etc.) often goes to unwanted websites, sometimes without you doing anything.
- You get unrelated, irrelevant, or spam results when doing an online search. Sometimes, it seems a different search engine than the one you pick (Google, Bing, etc.) is being used.
- When accessing your router's web interface or mobile app, the admin password you created no longer works.
- The router's DNS settings are different from "Auto" or what you have entered.
- There are settings you didn't create, like a new Wi-Fi network or port-forwarding entries.
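Several of these signs are easier to spot against a written record than from memory. The following added example, which is not part of the original post, compares the settings you noted after setup with what the admin page shows today; the field names and every sample value are constructed and do not follow any vendor's export format.

```python
# Constructed record of the settings as you configured them.
BASELINE = {
    "admin_login_ok": True,
    "dns": ["Auto"],
    "wifi_networks": ["HomeNet", "HomeNet-Visitors"],
    "port_forwards": [("tcp", 32400, "192.168.1.20", 32400)],
}

# Constructed reading of the same settings taken later.
CURRENT = {
    "admin_login_ok": True,
    "dns": ["203.0.113.53", "203.0.113.54"],  # documentation-range addresses
    "wifi_networks": ["HomeNet", "HomeNet-Visitors", "HomeNet_EXT"],
    "port_forwards": [("tcp", 32400, "192.168.1.20", 32400),
                      ("tcp", 5000, "192.168.1.77", 5000)],
}


def audit(baseline: dict, current: dict) -> list:
    """Return one finding per sign from the list above that the reading shows."""
    findings = []
    if not current.get("admin_login_ok", True):
        findings.append("admin: the password you created no longer works")

    base_dns, cur_dns = set(baseline["dns"]), set(current["dns"])
    if cur_dns != base_dns:
        findings.append(f"dns: {sorted(cur_dns)} differs from recorded {sorted(base_dns)}")

    new_ssids = set(current["wifi_networks"]) - set(baseline["wifi_networks"])
    for ssid in sorted(new_ssids):
        findings.append(f"wifi: network {ssid!r} is not in your record")

    new_rules = set(current["port_forwards"]) - set(baseline["port_forwards"])
    for proto, ext_port, host, int_port in sorted(new_rules):
        findings.append(
            f"port-forward: {proto}/{ext_port} -> {host}:{int_port} is not in your record")
    return findings


if __name__ == "__main__":
    for line in audit(BASELINE, CURRENT):
        print(line)
```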
How to rectify a compromised router
If your router has been hacked, the best and possibly the only way to fully repair it is a hard reset -- follow the link for the steps. (Consequently, you won't know what the hackers have done to the router's settings.)
After that, update its firmware to the latest and set up your network from scratch, in that order. Check off all the items above to keep your router secure while you're at it.
To summarize, to keep tabs on your home Wi-Fi router security, you first need a router that allows you to do so to a great degree. That usually means getting one without a required login account with the vendor.
After that, change the admin password and, when possible, even the login username. Ensure the admin password differs from the Wi-Fi password and keep both secure.
And finally, when applicable, enable remote management only if you know how to use it safely. And keep your router patched with the latest firmware.
Security is nuanced. By default, every device connected to the Internet is vulnerable to a degree, much like you're at risk of dying as long as you live. The only way for a device to be absolutely secure is for it to be turned off or to cease to exist.
As long as you follow the best practices mentioned here, you can consider your router, and hence your home network, safe to the reasonable degree applicable to most homes.
Dong's note: I originally published this post on April 17, 2018, and last updated it on August 18, 2023, to add up-to-date, relevant information.