Home
My IP
GPS
Find Me
Your Location
4๏ธโƒฃIPv4: โ€”
๐Ÿ“...
6๏ธโƒฃIPv6: โ€”
๐ŸŒ...
๐Ÿข...
๐Ÿ“Œ...
How-To Guides11 min read

WiFi Router Security Checklist: 10 Settings to Fix Right Now

The router security checklist ordered by impact: WPA3, firmware, WPS off, guest network, UPnP honesty, and how to verify.

By WhatIsMyLocation TeamยทUpdated July 2, 2026
WiFi Router Security Checklist: 10 Settings to Fix Right Now

Summarise this article with:

TL;DR
Your router's factory defaults are a known attack surface: default admin passwords are indexed in public lookup tables, WPS has a mathematical flaw that reduces brute-force work from 10 million to 11,000 guesses, and Mirai-style botnets scan for unpatched firmware around the clock. This checklist orders the fixes by actual risk, so you can stop at any step and still have made a meaningful improvement. Most steps take under five minutes.

Your router is the single gateway between every device in your home and the internet. Every laptop, phone, smart TV, and security camera trusts it completely. Yet most routers sit for years on the same insecure factory settings they shipped with.

Scan your public IP to verify nothing unexpected is exposed
Scan your public IP to verify nothing unexpected is exposed

This checklist is ordered by impact. Fix 1 is your biggest risk. Fix 10 is maintenance. Each step takes under 15 minutes. Together they close the most commonly exploited gaps in home network security.

How to Access Your Router Admin Panel

Before anything else, you need to log in:

  1. Open a browser and go to your router's IP address, usually 192.168.1.1 or 192.168.0.1
  2. If those don't work, find the right address:

- Windows: open Command Prompt and run ipconfig, then look for "Default Gateway"

- macOS: System Settings, then Network, then your connection, then Details, then TCP/IP, then "Router"

  1. Log in with the credentials printed on the label attached to your router
  2. If the label credentials don't work, try admin / admin or admin / password, which are common factory defaults

If admin/admin works, you have an urgent problem. Fix 1 is your first stop.

The 10-Step Security Checklist

1. Change the Default Admin Password

Default admin credentials are indexed in public databases and can be looked up in seconds. Any attacker who reaches your router's admin panel, whether through your local network or via remote access, can log in immediately.

  • Use a password of at least 16 characters with mixed case, numbers, and symbols
  • Store it in a password manager (Bitwarden, 1Password) since you rarely need it
  • Change the admin username too, if your router allows it

After changing the password, log out and log back in to confirm the new credentials work.

2. Update Your Router's Firmware

Unpatched router firmware is actively scanned and exploited by automated botnets. The Mirai botnet, which attacked major internet infrastructure in 2016 by compromising over 500,000 devices, spread by exploiting default credentials and known firmware vulnerabilities. Similar campaigns have continued ever since, including a December 2024 advisory from Juniper about Mirai targeting network devices with default passwords.

  1. In your admin panel, find Administration or Firmware Update (the exact location varies by manufacturer)
  2. Check for available updates and install any found
  3. Enable automatic updates if the option exists. Netgear and Linksys both support this natively.
  4. Set a recurring reminder to check manually every three months on routers without auto-update

If your router is more than five or six years old and the manufacturer has stopped releasing firmware, replacing it is a legitimate security decision, not just a performance upgrade.

3. Use WPA3 or WPA2-AES Encryption

The encryption protocol determines how hard it is for a nearby attacker to crack into your network. WPA3, the current standard, uses Simultaneous Authentication of Equals (SAE) instead of the pre-shared key mechanism in WPA2, which makes offline dictionary attacks significantly harder.

ProtocolStatusNotes
WEPBroken, never useCrackable in minutes with basic tools
WPA/TKIPDeprecatedMultiple practical attacks known
WPA2-TKIPWeakTKIP-specific vulnerabilities
WPA2-AES/CCMPAcceptablePatched KRACK vulnerability on modern devices
WPA3-PersonalRecommendedCurrent strongest standard
WPA2/WPA3 TransitionGood for compatibilitySlightly weaker than WPA3-only

Enable WPA3 if your router supports it. If not, use WPA2 with AES (also listed as CCMP), never TKIP. For a deeper look at what changed with WPA3, see the WiFi Security and WPA3 guide.

Find the setting under: Wireless, then Security, then Encryption (exact path varies).

4. Disable WPS

WPS has a mathematical flaw that makes its PIN mode trivially brute-forceable. The 8-digit WPS PIN is validated in two halves: an attacker only needs to try 10,000 combinations for the first half and 1,000 for the second, for a total of roughly 11,000 guesses instead of 100,000,000. CISA issued an advisory on this in 2012, and the vulnerability has never been patched because it is structural. Tools like Reaver still exploit it today.

Even with PIN mode nominally disabled, some routers leave a "push button" WPS mode active, which opens a two-minute enrollment window an attacker can exploit if they time it right.

Disable WPS entirely. The convenience of skipping a password entry one time does not justify a permanent attack surface.

Find it under: Wireless, then WPS or Advanced, then WPS. Set to Disabled.

5. Disable UPnP

Universal Plug and Play (UPnP) lets any device on your network ask your router to open ports to the internet, with no authentication required. Malware running on a compromised device can use UPnP to quietly punch holes in your firewall without triggering any alerts. The Canadian Centre for Cyber Security explicitly recommends disabling UPnP, and the UpGuard security blog as of 2026 still lists it as dangerous.

Gaming consoles and some smart TVs use UPnP for automatic port forwarding. If disabling it breaks something specific, you can re-enable it temporarily or configure static port forwarding manually for just that device.

Find it under: Advanced, then UPnP or NAT, then UPnP. Set to Disabled.

6. Disable Remote Management

Remote management lets anyone on the internet reach your router's admin panel. It is useful for IT professionals managing multiple sites, but for home users it adds a reachable attack surface with no meaningful benefit.

Find it under: Remote Management, WAN Access, or Remote Administration in your admin panel's advanced settings. Set to Disabled.

If you genuinely need remote access to your home network, the correct approach is a VPN, not exposing the router admin panel directly.

7. Create a Separate Network for IoT Devices

Smart TVs, thermostats, cameras, and other IoT devices frequently run years-old unpatched firmware. If one gets compromised, you want it isolated from your laptop and phone. A guest network with AP isolation is the simplest way to achieve this.

  1. Enable Guest Network in your router settings
  2. Give it a different name and a strong password
  3. Enable AP Isolation or Client Isolation, which prevents devices on that network from talking to each other or to your main network
  4. Move all smart home devices, streaming sticks, and security cameras to this network
Device TypeNetwork
Laptops, phones, tabletsMain network
Smart TVs, streaming sticksIoT/guest network
Smart bulbs, thermostats, plugsIoT/guest network
Security cameras, video doorbellsIoT/guest network
Visitors' devicesGuest network

This does not stop a compromised IoT device from contacting an attacker's server on the internet, but it does stop lateral movement: an attacker who gets into your smart TV cannot reach your laptop directly.

In my testing on a TP-Link Archer and an Eero Pro, enabling AP isolation on the guest network dropped cross-device visibility immediately and required no additional configuration.

8. Enable the Router Firewall

Most consumer routers ship with a Stateful Packet Inspection (SPI) firewall that may be disabled or partially configured. Enable these settings if your router offers them:

  • SPI Firewall: inspects packets against known attack patterns
  • DoS Protection: rate-limits connection attempts to block flooding
  • Block WAN Requests / Stealth Mode: prevents external scanners from detecting that your router is responding to pings

Find it under: Security, then Firewall or Advanced, then Firewall.

These settings reduce automated scanning and opportunistic intrusion attempts. They will not stop a sophisticated targeted attack, but they meaningfully reduce the noise your router has to handle.

9. Configure Secure DNS

By default your router forwards DNS queries to your ISP's servers, which may log every domain your household visits. Switching to a privacy-respecting resolver at the router level protects every device on your network, including IoT devices that cannot be individually configured.

ProviderPrimarySecondaryNotes
Cloudflare1.1.1.11.0.0.1No-log policy, fastest in most regions
Cloudflare (malware-blocking)1.1.1.21.0.0.2Same privacy, blocks known malware domains
Quad99.9.9.9149.112.112.112No-log, blocks malware, Swiss jurisdiction
OpenDNS208.67.222.222208.67.220.220Optional content filtering

Find the setting under: WAN, then DNS Settings or Internet, then DNS. Replace your ISP's DNS with your chosen provider.

Some routers (Asus with Merlin firmware, Synology, pfSense, Firewalla) also support DNS over HTTPS natively, which encrypts DNS queries so even your ISP cannot see which domains you are resolving. See the DNS over HTTPS guide for setup details.

10. Review Connected Devices Regularly

Once your router is secured, make it a habit to check who is connected. Most routers list connected devices under: DHCP Client List, Connected Devices, Device Manager, or Network Map.

Look for:

  • Unfamiliar device names that you cannot account for
  • Devices connected at unexpected hours
  • Unusually high traffic from a single device

If you find an unauthorized device, change your WiFi password immediately. All legitimate devices will need to reconnect, but the unauthorized device will not.

Quick Reference

SettingRisk LevelTime to Fix
Change admin passwordCritical2 min
Update firmwareCritical5-15 min
Enable WPA3/WPA2-AESHigh2 min
Disable WPSHigh1 min
Disable UPnPHigh1 min
Disable remote managementHigh1 min
Set up IoT guest networkMedium-High10 min
Enable firewallHigh2 min
Configure secure DNSMedium5 min
Review connected devicesOngoing5 min/quarter

Check What Your Router Is Exposing

After working through this list, use the Port Scanner to scan your own external IP address. Any open ports you did not explicitly configure are worth investigating. A closed router should show almost nothing. If you see unexpected open ports, remote management or UPnP may still be active.

You can also run a DNS Leak Test to confirm your DNS traffic is going to the provider you configured rather than your ISP.

Frequently Asked Questions

Does changing my WiFi password make my router secure?

Changing the WiFi password helps, but it addresses only one exposure. The admin password (used to log into the router itself), firmware version, WPS status, UPnP, and encryption protocol are all separate settings that the WiFi password does not touch. An attacker on your local network can still reach the admin panel using default credentials if you have not changed them.

Is WPA3 backwards compatible with older devices?

Most routers that support WPA3 also offer a WPA2/WPA3 transition mode, which allows older devices to connect using WPA2 while newer devices use WPA3. This is a reasonable middle ground if you have a mix of devices. The slight security trade-off compared to WPA3-only is minimal for most home networks.

Is it safe to leave UPnP enabled for gaming?

UPnP is convenient for gaming consoles because it automates port forwarding for multiplayer connections. The risk is that any software on your network can also use it without your knowledge or consent, including malware. A safer alternative is to disable UPnP and configure static port forwarding only for the specific ports your consoles need. Most gaming console manufacturers publish the exact ports required.

How often should I update my router firmware?

Enable automatic updates if your router supports it. For routers without that option, check manually every three months. Manufacturers typically release firmware when new vulnerabilities are disclosed, so periodic manual checks catch gaps that automated systems miss. If your router has not received a firmware update in two or more years, check the manufacturer's support page to confirm the model is still supported.

What does "AP isolation" actually do on a guest network?

AP isolation (also called client isolation or network isolation) prevents devices connected to the same WiFi network from seeing or communicating with each other directly. On a normal network, devices can discover and talk to each other freely. With AP isolation on, a smart bulb and a security camera on the guest network cannot communicate with each other, and neither can reach devices on your main network. They can still reach the internet. This limits the damage from a compromised device significantly.

Sources

W

WhatIsMyLocation Team

Our team of network engineers and web developers builds and maintains 25+ free networking and location tools used by thousands of users every month. Every article is reviewed for technical accuracy using real-world testing with our own tools.

Related Articles

Try Our Location Tools

Find your IP address, GPS coordinates, and more with our free tools.