
WiFi Router Security Checklist: 10 Settings to Change Right Now
Your router is the single gateway between every device in your home and the entire internet. A laptop, a phone, a smart TV, a security camera: they all trust it completely. Yet most routers sit for years running the same insecure factory defaults they shipped with, and most users never open the admin panel after setup.
This checklist covers the 10 settings that matter most. Each one takes under 15 minutes to change, and together they eliminate the most commonly exploited home network vulnerabilities.
How to Access Your Router Admin Panel
Before starting, you need to log into your router's configuration interface:
- Open a browser and navigate to your router's IP address, usually 192.168.1.1 or 192.168.0.1
- If those don't work, find the correct address:
  - Windows: run ipconfig in Command Prompt and look for "Default Gateway"
  - macOS: System Settings → Network → [connection] → Details → TCP/IP → "Router"
- Log in with the admin credentials printed on the label attached to your router
- If the label credentials don't work, try admin/admin or admin/password, which are common factory defaults
If you can log in with admin/admin, that's already a serious problem. Fix 1 below is your most urgent priority.
The 10-Step Security Checklist
1. Change the Default Admin Password
Risk: Critical
Default admin credentials are published in public databases indexed by Google. Anyone who can reach your router's admin panel (whether on your network or, if remote access is enabled, from the internet) can log in within seconds using a lookup table.
- Use a unique password of at least 16 characters combining uppercase, lowercase, numbers, and symbols
- Store it in a password manager (1Password, Bitwarden, etc.); you rarely need it
- Change the admin username too if your router allows it (many do)
After changing this, log out and log back in to confirm the new credentials work before closing the tab.
2. Update Your Router's Firmware
Risk: Critical
Router firmware vulnerabilities are actively targeted by automated botnets. The Mirai botnet, which took down major internet infrastructure in 2016, spread by exploiting default credentials and unpatched firmware on home routers. Similar campaigns run constantly.
- In your admin panel, find Administration → Firmware Update (location varies by manufacturer)
- Check for available updates and install any found
- Enable automatic updates if the option exists
- Mark a reminder to check manually every 3 months for routers without auto-update
Many router manufacturers stop releasing firmware updates for older models. If your router is more than 5–6 years old and no longer receives updates, replacing it is a legitimate security consideration.
3. Use WPA3 or WPA2-AES Encryption
Risk: High
The encryption protocol your WiFi uses determines how easy it is for a nearby attacker to intercept or crack your network traffic.
| Protocol | Status | Vulnerability |
|---|---|---|
| WEP | Broken, never use | Crackable in minutes with basic tools |
| WPA/TKIP | Deprecated | Multiple practical attacks known |
| WPA2-TKIP | Weak | TKIP-specific vulnerabilities |
| WPA2-AES/CCMP | Acceptable | KRACK attack (patched on modern devices) |
| WPA3-Personal | Recommended | Current strongest standard |
| WPA2/WPA3 Transition | Good for compatibility | Slightly weaker than WPA3-only |
Enable WPA3 if your router supports it. If not, use WPA2 with AES (also shown as CCMP), never TKIP. For a detailed explanation of what changed with WPA3 and why it matters, see our WiFi Security and WPA3 guide.
Find the setting under: Wireless → Security → Encryption or similar.
4. Disable WPS
Risk: High
WiFi Protected Setup (WPS) was designed to make it easy to connect devices by pressing a button or entering an 8-digit PIN. The PIN method has a fundamental design flaw: the PIN is validated in two halves, meaning an attacker only needs to brute-force 11,000 combinations instead of 100,000,000. Tools like Reaver can crack WPS PINs in hours.
Even if you disable PIN-based WPS, many routers have a "push button" WPS mode that remains vulnerable to attacks triggered during the 2-minute enrollment window.
Disable WPS entirely. The convenience of not typing a password once does not justify the attack surface it creates.
Find it under: Wireless → WPS or Advanced → WPS. Set to Disabled.
5. Change Your WiFi Network Name (SSID)
Risk: Medium
Default SSIDs like NETGEAR47, TP-Link_9823, or XFINITY-1A2B reveal your router manufacturer and sometimes your ISP. Attackers can use this to identify your exact router model and target known vulnerabilities for that specific hardware.
- Choose a name that doesn't identify you (avoid your address, name, or apartment number)
- Don't use something provocative that invites curious neighbors
- Create separate SSIDs for your main devices and IoT devices (see Fix 7)
Changing the SSID has no effect on encryption strength, but it removes a useful reconnaissance data point.
6. Disable Remote Management
Risk: High
Remote management allows access to your router's admin panel from outside your home network, which is useful for IT professionals managing client routers but a significant attack surface for everyone else.
How to find it: Look for Remote Management, WAN Access, or Remote Administration in your admin panel's advanced settings.
Set it to Disabled unless you have a specific reason to need it. If you do need remote access to your home network, the correct approach is setting up a VPN rather than exposing the router admin panel directly to the internet.
7. Create a Separate Guest Network for IoT Devices
Risk: Medium-High
Smart TVs, thermostats, doorbells, security cameras, and other IoT devices are notoriously insecure. Many run outdated embedded Linux with years of unpatched vulnerabilities. Manufacturers frequently stop providing updates after 2–3 years. If one of these devices gets compromised, you want it isolated from your laptops and phones.
Create a guest network and move all IoT devices to it:
- Enable Guest Network in your router settings
- Give it a different SSID and strong password
- Enable AP Isolation or Client Isolation: this prevents devices on the guest network from communicating with each other or with devices on the main network
- Connect all smart home devices, streaming sticks, and cameras to this isolated network
| Device Type | Network |
|---|---|
| Laptops, phones, tablets | Main network |
| Smart TVs, streaming sticks | Guest/IoT network |
| Smart bulbs, thermostats, plugs | Guest/IoT network |
| Security cameras, video doorbells | Guest/IoT network (or dedicated VLAN) |
| Visitors' devices | Guest network |
This doesn't prevent a compromised IoT device from phoning home to an attacker-controlled server (it still has internet access), but it prevents lateral movement: an attacker who compromises your smart TV cannot directly reach your laptop.
8. Enable the Router Firewall
Risk: High
Most consumer routers include a built-in SPI (Stateful Packet Inspection) firewall that filters incoming traffic. Some ship with it disabled or in a partial configuration.
Find it under: Security → Firewall or Advanced → Firewall
Enable:
- SPI Firewall: inspects packets for signs of attack patterns
- DoS Protection: rate-limits connection attempts to prevent denial of service
- Block WAN Requests / Stealth Mode: prevents external scanners from seeing your router is present (your IP doesn't respond to pings from the internet)
These settings won't stop sophisticated targeted attacks, but they significantly reduce automated scanning and opportunistic intrusion attempts.
9. Configure Secure DNS on the Router
Risk: Medium
By default, your router uses your ISP's DNS servers, which may be slow, unreliable, or subject to government-mandated content filtering. More importantly, unencrypted DNS queries expose every domain your household visits to your ISP and any network observer.
Configure your router to use a privacy-respecting DNS provider:
| Provider | Primary | Secondary | Privacy |
|---|---|---|---|
| Cloudflare | 1.1.1.1 | 1.0.0.1 | No-log policy |
| Quad9 | 9.9.9.9 | 149.112.112.112 | No-log + blocks malware |
| OpenDNS | 208.67.222.222 | 208.67.220.220 | Optional content filtering |
Find the DNS settings under: WAN → DNS Settings or Internet → DNS. Replace your ISP's DNS with your chosen provider's addresses.
For encrypted DNS (DNS over HTTPS), some routers support this natively (Asus with Merlin firmware, Synology, pfSense, Firewalla). If yours does, enabling DoH prevents even your ISP from seeing which domains you're resolving. See our DNS over HTTPS guide for setup details.
10. Review Connected Devices Regularly
Risk: Medium (ongoing)
Once your router is secured, make it a habit to check who's connected. Most routers list connected devices under: DHCP Client List, Connected Devices, Device Manager, or Network Map.
Look for:
- Unfamiliar device names: could be a neighbor who guessed your password or a device you forgot about
- Devices connected at unexpected hours: activity at 3am from a device you thought was off
- Unusually high traffic from a single device: potential sign of malware or unauthorized use
If you find an unauthorized device, change your WiFi password immediately. All legitimate devices will need to reconnect, but the unauthorized device will be removed.
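The three review signals above can be checked mechanically against an inventory you keep yourself. The following is an added example, not part of the original article: the CSV column layout, the sample rows, the inventory, the quiet-hours window and the 60% traffic threshold are all constructed assumptions, since every router exports its client list differently.

```python
import csv
import io
from datetime import datetime

# Constructed sample export; real routers use different formats, so adapt the columns.
SAMPLE_EXPORT = """hostname,mac,ip,last_seen,bytes_24h
laptop-anna,3C:22:FB:10:20:30,192.168.1.20,2024-05-02T21:14:00,850000000
pixel-7,A4:77:33:0A:0B:0C,192.168.1.21,2024-05-02T23:40:00,420000000
living-room-tv,64:16:66:AA:BB:CC,192.168.1.30,2024-05-03T03:05:00,9600000000
,DE:AD:BE:EF:00:01,192.168.1.57,2024-05-03T02:48:00,120000000
"""

# Hand-maintained inventory: MAC -> (label, expected to be active overnight?)
KNOWN_DEVICES = {
    "3c:22:fb:10:20:30": ("Anna's laptop", False),
    "a4:77:33:0a:0b:0c": ("Pixel phone", True),
    "64:16:66:aa:bb:cc": ("Living room TV", False),
}

QUIET_HOURS = range(1, 5)      # 01:00-04:59 local time (assumed window)
TRAFFIC_SHARE_LIMIT = 0.60     # flag one device using more than 60% of all traffic


def review_clients(export_text, known=KNOWN_DEVICES):
    """Return (mac, finding, detail) tuples for the three signals in the checklist."""
    rows = list(csv.DictReader(io.StringIO(export_text)))
    total = sum(int(r["bytes_24h"]) for r in rows) or 1
    findings = []
    for r in rows:
        mac = r["mac"].strip().lower()
        name = r["hostname"] or "(no hostname)"
        seen = datetime.fromisoformat(r["last_seen"])
        label, overnight_ok = known.get(mac, (None, False))
        if label is None:
            findings.append((mac, "unknown-device", f"{name} at {r['ip']} is not in the inventory"))
        if seen.hour in QUIET_HOURS and not overnight_ok:
            findings.append((mac, "odd-hours", f"{label or name} active at {seen:%H:%M}"))
        share = int(r["bytes_24h"]) / total
        if share > TRAFFIC_SHARE_LIMIT:
            findings.append((mac, "high-traffic", f"{label or name} used {share:.0%} of traffic"))
    return findings


if __name__ == "__main__":
    for mac, kind, detail in review_clients(SAMPLE_EXPORT):
        print(f"{kind:15} {mac}  {detail}")
```

A MAC address that matches the inventory is not proof of identity, because MAC addresses can be changed by the device, so treat odd-hours and high-traffic findings on known devices as worth a look too.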
Full Checklist Summary
| Setting | Risk Level | Time to Fix | Where to Find It |
|---|---|---|---|
| Change admin password | Critical | 2 min | Administration → Password |
| Update firmware | Critical | 5–15 min | Administration → Firmware |
| Enable WPA3/WPA2-AES | High | 2 min | Wireless → Security |
| Disable WPS | High | 1 min | Wireless → WPS |
| Disable remote management | High | 1 min | Advanced → Remote Management |
| Enable firewall | High | 2 min | Security → Firewall |
| Change SSID | Medium | 2 min | Wireless → General |
| Set up guest/IoT network | Medium-High | 10 min | Wireless → Guest Network |
| Configure secure DNS | Medium | 5 min | WAN → DNS Settings |
| Review connected devices | Ongoing | 5 min/quarter | DHCP Client List |
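To re-check the nine configurable settings each quarter, you can record what the admin panel shows in a small snapshot and score it against the table. This is an added example, not part of the original article: the snapshot keys, the SSID pattern (built from the default names the article mentions), the 90-day firmware window (the article's 3-month reminder) and both sample snapshots are constructed assumptions, and the values are typed in by hand rather than read from any router API.

```python
import re
from datetime import date

# Illustrative pattern built from the default SSIDs named in the article.
DEFAULT_SSID = re.compile(r"^(netgear|tp-link|xfinity)[-_]?\w*$", re.IGNORECASE)
GOOD_ENCRYPTION = {"WPA3-Personal", "WPA2/WPA3 Transition", "WPA2-AES/CCMP"}
PRIVACY_DNS = {"1.1.1.1", "1.0.0.1", "9.9.9.9", "149.112.112.112",
               "208.67.222.222", "208.67.220.220"}
RANK = {"Critical": 0, "High": 1, "Medium-High": 2, "Medium": 3}


def audit(cfg, today):
    """Return (risk, setting) findings, most severe first, for a settings snapshot."""
    checks = [
        ("Critical", "Change admin password", cfg["admin_password_is_default"]),
        ("Critical", "Update firmware",
         (today - cfg["firmware_last_checked"]).days > 90),
        ("High", "Enable WPA3/WPA2-AES", cfg["encryption"] not in GOOD_ENCRYPTION),
        ("High", "Disable WPS", cfg["wps_enabled"]),
        ("High", "Disable remote management", cfg["remote_management"]),
        ("High", "Enable firewall", not cfg["spi_firewall"]),
        ("Medium", "Change SSID", bool(DEFAULT_SSID.match(cfg["ssid"]))),
        ("Medium-High", "Set up guest/IoT network",
         not (cfg["guest_network"] and cfg["client_isolation"])),
        ("Medium", "Configure secure DNS", not set(cfg["dns"]) <= PRIVACY_DNS),
    ]
    failed = [(risk, name) for risk, name, bad in checks if bad]
    return sorted(failed, key=lambda f: RANK[f[0]])


# Constructed snapshots: a router left on factory defaults and the same one hardened.
FACTORY = {
    "admin_password_is_default": True, "firmware_last_checked": date(2022, 1, 10),
    "encryption": "WPA2-TKIP", "wps_enabled": True, "remote_management": True,
    "spi_firewall": False, "ssid": "NETGEAR47", "guest_network": False,
    "client_isolation": False, "dns": ["203.0.113.53"],  # documentation-range address
}
HARDENED = dict(FACTORY, admin_password_is_default=False,
                firmware_last_checked=date(2024, 5, 1), encryption="WPA3-Personal",
                wps_enabled=False, remote_management=False, spi_firewall=True,
                ssid="bluebird", guest_network=True, client_isolation=True,
                dns=["9.9.9.9", "149.112.112.112"])

if __name__ == "__main__":
    for risk, name in audit(FACTORY, date(2024, 6, 1)):
        print(f"[{risk}] {name}")
```

The snapshot deliberately stores only whether the admin password is still the default, never the password itself.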
After Completing the Checklist
- Use our Public WiFi Security guide to protect yourself on networks you don't control
- Run a DNS Leak Test to confirm your DNS traffic is going to the provider you configured
- Check what an attacker can do with IP information in our guide on what someone can do with your IP address
WhatIsMyLocation Team
Our team of network engineers and web developers builds and maintains 25+ free networking and location tools used by thousands of users every month. Every article is reviewed for technical accuracy using real-world testing with our own tools.