Router Security Setup: 10 Settings to Change Right Now

Why Router Security Is Critical

Your router is the single most important security device in your home. Every piece of data flowing between your devices and the internet passes through it. Despite this critical role, most people never change their router's default settings, effectively leaving the front door to their digital life wide open.

A compromised router gives an attacker the ability to intercept all your internet traffic, redirect you to malicious websites, inject malware into downloads, monitor your browsing activity, and use your network for illegal purposes. Worse, router compromises are often invisible to the user because the device continues to function normally while silently serving the attacker's purposes.

The following ten settings should be changed immediately after setting up any new router, and verified on existing routers to ensure they are properly configured.

1. Change Default Admin Credentials

Every router ships with default administrator credentials, often "admin/admin" or "admin/password." These defaults are publicly documented and are the first thing an attacker will try. Log into your router's administration panel, usually accessible at 192.168.1.1 or 192.168.0.1, and change both the username and password immediately.

Use our password generator to create a strong, unique admin password that is at least 16 characters long with a mix of letters, numbers, and symbols. Store this password in a password manager so you do not lose it.

2. Update Router Firmware

Router manufacturers regularly release firmware updates that fix security vulnerabilities and improve performance. Many routers do not update automatically, leaving known vulnerabilities unpatched for months or years.

Check your router manufacturer's website or the router's administration panel for firmware updates. Some modern routers support automatic firmware updates, which you should enable if available. If your router has not received a firmware update in over a year, consider replacing it with a model that receives active security support.

3. Use WPA3 Encryption

Wi-Fi Protected Access 3 (WPA3) is the latest and most secure wireless encryption standard. It provides stronger encryption, better protection against brute-force password attacks, and improved security for open networks. If your router supports WPA3, enable it immediately.

If your router only supports WPA2, ensure WPA2-AES is selected rather than WPA2-TKIP, which has known weaknesses. Avoid WPA and WEP entirely, as both have been thoroughly broken and provide negligible security. If your router does not support at least WPA2-AES, it is time to replace it.

4. Disable WPS

Wi-Fi Protected Setup (WPS) was designed to make it easy to connect devices to your network by pressing a button or entering a PIN. Unfortunately, the WPS PIN method has a serious vulnerability that allows attackers to brute-force the PIN in a matter of hours, regardless of your Wi-Fi password strength.

Disable WPS entirely in your router settings. The convenience it provides is not worth the security risk. Connecting devices by entering your Wi-Fi password manually takes only a few seconds longer and does not create a vulnerability.

5. Change Your Network Name (SSID)

Your router's default network name often reveals the manufacturer and model, information that helps attackers identify known vulnerabilities specific to your hardware. Change the SSID to something that does not identify you personally or reveal your router model.

Avoid using your name, address, apartment number, or any other personally identifying information in your network name. A generic or creative name works perfectly fine. While hiding your SSID entirely is sometimes recommended, it provides minimal security benefit because the network name can still be detected by anyone using readily available tools.

6. Enable the Built-In Firewall

Most routers include a built-in firewall that filters incoming traffic from the internet. Verify that this feature is enabled in your router's security settings. The default configuration typically blocks unsolicited incoming connections, which prevents external attackers from directly accessing devices on your network.

Review the firewall settings to ensure no unnecessary ports are open. If you previously set up port forwarding for a game or application you no longer use, remove those rules. Each open port is a potential entry point for an attacker.

7. Disable Remote Management

Remote management allows the router's administration panel to be accessed from the internet, outside your home network. Unless you have a specific need for this feature and understand the security implications, disable it entirely.

With remote management enabled, attackers anywhere in the world can attempt to access your router's settings. Even with a strong admin password, this expands your attack surface unnecessarily. If you need to manage your router remotely, use a VPN to connect to your home network first and then access the admin panel locally.

8. Set Up a Guest Network

Create a separate guest network for visitors and IoT devices. The guest network should have its own password, and client isolation should be enabled so devices on the guest network cannot communicate with each other or with devices on your main network.

This prevents a guest's potentially compromised device from accessing your computers, NAS drives, or other sensitive devices. Place all smart home devices, smart TVs, and other IoT devices on this guest network as well, since these devices often have weak security and do not need access to your personal devices.

9. Consider MAC Address Filtering

MAC address filtering allows you to create a whitelist of devices permitted to connect to your network based on their unique hardware addresses. While a determined attacker can spoof a MAC address, this adds another layer of defense that deters casual unauthorized access.

This feature is most useful on networks where the set of connected devices rarely changes. For busy households where new devices connect frequently, the management overhead may outweigh the security benefit.

10. Configure DNS Settings

Your router's DNS settings determine which servers translate domain names into IP addresses. By default, your router uses your internet service provider's DNS servers, which may log your queries and can be slower. Consider configuring your router to use privacy-respecting DNS providers.

Cloudflare's 1.1.1.1 DNS service emphasizes privacy and speed. Quad9 (9.9.9.9) provides built-in malware domain blocking. Google's 8.8.8.8 is reliable and fast though not privacy-focused. Setting DNS at the router level applies the protection to every device on your network without needing to configure each one individually.

After making these changes, use our speed test to verify that your network performance has not been negatively affected. A properly secured router should have no noticeable impact on speed while providing dramatically improved protection for every device in your home.