
7 Steps to a Secure Router

I’d like to know how to clear the history of my Linksys router. I’d also like to know how I can make it more secure and protect it from hacking.

The topic is an important one: how do you make sure you have a secure router? As your firewall, it’s your first line of defense against malware trying to get at your computer from the internet.

You want to make sure there aren’t big gaping holes. And sadly, very often and by default, there are.

Here are the eight most important steps to a more secure router.

(Updated 18-Dec-2016 to include checking for firmware updates after a high-profile vulnerability disclosure by a major router manufacturer.)


My router versus your router

I have to start with a caveat: there are hundreds, if not thousands, of different routers. Different brands and different models with differing capabilities, power, and, of course, at differing cost.

Most importantly, they have different administration interfaces.

What that means is, I can’t tell you exactly how to make changes to your router, step-by-step. The concepts I’ll cover apply to almost all consumer-grade routers, and I’ll be using an old and popular LinkSys BEFSR81 router and LinkSys WAP54G access point as examples.

You’ll need to “translate” the examples to the equivalent settings on your own router or access point. Make sure you have access to the documentation that came with your router, or locate the user’s manual online.

Already we see a common difference: you may well have a single device that combines both the router and wireless access point. You probably refer to it as simply your “router”. In reality, there are two separate devices — a router that deals with network access, and a wireless access point that provides your Wi-Fi connectivity — that happen to be housed in a single box. In my case, they’re in separate boxes.

1. Change the default password

If you do nothing else to secure your router, change the default password. Change it to be something long and strong. If your router supports it, a passphrase of three or more words might be ideal.

Password Dialog on LinkSys router
The reason for this is quite simple: it’s a common gaping security hole.

For many years, almost every router and access point from the same manufacturer was shipped with the same default password. For LinkSys, if your login is a blank username and a password of “admin”, as outlined in its manual, then anyone and everyone knows it. And anyone can log in to your router and undo any or all of the rest of the security steps we’re about to take.

Then, any malware that takes advantage of the default passwords on routers can make changes without your knowledge.

Fortunately, in recent years, most — though sadly, not all — router manufacturers have been getting smarter. If the instructions that came with your router included checking a sticker on the actual router for the admin password, and that looks like a strong password, then the security hole is significantly smaller. Now only those people who can walk up to your router and look at that sticker can get in.

I’d change the password anyway.

2. Disable remote management

“Remote Management” is a feature that allows your router to be administered from anywhere on the internet.

LinkSys Filters
LinkSys Remote Management
While this setting (coupled with a very strong password) might make sense for a handful of people[1], for most folks there’s absolutely no need to administer the router from anywhere but the local machines connected to it.

Make sure the remote management setting is off.

3. Turn off Universal Plug and Play

Universal Plug and Play (UPnP) is a technology that allows software running on your machine to configure services like port forwarding (a way of allowing computers outside your network to access your local computers directly) without you having to go in and administer the router manually.

It seems like a good idea, right?

Nope. Turn it off.

LinkSys UPnP setting
It turns out malware can also be UPnP aware, and can make malicious changes to your router without your involvement or awareness.

(Note: UPnP is unrelated to Windows “Plug and Play” hardware detection; it’s just another unfortunate collision of similar names.)
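One way to confirm from a computer on your own network that UPnP really is off after changing the setting. This is an added example, not part of the original article: it sends the standard SSDP discovery request that UPnP software uses and reports any gateway that answers. The sample replies, addresses, and device names in it are constructed for illustration.

```python
import socket
import time

SSDP_GROUP = ("239.255.255.250", 1900)  # standard SSDP multicast address and port
IGD_TYPE = "urn:schemas-upnp-org:device:InternetGatewayDevice:1"
GATEWAY_MARKERS = ("InternetGatewayDevice", "WANIPConnection", "WANPPPConnection")


def build_msearch(search_target=IGD_TYPE, mx=2):
    """Return the SSDP M-SEARCH datagram asking UPnP gateways to identify themselves."""
    lines = [
        "M-SEARCH * HTTP/1.1",
        "HOST: %s:%d" % SSDP_GROUP,
        'MAN: "ssdp:discover"',
        "MX: %d" % mx,
        "ST: %s" % search_target,
        "",
        "",
    ]
    return "\r\n".join(lines).encode("ascii")


def parse_reply(raw):
    """Parse one SSDP reply; return lower-cased headers, or None if not a 200 response."""
    lines = raw.decode("utf-8", errors="replace").splitlines()
    if not lines:
        return None
    status = lines[0].split()
    if len(status) < 2 or not status[0].startswith("HTTP/1.") or status[1] != "200":
        return None
    headers = {}
    for line in lines[1:]:
        if not line.strip():
            break  # a blank line ends the header block
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers


def find_gateways(replies):
    """Given (sender_ip, raw_bytes) pairs, return one finding per UPnP gateway."""
    found = {}
    for ip, raw in replies:
        headers = parse_reply(raw)
        if headers is None:
            continue
        ident = headers.get("st", "") + " " + headers.get("usn", "")
        if any(marker in ident for marker in GATEWAY_MARKERS):
            found.setdefault(ip, {
                "ip": ip,
                "location": headers.get("location", ""),
                "server": headers.get("server", ""),
            })
    return [found[ip] for ip in sorted(found)]


def probe_lan(wait=3.0):
    """Send one M-SEARCH on the local network and collect replies for `wait` seconds."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.setsockopt(socket.IPPROTO_IP, socket.IP_MULTICAST_TTL, 1)  # stay on the LAN
    replies = []
    deadline = time.monotonic() + wait
    try:
        sock.sendto(build_msearch(), SSDP_GROUP)
        while True:
            remaining = deadline - time.monotonic()
            if remaining <= 0:
                break
            sock.settimeout(remaining)
            try:
                raw, (ip, _port) = sock.recvfrom(65507)
            except socket.timeout:
                break
            replies.append((ip, raw))
    finally:
        sock.close()
    return find_gateways(replies)


# Constructed sample replies (not captured from a real device): a router with
# UPnP on, a media player that is not a gateway, and an unrelated NOTIFY message.
SAMPLE_REPLIES = [
    ("192.168.1.1", b"HTTP/1.1 200 OK\r\n"
                    b"ST: urn:schemas-upnp-org:device:InternetGatewayDevice:1\r\n"
                    b"USN: uuid:00000000-0000-0000-0000-000000000001\r\n"
                    b"SERVER: ExampleOS/1.0 UPnP/1.0 ExampleRouter/1.0\r\n"
                    b"LOCATION: http://192.168.1.1:5000/rootDesc.xml\r\n\r\n"),
    ("192.168.1.20", b"HTTP/1.1 200 OK\r\n"
                     b"ST: urn:schemas-upnp-org:device:MediaRenderer:1\r\n"
                     b"LOCATION: http://192.168.1.20:8080/desc.xml\r\n\r\n"),
    ("192.168.1.30", b"NOTIFY * HTTP/1.1\r\nNT: upnp:rootdevice\r\n\r\n"),
]

if __name__ == "__main__":
    gateways = probe_lan()
    if not gateways:
        print("No UPnP gateway answered; consistent with UPnP being off.")
    for gw in gateways:
        print("UPnP still answering at %(ip)s (%(server)s) %(location)s" % gw)
```

No answer is consistent with UPnP being disabled, but the router's own settings page remains the authoritative place to confirm it.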

4. Add a WPA2 key

It’s time for another password, this time to secure and encrypt your wireless connection.

Wireless Encryption Password

First, use WPA2, not WEP. WEP encryption turns out to be easily crackable[2], and even WPA (without the 2) has been shown to be vulnerable.

Second, just as you did for the router’s administration password, select another good, secure key / password / passphrase (the terms are roughly interchangeable here). You only need to enter it once here, and once on each machine allowed to connect to your wireless network.

Having a strong WPA2 key ensures that only machines you allow on your network can see your network, traffic, and router.
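How a WPA2 passphrase becomes the actual key, as an added example that is not part of the original article. It goes slightly beyond the text: in WPA2's pre-shared-key mode, a passphrase of 8 to 63 printable characters is stretched into a 256-bit key with the network name as salt, or the key can be entered directly as 64 hex digits. The function name is an assumption made for this illustration.

```python
import hashlib
import string

_PRINTABLE = set(range(32, 127))  # character codes allowed in a WPA2 passphrase


def wpa2_psk(secret, ssid):
    """Return the 256-bit pre-shared key (as hex) for a WPA2 pre-shared-key network.

    `secret` is either a passphrase of 8 to 63 printable ASCII characters or
    a raw key written as exactly 64 hex digits. Raises ValueError otherwise.
    """
    ssid_bytes = ssid.encode("utf-8")
    if not 1 <= len(ssid_bytes) <= 32:
        raise ValueError("SSID must be 1 to 32 bytes")
    if len(secret) == 64:
        if all(c in string.hexdigits for c in secret):
            return secret.lower()  # already a raw key, used as is
        raise ValueError("64 characters is only valid as a hex key")
    if not 8 <= len(secret) <= 63:
        raise ValueError("passphrase must be 8 to 63 characters")
    if any(ord(c) not in _PRINTABLE for c in secret):
        raise ValueError("passphrase must be printable ASCII")
    # PBKDF2-HMAC-SHA1 with the SSID as salt, 4096 iterations, 32-byte output.
    key = hashlib.pbkdf2_hmac("sha1", secret.encode("ascii"), ssid_bytes, 4096, 32)
    return key.hex()


if __name__ == "__main__":
    # Constructed sample values: the same passphrase on two network names
    # yields two different keys, because the SSID is part of the derivation.
    print(wpa2_psk("correct horse battery staple", "HomeNet"))
    print(wpa2_psk("correct horse battery staple", "HomeNet-Guest"))
```

The key's strength comes entirely from the passphrase, which is why a long passphrase matters more than which of the three terms the router's settings page uses.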

5. Disable WPS

WPS, or Wi-Fi Protected Setup, doesn’t live up to its name – it’s not very “protected” at all.

WPS was intended as a way to make setting up a protected Wi-Fi network easy. WPS would, with the push of a button, set up Wi-Fi encryption between the router and clients that supported it.

The problem with WPS is that the protocol is flawed in such a way that it is vulnerable to a brute force attack. A malicious entity within range can force their way onto your network, bypassing any encryption keys you might have set up.

WPS is enabled by default on many routers. Turn it off.

6. Turn off logging

This has less to do with configuring a secure router and more to do with maintaining your privacy.

This is also about making sure logging is still turned off, since if a router supports any kind of logging at all, it’ll likely be off by default.

LinkSys Logging Options
Disable the logging, and no information will be kept on the router or sent to any other machine. This should also clear any log the router has.

It’s worth pointing out that most consumer-grade routers do not have the capacity to actually keep complete logs themselves. If they keep anything, it will only be a shorter, partial log. When enabled, some will offer to send the log to one of the computers on your network for storage. Simply disabling logging will not erase any logs stored elsewhere.

7. Secure your router physically

As we’ve already seen, even if the default administrative password is unique to your device, it’s still visible to anyone with physical access to the router who can see the sticker on which it’s printed.

In fact, your secure router may not be secure at all if anyone can just walk up to it.

All of your router’s security settings can be reset in a flash if someone has physical access to the device. Almost all routers have a “reset to factory defaults” mechanism (typically by holding a reset button for a certain amount of time). If someone can walk up to your router and do that, all the security settings you’ve enabled may be instantly erased.

Only you can judge whether or not you need this extra level of physical security, but do consider it.

8. Check for firmware updates

Routers (and access points) are really just small computers dedicated to a single task: handling network traffic. Normally the software — referred to as “firmware”, since it’s stored within the device’s hardware — is solid and just works.

Unfortunately, security vulnerabilities are sometimes discovered, requiring you to update your router’s firmware to stay secure. This usually involves downloading a file for your specific router and using its administration interface to install the update. Some routers can fetch and install the update directly. Either way, the update is a manual step you need to take.

Checking to see if there’s a firmware update for your router is also a manual step. Some routers perform the check at the push of a button in the administration interface. If not, you need to visit the manufacturer’s support site, look for information pertaining to your specific model, and determine if a newer version of the firmware is available.

Two steps that aren’t steps

Each time I mention this article, folks make two additional suggestions for Wi-Fi specifically that do not improve security at all. In fact, they may harm security by providing a false sense of added security.

The first is MAC address filtering. I discuss this in more detail in Is MAC Address Filtering a Viable Wireless Security Option? but the bottom line is that, like a cheap padlock, MAC address filtering only keeps out honest people. If someone wants to access your network, MAC address filtering is easily bypassed.

The second suggestion is to turn off SSID broadcast on wireless networks. Even when not being broadcast, the SSID is still visible, unencrypted, in the packets of traffic sent to and from the router. Disabling the broadcast, once again, does nothing to prevent someone with the skills from easily discovering it. I discuss this in more detail in Does Changing or Disabling the Broadcast of My Wireless SSID Make Me More Secure?

When it comes to Wi-Fi, putting a WPA2 password on the connection is currently your best security measure.

Footnotes & references

1: Some ISPs will insist on this, but they’ll also prevent you from administering your own router. More common is a scenario where you’re responsible for supporting someone else’s network — say that of a friend or family. Remote administration can be helpful in a case like that. Even so, I’d think twice about setting it up, and would insist on an exceptionally secure password if you do.

2: It’s essentially like having no encryption at all.

136 comments on “7 Steps to a Secure Router”

  1. Hi Leo,

    If you have a wireless router (both router and wireless access point functions built-in to the same device), there’s one more setting you might want to consider.

    On these devices there’s usually an option to disable wireless administration. This means that you can only make configuration changes while connected via ethernet cable. That way, even if someone gains access to your wireless network, all attempts to gain access to the router will be ignored.

  2. Hi Leo,
    I don’t know how to configure my settings so the encryption is WPA. It says my encryption is WEP right now. This means that it is easier to hack, correct? I had no choice on encryption options when I set up the router. I was wondering how to change the settings of the router (if it is via installation disk or something else)?

    Not something I can answer. It depends on the specific model of router you have. Normally it’s done with a browser interface, but you’ll need to check your router’s documentation.

    – Leo
    09-Mar-2009
    • Also, visit the router manufacturer’s website to see if an upgrade to the firmware is available. Getting such an upgrade and installing it can sometimes add WPA2 capability.

  3. if this is a wireless router, you may also want to enable Wireless MAC filtering.

    As I understand it, MAC filtering is kinda pointless. For one thing, MAC addresses are not part of the encrypted data, so they’re sent in the clear, and they’re also very easy to spoof. Someone could sniff your traffic, find a MAC address that you’ve allowed through, start spoofing that address and get on your network. Using WPA with a strong passphrase is much more secure.

    – Leo
    10-Mar-2009
  4. Wireless MAC filtering is the only way to go as both WEP and WPA encryption have been hacked. MAC address filtering ensures that only computers with the MAC address you specify in the router can connect to it.

    WPA has not been cracked – that’s a misunderstanding of something else. As mentioned above, MAC addresses are easily seen and spoofable.

    – Leo
    10-Mar-2009
  5. Forgot to mention that it’s also good practice to stop broadcasting your SSID.

    There’s not much value in hiding the SSID. As I understand it, the SSID is still visible within packet traffic and sniffable. Once WPA with a strong passphrase is by far your best protection – with that it doesn’t matter if your SSID is broadcast or not.

    – Leo
    10-Mar-2009
    • As I understand it, it’s in fact a very bad practice.
      If your router is hidden by not broadcasting your SSID, then ALL devices connecting to it need to announce themselves. That announcement is something like this: deviceName.password@networkName or something similar.
      That call is NEVER encrypted. In fact, it’s impossible to encrypt that. All devices set to connect to that network must call the hotspot periodically, typically every 2 minutes or so. The call always contains a list of every network to which that device ever connected.
      This opens you to the so-called “evil twin” attack, where someone simulates one of the trusted networks.
      It also opens another attack vector: a sniffer may catch your call and replicate it. This may allow an attacker to connect to your network masquerading as you…

    • MajorDad, you obviously didn’t even read the full article as Leo addressed both your points specifically. The point of Leo’s articles are to inform and dispel misinformation. After doing so, the misinformation continues.

      • Reid. This article was from 2009, as were major dad’s comments. The article was updated recently (5/16) apparently incorporating the info into the article.

        • Please help me. I am a single mother and my teen is not doing as needed and I need help. Her device is what I need to get operator control through router. Please help

  6. Regarding the original question on CISCO, they do make a home-level router: Zonealarm Z100G which has antivirus, antispyware and a robust firewall BUILT-IN to the hardware. The AV and Antispyware is updated automatically like that on your computer. I have been using the Z100G for a year and it has cut 99% of the spyware and viruses off that I used to get at my computer. Further, it blocks hack attempts at the router rather than letting them flow to my computer for software blocking. (I can see the IP addresses of these hack attempts in the log.) This router acts much like the Enterprise Cisco router most of us are used to using at work.

  7. Leo,

    I have two Linksys routers, one a standard W54 wireless and one that a Verizon or Sprint aircard plugs into for remote site internet access. From the standpoint of who can access either wirelessly, am I wrong to rely only on router MAC address filtering? Logic would suggest the router will only talk to the two laptops whose MAC IDs are entered into the router table. Greatly appreciate your newsletter and expertise…mike

    MAC address filtering is not reliable. MAC addresses are easily spoofed.

    – Leo
    12-Mar-2009
  8. I had a Belkin fsd7230-4 model type and it stopped working after some time, so I got a new router, which is a Cisco wrt54g, but how do I know, when I search for devices, which one my new router really is? Right now I don’t know if I’m using my router’s route or some other router’s route. I just want to use mine and secure it. Please inform me what I’m doing.

    If the old one has been removed, and the new one installed, and your internet now works, it seems like it must be working.

    – Leo
    13-Mar-2009
  9. Verizon FiOS’s wireless router uses the WEP type key. Within the “Advanced” settings there appears to be a means to select WPA rather than WEP. Has anyone using FiOS done this successfully? Any glitches or warning? Curious before I go there.

  10. The physical security of routers would become stronger than now if that reset button were removed completely and instead one small electronic item were added to the hardware of the router, and that item’s job is to reset the router when it receives a special signal from a key provided with each router. When the key is pressed, it sends the required reset signal, just like that used for cars to open and close the doors. Then no one can do a reset unless he has the key. I don’t know why the manufacturers have not thought of that yet.
    Thanks for your articles.
    mohamad ahmad

  11. Using Dlink wireless 615, can I set up the router to ask for a passphrase each time a client wishes to connect, like after a reboot? My laptop sees the router and connects automatically, but I’d like to discourage clients that have had access in the past from just being able to log on and use bandwidth in a conference environment.

  12. How do I secure my Verizon FIOS router/modem from other users within my network? I’m hardwired to it but the others in my household use it wirelessly. I would like to know if they can still “tap” into my computer. Thanks.

    • They just can’t “tap” into your computer. They, and you, can’t do it even if they are hardwired to your router.
      ONLY if you explicitly set some folders as shared, then, they can see and access those, but absolutely nothing else. Even in this case, you may only grant read access, impose per user quotas (if allowed write privileges) and some other limits.
      There is no way for them to even see anything else on your computer, or for you to see anything else on theirs. If it’s not explicitly shared, it’s not accessible.

  13. Maybe I’m starting from a few steps behind, but what this doesn’t tell me, and I don’t know, is how to access my router settings.

    That varies greatly depending on exactly what router you have. Check the manual that came with it, it should all be explained there. Here’s an example walkthrough that works for some LinkSys equipment: How do I change my router’s password?

    Leo
    25-Jun-2010

  14. hi i got a question.
    i changed the password like you told me to but i didn’t change the username. now i login to my router because i don’t know the username. what should i do??

  15. Here’s a nice writeup on logging on Netgear routers:

    http://kb.netgear.com/app/answers/detail/a_id/1014/~/using-netgear-router-logs

    They start out: “Router log features vary by model. Advanced, business-oriented routers such as the FVS328 have extensive logging features, such as monitoring for specific types of attack, and reporting to a security monitoring program. Home routers such as the WGR614 and WGT624 only have only basic features such as router reboots, and reporting when people go to sites that you blocked.”

  16. I had a Linksys router too, but recently got a Netgear router. What I liked about this router is that besides the WPA2 password security, it also blocks any other connections except those that have an approved MAC address. Together, both those items block all the non-authorized connections. It also is far easier to set up.

  17. A good tip to add to this is to only access the router via https – I have a Cradlepoint and a Linksys and both have the setting for that, usually under admin. That way when you send your password over the internet it is secured. In the case of the Cradlepoint I have to physically type https in the browser – the Linksys pulls it up automatically…

  18. where do i find these screens?

    Check the documentation that came with your router. It’s different for each, but typically starts with a special “url” (like http://192.168.1.1 – but it may be different) that you enter into your browser. The router documentation will have the specifics.

    Leo
    13-Oct-2011

  19. Leo, I would be interested in your views on WPS (WiFi Protected Setup), what the risks are with it, and so whether it should be turned off (if possible!!). Thanks

    I never use it and turn it off when possible. A decision I don’t regret after hearing that there are apparently design problems with it that render it basically unsecure.

    Leo
    09-Jun-2012
  20. I really appreciate this article, changed from WEP to WPA. This is a Verizon DSL router, an Actiontek. You just go into the wireless section, choose WPA, and add a password.

    While in the router, even though NAT was enabled, noticed that the firewall was indicating not on. Never have noticed that before nor had a problem. Elsewhere Leo mentioned routers having built in firewalls, but maybe people need to check and see if it says the firewall is on?

    Or conversely, is there an additional firewall of some sort plus the one you can enable? And if you have the Windows firewall enabled, is that too much? So far, no problems, but I am a bit confused, any help would be appreciated.

    Some routers have an additional firewall – that’s not what I’m talking about. I’m simply talking about DHCP and NAT routing that as a side effect of what the router does works as an effective incoming router. No idea what the firewall option on any particular router would add to that mix and I’d probably leave it off myself. Turning on the Windows firewall is redundant protection against internet threats if you’re behind a router, but it is additional protection from other machines on your own network. If things work it’s typically benign to leave on.

    Leo
    14-Jul-2012
  21. @Aung Naing
    If many people know your wireless key, you could change it. You can find out how to do this either by reading the documentation that came with your router or on the manufacturer’s website.

  22. Hey Leo. If logging was on, is there any way to delete the logs? Could people still view the logs even if they’re off?
    Please respond asap

    No way to know – it depends on the router. Check the documentation for the router, or the support site of the router’s manufacturer.

    Leo
    09-Oct-2012
  23. Hi Leo, I have a router/EMTA from Comcast. Any way to lock it down more than it is? The model is Arris tg862; it’s their most commonly used one.

    • You’ll have to check the documentation that came with that router, or ask Comcast. IF they allow you to configure it (sometimes ISPs that provide the router don’t) then there should be a way to access the configuration screens for it via your browser. Exactly how that works differs for every router, so I can’t really get you details.

  24. Thank you for this article. I have a Linksys WRT54G Router (which is what you mentioned in your article, I believe….). I was able to verify MOST of the settings that you had mentioned (which were already set as you suggested). HOWEVER, I could not find a setting for WPS. I *did* find a setting for “SecureEasySetup” (which is enabled by default). However, I could not figure out what that setting is (and the online help does not seem to mention this setting). Can you clarify this? Thank you!!

      • Thank you… I thought that the WAP54G that you use would be similar enough to the WRT54G that you might have been more definitive… but I took your advice here…

  25. I have D-Link. I don’t even know how to access all these settings??? and where I can change password. Years back when I bought it, I just plugged it in I think.

    • My DLink is at 192.168.0.1 I think that might be the default IP address. So try typing that into your internet browser and see if you get in to the log in screen. Failing that, go to a command prompt (Start Menu, Run, CMD) and type ipconfig. Look for Default Gateway. That should be the IP address of the router.

      The default log in for my router is “admin” with no password. Try that. If you get in, it’s time to start securing it, like Leo suggests.

  26. Any router that is DD-WRT or Tomato firmware supported should have its firmware flashed with those. If you’re concerned about security. Search the net for router backdoors. Most have them built in from the factory. My routers- Dlink are not supported. And Dlink is made in China and known to have the backdoor. But flashing with DD-WRT or Tomato should make your router more secure and remove the factory backdoor.

  27. Hello, I use Comcast and I would like to know how to do the above step to secure my router. I have tried but cannot locate any of the places to change the password. Also Comcast provides Norton, that I use and they do remotely connect to my system to help me keep secure. PLEASE help. I want to secure all things on router, especially the password that I cannot find.

    Thank you

    • Unfortunately I can’t. For one thing you haven’t told me what router you have (there could be many different makes and models provided by Comcast, and how you do this could be different for each one). It’s also possible that you can’t – some ISPs lock access to the routers they provide. I’m not saying this is the case, but when a company like Comcast provides the router it’s something that would not surprise me.

      First go to Comcast and get information on how to access your router’s configuration, if it’s allowed. Then look up that model on the internet for a users guide to the settings. Then look for the settings that mirror what you see in this article.

    • WPA2 uses the strongest encryption algorithm of the choices listed. The PSK version is a simplified version for home use which is slightly less secure. Some home routers only work with the PSK version. So you might want to experiment. Try WPA2 straight, and if that works great. If not, you can switch to WPA2-PSK and still be safe. Although, in your case, the message says your router can handle straight WPA2.

      • Sounds good, thanks. Just enabled WPA2 and disabled WPS. I didn’t find anywhere to turn off logging, so hopefully it was off by default as mentioned.

        • Rats. I was not able to change to WPA2…I guess I had forgotten to click Apply, and now when I try to switch from WPA2-PSK to WPA2 I get this message: “RADIUS Server IP address is invalid.” On my settings it shows: “RADIUS Server 0.0.0.0, RADIUS Port 182, RADIUS Key [blank] ” So maybe, like you said, I can’t use straight WPA2. At least I was allowed to disable WPS.

  28. Hello Leo, i read some article and some tips doing router backdoor, My question is how to know that my router can backdoor?

  29. Leo, I’ve been using WPA2-PSK for ages on a router bought deliberately to handle the security upgrade. No problems.

    Now I’m trying to assist a 71 year old lady connect her new/reconditioned Apple Pro to her USB Router. The Apple Pro appears to have inserted a layer between the router name and the ordinary password and demands a WSP2 password. Am I correct in suspecting that the older USB modem cannot handle a WPA2 password or is there something more cryptic about the Apple Pro. She can connect with random modems at cafes etc, but not with her own.

    I’ve suggested a 10 to 20 character password of upper and lower case and numerals, one that is not listed in the dictionary, is that description characteristic of a WPA2 password? If not could you suggest a typical example please? Thanks, Reg.

    • That’s a fine password approach. As to why it’s not working – it’s hard to say. Open WiFi hotspots don’t use a password at all, so those would work easily. It’s possible her USB modem doesn’t support WPA2 (older ones may not). Try just plain old WPA.

  30. an AT&T router can most likely be configured through http://192.168.1.254
    If this is incorrect, look for a printed IP address on the box.

    2-Wire AT&T routers used to support the local-only domain name gateway.2wire.net. However, a recent software update removed this.

  31. My router has these protocols as options.

    HTTP
    HTTPS
    FTP
    Telnet
    SMTP
    DNS
    NetBIOS
    POP3
    IMAP
    NNTP
    IRC
    H323
    All Other Protocols

    NETBIOS was already disabled, and I disabled telnet, IMAP and POP3 on my own. What else should I disable?

    • For internet-side incoming connections? None of those should be needed. For outgoing connections, none of those should be blocked.

      • I Didn’t even realize these checkboxes were underneath a horizontal line titled “Outbound Protocol Control”. Thank you for clarification.

  32. Hi Leo.

    I’ve been able to do almost everything you recommended, so I’m mostly happy. But I can’t find any way to disable logging on my Belkin N300 router. Is it possible that it can’t be done?

    No info on the subject through Belkin that I can find. I’ve had the router over 30 days so I have to pay them for info now. If I just forget about it, how serious is that? Also, is it always advisable to disable logging? What if someone does something unpleasant with the router? How would I find out about it with logging disabled?

    Regards.

    Robert

  33. I heard Cisco was one of the safest routers to use….Is this true?
    And if someone was hacking in, it would record the IP address, is this true?
    Could you please list the top 5 routers that would be safest ones to purchase.

    Thanks,
    Lily

  34. Clearly WPA2 is best, but even if MAC filtering isn’t foolproof, isn’t it wise to use all enforcements available? It shouldn’t really be a matter of comparison between the two unless there is a reason you cannot have both enabled at the same time. It seems kind of a no-brainer. Do both, and every other misc security measure setting available to help, as long as they don’t conflict or cancel out the other.

    • MAC filtering is similar to adding a small padlock closing the door over the heavy lock, or adding a “Don’t pass” sign in front of your driveway. It’s a small additional hurdle that will dissuade the casual snoop.

  35. OK, all settings fixed. And thanks. Now my Samsung 2165w wants to become a “cloud printer” and to do that needs to join my wi-fi network. No control panel, so entering the password isn’t possible. It has a WPS button and that’s what Samsung recommends (there’s really no choice!). So if I go ahead and link the printer into the network using WPS, does that destroy the connections of all the computers that log in to wi-fi using the password?

    I know you can toss off the answer, and I truly am thankful. But can you teach me to fish a bit by referring a couple of references that will take me from total ignorance to being able to ask more clear questions in this area?

    Regards,

    Carls

  36. What are your thoughts on choosing “Mixed WPA-PSK/WPA2-PSK” for wireless security? This was the default for my modem router. I’m wondering if I should leave it at that setting. Thanks.

  37. all my equipment comes from charter internet. i have a little black rectangular box with 4 green lights and one red light on it. is that my router and can i change the password? or should i?

  38. Do you recommend the Windows Utility “Who Is On My WiFi?” If yes, is the free version enough? The story of why I’m looking for something like that is below. I do not have a technological background so I’m learning as I go. I’ve made mistakes with freeware, so before I download anything, I check AskLeo. I didn’t find it through a search on your webpage.
    =================
    We live in Hong Kong. We changed routers a month ago after our router was infected with the “Moon Worm.”

    I had reset the router (which had come with our apartment). But WiFi access had become very slow.

    Then I tried to re-load the firmware. It wasn’t available for that model on the router website. When we called the company, they hung up on us. (We tried both Cantonese and English.)

    So we got a new router. We continued to have the same problems — wildly intermittent WiFi. Speed tests showed it to be normal 1/2 the time and then download access would plunge so that websites took a minute to load, if they did. Speed tests would time out.

    We began to suspect that the internet provider had added a lot of users to this area and that it had been a coincidence that access speed had plunged at the same time I was dealing with the Moon Worm.

    We called in the provider, who said it was our router and my laptop. I ran diagnostics on my laptop, and it was fine. I have no trouble accessing the Internet at my husband’s office or in our house in the States.

    Faced with the speed tests, the company finally agreed to switch our service to coaxial cable at a minimal cost, which took place yesterday. The speed is incredible most of the time. EXCEPT, there are still times when we cannot download websites and the speed tests time out. We do not have our TV connected to the cable. In our apartment, only two laptops and one phone are using the WiFi.

    The technician told us yesterday that we should buy a better router.

    But before we do anything else, we want to rule out that anyone or anything is using our WiFi account. It looks like the utility “Who Is On My WiFi?” will log who and when someone is accessing our WiFi account. Do you recommend it and will the free version be enough?

  39. I’m on Comcast and they will not let me change the wireless Wi Fi Password. They supply it! It’s been a thorn from day one. I’ve considered an additional router, and did have an extra which died (a refurb, slightly out of warranty!). However that would seem to be moot, because if Comcast passes through then any Wireless would as well.

    • Looking at the configuration guide, I have as connected devices, under DHCP/Reserved IP, a computer which has both WiFi and Ethernet enabled. I can disable either. If I disable WiFi, which won’t be a problem for me, will that decrease the ability for it to be hacked via WiFi?

      • A second router is probably as safe as you can get. It would be essentially as safe as changing the password on your Comcast router.

  40. On my sorta-new Netgear N600 Wireless Dual Band Gigabit Router, Netgear explicitly advises AGAINST changing the preset WiFi network name (SSID) and the network key (password). “The default SSID and password are uniquely generated for every device (like a serial number), to protect and maximize your wireless security.” And “NETGEAR recommends that you do not change the preset SSID or password.” They do provide the ability to change those items if you do not agree.

    Your thoughts, Leo?

    • I think they’re concerned that after setting up what is presumably a secure random password, most people would change it to be something less secure.

  41. Hi Leo,

    Thanks for all of your great advice. I have two questions concerning router security for which I cannot find answers. I would appreciate any thoughts you or your readers might have.

    I have a ZyXEL PK5001Z wireless router provided through my DSL provider (CenturyLink). I have contacted both ZyXEL and CenturyLink for a user’s guide or router documentation to help me answer the questions, which I’ve discovered doesn’t exist, with both companies saying the other should provide. Here are my questions:

    1) For both IPv4 and IPv6, I have the option to set the firewall at “low,” “medium,” or “high.” The default setting for both IPv4 and IPv6 is “low.” Do you think I should increase the firewall security setting? Neither ZyXEL nor CenturyLink can tell me more about these settings. The router is NAT enabled so maybe this is not that important? Any thoughts you have would be appreciated, this router is used in a small business with customer-sensitive data.

    2) It does not seem that my DSL provider (CenturyLink) provides support for IPv6, however the firewall for this option is enabled, and I think this is the default. However, the CenturyLink technical adviser told me that I should only have the IPv6 firewall enabled if my “IT person” had a very good reason for it (we are a small business, no IT person except me). Is there any reason to disable the IPv6 firewall? Having it enabled does not seem to be harming anything.

    Thanks again for your thoughts!

    Best,
    Corey

    • 1) No idea. Really silly that they can’t provide a manual. With NAT on, though, I’d not worry.
      2) I’d leave IPv6 settings alone. They shouldn’t interfere with anything.

  42. I have Verizon FiOS. To have full functionality of the guide for TV, one has to use the Verizon-supplied router (mine’s an Actiontec, but I think they use more than one kind, perhaps depending on the part of the country). I’ve set mine to WPA2 and changed the default password to a very long convoluted one. Unfortunately there seems to be a back-door that allows Verizon to see the password the user sets on the router. It’s possible that it’s usable only from the LAN side of the router (and not the WAN side), which would be much less worrisome.

    My evidence for this back-door is that there’s a Verizon utility called the In-Home Agent that they encourage people to install on computer on the LAN. I installed the utility long after setting up the router and one doesn’t have to enter any credentials into the utility, yet that utility displays the current setting of the router password. If the ability to query the router for its password works from the WAN side too, then this is a huge security hole. I’m considering cascading my own router (with a separate, distinct password) off the Verizon-supplied Actiontec, and connecting my wired LAN to that, but that would be overkill if the router can’t be polled for its password from the WAN side. Do you have any idea what’s necessary?

  43. This guide is okay. Just forget about turning off the logging part please (Leo?), you’ll need that information to see if there are any prolonged “attacks” on your WAN nodes. If there is you’d wanna know about it because those attacks can cause bad latency and slow reaction times from your router. The example in the above picture in the router’s web interface is a function where you’ll send the logs to a so-called syslog server, which collects logs over the network, basically. It’s not that complicated. Just download a simple syslog server, there’s one on SourceForge. Set it up on your client (just install it, that’s it..) and set the IP in the router to point to your client (client being your normal computer..). And then you can read the logs there as the list fills up instead and take appropriate action if necessary. It’s as simple as 123, I promise! Have fun!
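The syslog collection described in the comment above, as an added example (not part of the original comment or article): a minimal Python receiver for the UDP syslog messages a router sends, which also flags source addresses that keep reappearing. Port 5514, the log file name and the `SRC=` field wording are assumptions; many routers can only send to the standard port 514, which needs administrator rights to bind.

```python
"""Minimal UDP syslog receiver for router logs (added example)."""
import re
import socket
from collections import Counter

# Syslog datagrams start with "<PRI>", where PRI = facility * 8 + severity.
PRI_RE = re.compile(rb"^<(\d{1,3})>(.*)$", re.DOTALL)
SEVERITIES = ("emerg", "alert", "crit", "err",
              "warning", "notice", "info", "debug")
# Assumed firewall-log wording ("SRC=1.2.3.4"); routers differ, so adjust.
SRC_RE = re.compile(r"\bSRC=(\d{1,3}(?:\.\d{1,3}){3})\b")

# Constructed sample datagrams, not output from any real router.
SAMPLES = [
    b"<4>Jan  5 03:12:01 router kernel: DROP IN=wan SRC=203.0.113.7 DPT=23",
    b"<4>Jan  5 03:12:02 router kernel: DROP IN=wan SRC=203.0.113.7 DPT=2323",
    b"<4>Jan  5 03:12:04 router kernel: DROP IN=wan SRC=203.0.113.7 DPT=23",
    b"<4>Jan  5 03:12:09 router kernel: DROP IN=wan SRC=203.0.113.9 DPT=80",
    b"<134>Jan  5 03:13:10 router dhcpd: lease 192.168.1.23 to laptop",
]


def parse_syslog(datagram: bytes) -> dict:
    """Split one datagram into facility, severity name and message text."""
    match = PRI_RE.match(datagram.strip())
    if not match or int(match.group(1)) > 191:
        # No valid priority header: keep the raw text rather than drop it.
        text = datagram.decode("utf-8", "replace").strip()
        return {"facility": None, "severity": None, "message": text}
    pri = int(match.group(1))
    return {
        "facility": pri // 8,
        "severity": SEVERITIES[pri % 8],
        "message": match.group(2).decode("utf-8", "replace").strip(),
    }


def repeated_sources(messages, threshold=3) -> dict:
    """Return source addresses that appear in at least `threshold` messages."""
    counts = Counter()
    for message in messages:
        found = SRC_RE.search(message)
        if found:
            counts[found.group(1)] += 1
    return {ip: n for ip, n in counts.items() if n >= threshold}


def serve(host="0.0.0.0", port=5514, logfile="router-syslog.log"):
    """Receive datagrams forever, append them to a file and print alerts."""
    seen = []
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock, \
            open(logfile, "a", encoding="utf-8") as out:
        sock.bind((host, port))
        while True:
            data, (sender, _) = sock.recvfrom(4096)
            record = parse_syslog(data)
            # One record per line, so a crafted datagram cannot forge entries.
            text = record["message"].replace("\r", " ").replace("\n", " ")
            out.write(f"{sender} {record['severity']} {text}\n")
            out.flush()
            seen.append(text)
            noisy = repeated_sources(seen[-500:], threshold=20)
            if noisy:
                print("repeated sources:", noisy)


if __name__ == "__main__":
    parsed = [parse_syslog(raw) for raw in SAMPLES]
    print(repeated_sources([p["message"] for p in parsed]))
    serve()
```
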

  44. Dear Leo,
    Thanks for the work.
    I have set my router password to AES,
    how can I ensure that when my computer is connected to that network, the user is unable to copy the password through wifi properties?

    • The password is not stored on the router. When you create the password, it generates a code on the router which cannot be used to recreate the password. When the password is entered upon login, it generates that code again. If it matches the original password, it logs you on.

  45. Hi Leo,

    After changing to https and disabling the wireless web access, I’m having problems to enter again to my Linksys administration web page having a wired connection. Can you give me any ideas on this?

    Thanks in advance.

    • Aircards contain flash memory which is capable of storing data. As to what information is stored, I don’t believe mobile providers make that information available to the public. They would have some connection information related to connection such as connection times and possibly some IP addresses visited. Sprint would have all that and more, so you wouldn’t have to worry about them. I would expect they clean the card before giving it to someone else if for no other reason than to protect them from privacy violation lawsuits.

  46. While looking to obtain a Gigabit Speed Router.. I have noticed many routers use “Web Based” configuration setups.. (I found one major manufacturer the other day where the ability to disable this “Feature” although originally designed into the Wireless Router had been disabled at the Factory…)

    So, my Login and Keys are then in fact either routed thru or sitting on some Company’s Server.. which then configures my router remotely as a part of how I set the data.. (Passwords, Encryption Keys etc…)

    Doesn’t this mean all one need do is access the Web Server where the data may or may not be retained or sniff as the data is set to obtain my Security Data?

    Am I misunderstanding something? because to me.. that’s not security.. just Security Theater.

    NS

    • My understanding of “web based” configuration is that the device provides a web page that’s accessible only on your local network. For example you might connect to http://192.168.1.1 (or something similar) in your browser to configure your router. That’s local to you only. Many routers then have the option to enable configuration access across the internet, which is something I strongly recommend you disable since that could be a way for someone somewhere else to gain access to your network.

      I’ve not heard of the scenario that you describe – where you configure your router by going to a site on the internet. It’s always something local to the router itself.

      Now, that being said, I do know of some ISPs that prevent local administrative access to the router – only they can configure it, and by definition that means they do it remotely. Presumably they have appropriate security in place to keep that access safe.

  47. I live in Mexico and use Telmex DSL internet.
    My router has a preconfigured password that is different on their different units. The password is pasted on the router itself so anyone wanting to get it would need to be physically present as far as I can tell. I have given that only to my daughter when she was visiting me here. Looking at the wireless connection it is WPA2-PSK so not too bad, huh?

    I do turn off everything connected to my laptop every night so even if I do get hacked, they cannot get access then and it saves electricity.

    Their service is generally good and I have been pretty happy with it.

  48. Hi Leo, the problem is, if your router is affected, then would frequent resetting and reconfiguring not make the modem unusable? Even if I reconfigure the router, I am having DNS server connection problems often. I do not find any settings in my router page about the solutions you give on disabling some settings. Only the configuring the router form is there. Where could I find UPnP and remote settings?
    Which page would have it in my router? When I was frequently visiting the page without doing anything and saving, I also had an access problem in getting to my gateway page, i.e., router page. I get object protected. Rom pager is protected messages. I again had to reset and reconfigure. This has been going on for the past 20 days.
    Are there any WiFi virus scanners, so that I could get rid of any virus in the router?
    Hoping to get a response to my problem.

  49. I am securing my network and noticed that you suggest turning off UPnP, but before I do this I have to ask do I need UPnP to play the online game Words With Friends? I have users on my home network that play games like WWF and Candy Crush, in this case will I need UPnP enabled?

  50. Hi, very good article as has always been.
    But after I changed the admin to some strong coded pw, and stored the same in the computer, and forgetting to back up the cfg file, suddenly the HDD went to deep sleep never to return.
    The files including the pw files of bb and WiFi are gone. I could retrieve the wireless pw, through accessing the WiFi, but could not remember the coded pw. If I reset, I had to reconfigure.
    Is there any other idea of retrieving the router admin pw of a D-Link router?
    I would also recommend to use Avast AV for it has a provision to check your router also. If you get the tool separately well and good. But Avast, when it scans, reports whether a router is vulnerable, like rom O vulnerability etc., and will advise.
    Changing the pw of admin is a must, but please do store a printed copy of it in a safe place in case the system goes dead. I will also advise you to check with this link. It is a free tool and would be useful
    https://www.grc.com/x/ne.dll?bh0bkyd2

  51. For more on the topic see my RouterSecurity.org website. Some other tips: use a Guest network whenever possible, test the firewall in your router, configure the router to give out safer DNS servers than those provided by your ISP and don’t use a common LAN-side IP address for your router.

    Also, talking to a router via web interface may not be the wave of the future. Many routers can be configured via a cloud service and/or smartphone app.

  52. I suggest that the biggest threat to your computer’s security IS from Malware and the like. So yes, changing your default password is undoubtedly the first step to securing your router, closely followed by all the other adjustments you suggested!

    But I think you REALLY threw the cat amongst the pigeons when you said that anyone who has physical access to your router can reset it to its default settings and thereby undo all the changes you made to the router! I’m not sure that’s actually true? Because aren’t all the adjustments you suggest made via your router’s LAN IP address? If so, can this really be undone by anyone physically resetting your router with the reset button? If so, how do you suggest we secure our routers physically? Put them in cupboards, locked with a configurable padlock??? Isn’t that just a wee bit OTT?

    I changed the default password on my router’s IP address once but I haven’t checked that it is still what I set it to, so I must do that asap.

    • One place I work keeps the router in a locked cupboard specifically designed for networking devices. Of course, it can be broken into, but it would be obvious, so you’d know it was done, and you could easily change it back. If you are concerned, you could do the same thing at home.

      • Yeah, in a business setting – or any environment in which a mix of people may be coming and going – it makes sense to physically secure the router but, as I said, it’s really not something the average home user needs to be too concerned about.

    • Of course anyone with physical access can undo all that you’ve done. Your router’s LAN address has little to do with it. And yes, if physical access is a concern, then locking it up is the only solution I’m aware of.

      • Some third-party firmware such as DD-WRT enables reset functionality to be disabled – but it’s a somewhat extreme solution to something that, for most people, isn’t really a problem.

  53. “Can this really be undone by anyone physically resetting your router with the reset button?” – Yup, resetting it restores the default settings, including the default password (which, obviously, comes in quite handy if you’ve forgotten the password).

    While it’s a security weakness, it’s probably not something most people need to be too concerned about.

  54. Regarding UPnP: Is this functionality required if using internet phone, since “outside” requests (calls) need to get in?

    How about WAN ping blocking? My router allows toggling this, but I would imagine one would want to block ping requests in most cases.

    • Depending on how you use your network, you may or may not need UPnP or, alternatively, to manually forward ports if UPnP is disabled – and VoIP is definitely something that may need UPnP/port forwarding.

      I actually leave UPnP enabled. As far as I know, UPnP vulnerabilities are not currently being exploited in the wild and so I consider the convenience/security trade-off to be worthwhile.

        • There’re a number of things – media servers, VoIP phones, mobile printing, etc. – that may not work correctly with UPnP disabled (unless ports are diddled with manually). As I said, I consider the risks of having it enabled to be so small as to be not worth worrying about. Yup, there were a couple of vulnerabilities discovered in older versions of the stack – back in 2011 and 2013, I think – but those were addressed in newer implementations. I think the risks were very much blown out of proportion.

          That said, there’s no reason not to disable it. If something stops working, it can easily be re-enabled or addressed via port forwarding.

    • UPnP: Typically no. While an outside call appears to come in, it’s typically via a persistent connection initiated by software on your machine (going out).

  55. I have a BEC Technologies router installed by my provider. I used portforward to look up the factory settings and typed in user name and password. It didn’t work. I also left user name blank and typed in only the password. It still didn’t work. Factory settings tell me user name and password are the same. I have two routers; when I use the standard IP I get my Belkin router. Why can’t I access my BEC Technologies router? Could my provider have changed the settings? I seem to remember you saying providers don’t change them. If my provider changed the settings and they get hacked, won’t that cause me and other customers problems?

  56. I have a Motorola Surfboard SBG 6580 router/wifi. There is a 20 alpha-numeric factory password on the nomenclature sticker on the unit. I’m told this password is unique to my router/wifi. Is this safe to use? Is it sufficiently secure?

    Thanks
    Larry

  57. Very helpful! Just got a new router this past week and had not found my way around it. Thanks!

    One thing, I am unable to find anything about logging or access log on my TP Link router or manual. Is there another term for this?

    Also, a dumb question, under NAT I found Application Layer Gateway (ALG) with 8 things to allow or not allow (pass-throughs, etc.) They are all enabled by default. Have no idea whether to leave it this way. Any help appreciated.

  58. If I once connected my PC to my bf’s router when I was at his place, can I see all the websites he visited now that I am back at my place and using my own router? Just because I was once connected to his?

  59. My friend asked for my password to wifi her Apple iPhone. I gave it to her. Can she see into all my family’s home computers now? I also have an Apple iPhone; can she access everything on my iPhone?

  60. I have a wireless network. Anyone logged into my network can view my Wifi password when they browse my IP address. How can I prevent them from accessing my router settings? I do have a username and a password but when one browses my IP address, the router settings page displays them all- my username, password and my wireless ID and password. I have a “netis” router.

    • Unfortunately, if you give people access to your network, they can discover your network password, and the only way to prevent them from finding out the password is not to allow them access to your LAN.

  61. I’ve had people tapping into my WiFi (by driving past my house). I tried all of the so-called fixes, even tried putting the router under the bed to partially block the signal. These culprits even tapped into my TV and were able to change my channels at random. They also destroyed my computer. How do I hardwire my DSL modem to my TV and/or is there anything else I can do??

    • Changing the router password to something long and unguessable as suggested in the article should prevent drive-by tapping into your WiFi.

      • I’ve changed the passwords, disabled logging, remote administration, UPnP, and I’ve done everything I could find online that’s supposed to limit if not stop this, to no avail. At the moment I don’t have dsl or wifi because of this problem. I don’t know what else to do.

        • A good router password should keep people out of your network. Are you sure someone is stealing your bandwidth? If so a couple of possibilities come to mind. Perhaps your router is vulnerable and has a backdoor, in which case a different router might fix it. Another is that someone may have surreptitiously connected a cable to your network.

  62. This is an excellent article but I can’t do anything it suggests because although my router works and all my devices are online, suddenly I’m unable to simply access my router settings. The IP is 192.168.1.1 for the Actiontec router; I get a log in pop up (not the normal router login screen) that won’t accept my correct credentials. Tried resetting the router to factory and same thing, I’m connected and online but can’t get into the settings, on various devices with various browsers. The message is “the server is asking for your credentials over an insecure (http) connection” … when I enter the credentials (now simply “admin” and “password” since I tried the reset) nothing happens. When I close the popup there’s a message “401 unauthorized. Authorization required.” This is a router less than 2 years old for which I had previously had no problem accessing the settings but it has been about a year since I needed to. The ISP is notoriously bad, when you call them with any issue the story is that their computer systems are impossible to figure out, and dealing with them is a nightmare. I wonder if anyone else is having a similar issue with accessing their router settings.

  63. Router security is obviously a topic that many worry about. I share all the concerns, and since our routers are our front lines of defense, I’m wondering if anyone knows the pros and cons of using a router with VPN firmware flashed onto it to help protect a network. Also, where would they recommend placing the VPN router in the network? Do multiple routers on the network’s internet input improve security? And would the outermost router be the VPN one? I obviously don’t know anything about network design and protection, but being recently hacked makes me very concerned about how to improve my network’s security as mentioned in the article. I would like to have as much protection as possible, and the encryption a VPN offers seems to add security, as the IP address protection seems like it could help. Any help out there? I could use any help.

  64. To secure your router you must always keep your router up to date. Your router should be protected with a WPA2 security key, which will improve your security more. You should disable auto logging off the router. Your router’s default SSID and password must be changed. {misleading URL removed} can help you if you don’t know how to secure your router.

  65. Hi Leo, my landlord has two broadband internet subscriptions. She has offered that I can use one of her broadband connections, which is subscribed in her name. Will it be safe to use her broadband internet subscription for business purposes if I buy and use my own router, replacing her current router?

    • I’d be shocked if your landlord let you replace her router. Basically it all boils down to this: do you trust your landlord? If not, then the only way to use any connection she supplies is through a VPN.
