
Summarise this article with:
Your router is the single gateway between every device in your home and the internet. Every laptop, phone, smart TV, and security camera trusts it completely. Yet most routers sit for years on the same insecure factory settings they shipped with.

This checklist is ordered by impact. Fix 1 is your biggest risk. Fix 10 is maintenance. Each step takes under 15 minutes. Together they close the most commonly exploited gaps in home network security.
How to Access Your Router Admin Panel
Before anything else, you need to log in:
- Open a browser and go to your router's IP address, usually
192.168.1.1or192.168.0.1 - If those don't work, find the right address:
- Windows: open Command Prompt and run ipconfig, then look for "Default Gateway"
- macOS: System Settings, then Network, then your connection, then Details, then TCP/IP, then "Router"
- Log in with the credentials printed on the label attached to your router
- If the label credentials don't work, try
admin/adminoradmin/password, which are common factory defaults
If admin/admin works, you have an urgent problem. Fix 1 is your first stop.
The 10-Step Security Checklist
1. Change the Default Admin Password
Default admin credentials are indexed in public databases and can be looked up in seconds. Any attacker who reaches your router's admin panel, whether through your local network or via remote access, can log in immediately.
- Use a password of at least 16 characters with mixed case, numbers, and symbols
- Store it in a password manager (Bitwarden, 1Password) since you rarely need it
- Change the admin username too, if your router allows it
After changing the password, log out and log back in to confirm the new credentials work.
2. Update Your Router's Firmware
Unpatched router firmware is actively scanned and exploited by automated botnets. The Mirai botnet, which attacked major internet infrastructure in 2016 by compromising over 500,000 devices, spread by exploiting default credentials and known firmware vulnerabilities. Similar campaigns have continued ever since, including a December 2024 advisory from Juniper about Mirai targeting network devices with default passwords.
- In your admin panel, find Administration or Firmware Update (the exact location varies by manufacturer)
- Check for available updates and install any found
- Enable automatic updates if the option exists. Netgear and Linksys both support this natively.
- Set a recurring reminder to check manually every three months on routers without auto-update
If your router is more than five or six years old and the manufacturer has stopped releasing firmware, replacing it is a legitimate security decision, not just a performance upgrade.
3. Use WPA3 or WPA2-AES Encryption
The encryption protocol determines how hard it is for a nearby attacker to crack into your network. WPA3, the current standard, uses Simultaneous Authentication of Equals (SAE) instead of the pre-shared key mechanism in WPA2, which makes offline dictionary attacks significantly harder.
| Protocol | Status | Notes |
|---|---|---|
| WEP | Broken, never use | Crackable in minutes with basic tools |
| WPA/TKIP | Deprecated | Multiple practical attacks known |
| WPA2-TKIP | Weak | TKIP-specific vulnerabilities |
| WPA2-AES/CCMP | Acceptable | Patched KRACK vulnerability on modern devices |
| WPA3-Personal | Recommended | Current strongest standard |
| WPA2/WPA3 Transition | Good for compatibility | Slightly weaker than WPA3-only |
Enable WPA3 if your router supports it. If not, use WPA2 with AES (also listed as CCMP), never TKIP. For a deeper look at what changed with WPA3, see the WiFi Security and WPA3 guide.
Find the setting under: Wireless, then Security, then Encryption (exact path varies).
4. Disable WPS
WPS has a mathematical flaw that makes its PIN mode trivially brute-forceable. The 8-digit WPS PIN is validated in two halves: an attacker only needs to try 10,000 combinations for the first half and 1,000 for the second, for a total of roughly 11,000 guesses instead of 100,000,000. CISA issued an advisory on this in 2012, and the vulnerability has never been patched because it is structural. Tools like Reaver still exploit it today.
Even with PIN mode nominally disabled, some routers leave a "push button" WPS mode active, which opens a two-minute enrollment window an attacker can exploit if they time it right.
Disable WPS entirely. The convenience of skipping a password entry one time does not justify a permanent attack surface.
Find it under: Wireless, then WPS or Advanced, then WPS. Set to Disabled.
5. Disable UPnP
Universal Plug and Play (UPnP) lets any device on your network ask your router to open ports to the internet, with no authentication required. Malware running on a compromised device can use UPnP to quietly punch holes in your firewall without triggering any alerts. The Canadian Centre for Cyber Security explicitly recommends disabling UPnP, and the UpGuard security blog as of 2026 still lists it as dangerous.
Gaming consoles and some smart TVs use UPnP for automatic port forwarding. If disabling it breaks something specific, you can re-enable it temporarily or configure static port forwarding manually for just that device.
Find it under: Advanced, then UPnP or NAT, then UPnP. Set to Disabled.
6. Disable Remote Management
Remote management lets anyone on the internet reach your router's admin panel. It is useful for IT professionals managing multiple sites, but for home users it adds a reachable attack surface with no meaningful benefit.
Find it under: Remote Management, WAN Access, or Remote Administration in your admin panel's advanced settings. Set to Disabled.
If you genuinely need remote access to your home network, the correct approach is a VPN, not exposing the router admin panel directly.
7. Create a Separate Network for IoT Devices
Smart TVs, thermostats, cameras, and other IoT devices frequently run years-old unpatched firmware. If one gets compromised, you want it isolated from your laptop and phone. A guest network with AP isolation is the simplest way to achieve this.
- Enable Guest Network in your router settings
- Give it a different name and a strong password
- Enable AP Isolation or Client Isolation, which prevents devices on that network from talking to each other or to your main network
- Move all smart home devices, streaming sticks, and security cameras to this network
| Device Type | Network |
|---|---|
| Laptops, phones, tablets | Main network |
| Smart TVs, streaming sticks | IoT/guest network |
| Smart bulbs, thermostats, plugs | IoT/guest network |
| Security cameras, video doorbells | IoT/guest network |
| Visitors' devices | Guest network |
This does not stop a compromised IoT device from contacting an attacker's server on the internet, but it does stop lateral movement: an attacker who gets into your smart TV cannot reach your laptop directly.
In my testing on a TP-Link Archer and an Eero Pro, enabling AP isolation on the guest network dropped cross-device visibility immediately and required no additional configuration.
8. Enable the Router Firewall
Most consumer routers ship with a Stateful Packet Inspection (SPI) firewall that may be disabled or partially configured. Enable these settings if your router offers them:
- SPI Firewall: inspects packets against known attack patterns
- DoS Protection: rate-limits connection attempts to block flooding
- Block WAN Requests / Stealth Mode: prevents external scanners from detecting that your router is responding to pings
Find it under: Security, then Firewall or Advanced, then Firewall.
These settings reduce automated scanning and opportunistic intrusion attempts. They will not stop a sophisticated targeted attack, but they meaningfully reduce the noise your router has to handle.
9. Configure Secure DNS
By default your router forwards DNS queries to your ISP's servers, which may log every domain your household visits. Switching to a privacy-respecting resolver at the router level protects every device on your network, including IoT devices that cannot be individually configured.
| Provider | Primary | Secondary | Notes |
|---|---|---|---|
| Cloudflare | 1.1.1.1 | 1.0.0.1 | No-log policy, fastest in most regions |
| Cloudflare (malware-blocking) | 1.1.1.2 | 1.0.0.2 | Same privacy, blocks known malware domains |
| Quad9 | 9.9.9.9 | 149.112.112.112 | No-log, blocks malware, Swiss jurisdiction |
| OpenDNS | 208.67.222.222 | 208.67.220.220 | Optional content filtering |
Find the setting under: WAN, then DNS Settings or Internet, then DNS. Replace your ISP's DNS with your chosen provider.
Some routers (Asus with Merlin firmware, Synology, pfSense, Firewalla) also support DNS over HTTPS natively, which encrypts DNS queries so even your ISP cannot see which domains you are resolving. See the DNS over HTTPS guide for setup details.
10. Review Connected Devices Regularly
Once your router is secured, make it a habit to check who is connected. Most routers list connected devices under: DHCP Client List, Connected Devices, Device Manager, or Network Map.
Look for:
- Unfamiliar device names that you cannot account for
- Devices connected at unexpected hours
- Unusually high traffic from a single device
If you find an unauthorized device, change your WiFi password immediately. All legitimate devices will need to reconnect, but the unauthorized device will not.
Quick Reference
| Setting | Risk Level | Time to Fix |
|---|---|---|
| Change admin password | Critical | 2 min |
| Update firmware | Critical | 5-15 min |
| Enable WPA3/WPA2-AES | High | 2 min |
| Disable WPS | High | 1 min |
| Disable UPnP | High | 1 min |
| Disable remote management | High | 1 min |
| Set up IoT guest network | Medium-High | 10 min |
| Enable firewall | High | 2 min |
| Configure secure DNS | Medium | 5 min |
| Review connected devices | Ongoing | 5 min/quarter |
Check What Your Router Is Exposing
After working through this list, use the Port Scanner to scan your own external IP address. Any open ports you did not explicitly configure are worth investigating. A closed router should show almost nothing. If you see unexpected open ports, remote management or UPnP may still be active.
You can also run a DNS Leak Test to confirm your DNS traffic is going to the provider you configured rather than your ISP.
Frequently Asked Questions
Does changing my WiFi password make my router secure?
Changing the WiFi password helps, but it addresses only one exposure. The admin password (used to log into the router itself), firmware version, WPS status, UPnP, and encryption protocol are all separate settings that the WiFi password does not touch. An attacker on your local network can still reach the admin panel using default credentials if you have not changed them.
Is WPA3 backwards compatible with older devices?
Most routers that support WPA3 also offer a WPA2/WPA3 transition mode, which allows older devices to connect using WPA2 while newer devices use WPA3. This is a reasonable middle ground if you have a mix of devices. The slight security trade-off compared to WPA3-only is minimal for most home networks.
Is it safe to leave UPnP enabled for gaming?
UPnP is convenient for gaming consoles because it automates port forwarding for multiplayer connections. The risk is that any software on your network can also use it without your knowledge or consent, including malware. A safer alternative is to disable UPnP and configure static port forwarding only for the specific ports your consoles need. Most gaming console manufacturers publish the exact ports required.
How often should I update my router firmware?
Enable automatic updates if your router supports it. For routers without that option, check manually every three months. Manufacturers typically release firmware when new vulnerabilities are disclosed, so periodic manual checks catch gaps that automated systems miss. If your router has not received a firmware update in two or more years, check the manufacturer's support page to confirm the model is still supported.
What does "AP isolation" actually do on a guest network?
AP isolation (also called client isolation or network isolation) prevents devices connected to the same WiFi network from seeing or communicating with each other directly. On a normal network, devices can discover and talk to each other freely. With AP isolation on, a smart bulb and a security camera on the guest network cannot communicate with each other, and neither can reach devices on your main network. They can still reach the internet. This limits the damage from a compromised device significantly.
Sources
- CISA: Wi-Fi Protected Setup (WPS) Vulnerable to Brute-Force Attack
- CISA: Heightened DDoS Threat Posed by Mirai and Other Botnets
- The Hacker News: Juniper Warns of Mirai Botnet Targeting SSR Devices with Default Passwords (December 2024)
- Canadian Centre for Cyber Security: Universal Plug and Play (UPnP)
- UpGuard: What is UPnP? Yes, It's Still Dangerous in 2026
- SecureW2: WPA2 vs WPA3 Key Differences and Security Improvements
WhatIsMyLocation Team
Our team of network engineers and web developers builds and maintains 25+ free networking and location tools used by thousands of users every month. Every article is reviewed for technical accuracy using real-world testing with our own tools.
Related Articles
Try Our Location Tools
Find your IP address, GPS coordinates, and more with our free tools.