8 Steps to Securing Your Router

Your first and most effective defense against internet-based threats.

Your router is your first line of defense against malicious attacks from the internet. Is yours secure?
I’d like to know how to clear the history of my Linksys router. I’d also like to know how I can make it more secure and protect it from hacking.

The topic is an important one: how do you make sure you have a secure router? It’s your first line of defense against automated malware attacks trying to get at your computer from the internet to install more malware.

You want to ensure there aren’t big gaping holes. And sadly, very often and by default, there are.

Here are the most important steps to a more secure router.

TL;DR:

Securing your router

  1. Change the administrative password
  2. Disable remote management
  3. Turn off UPnP
  4. Use WPA2 or WPA3 for Wi-Fi
  5. Disable WPS
  6. Turn off logging
  7. Secure it physically
  8. Check for firmware updates

My router versus your router

I must start with a caveat: there are hundreds, if not thousands, of different routers. Different brands and different models have differing capabilities, power, and, of course, differing cost.

Most importantly, they have different administration interfaces.

What that means is, I can’t tell you exactly how to make step-by-step changes to your router. The concepts I’ll cover here apply to almost all consumer-grade routers. I’ll be using an old, popular LinkSys BEFSR81 router and LinkSys WAP54G access point as my examples.

You’ll need to “translate” my examples to the equivalent settings on your own router or access point. Make sure you have access to your router’s documentation, or locate it online.

Here we may encounter a common difference: you may well have a single device that combines both the router and wireless access point. You probably refer to it as your router, but in reality, there are two separate devices — a router that deals with network access and a wireless access point that provides your Wi-Fi connectivity — that are housed in a single box. In my example, they’re in separate boxes.

1. Change the default password

If you do nothing else to secure your router, change the default administration password. Change it to be something long and strong. If your router supports it, a passphrase of three or more words might be ideal.

Password Dialog on LinkSys router
Changing the default password. (Screenshot: askleo.com)

The reason for this is quite simple: it’s a common gaping security hole.

For many years, almost every router and access point from the same manufacturer was shipped with the same default password. For LinkSys, if your login is a blank username and a password of “admin”, as outlined in its manual, then anyone and everyone knows it. Anyone can log in to your router and undo any or all of the rest of the security steps we’re about to take.

Then, any malware that takes advantage of the default passwords on routers can make changes without your knowledge.

Fortunately, in recent years, most — though sadly, not all — router manufacturers have gotten smarter. If the instructions that came with your router included checking a sticker on the actual router for the admin password, and that looks like a strong password, then the security hole is significantly smaller. Now only those people who can walk up to your router and look at that sticker can get in.

I’d change the password anyway.

2. Disable remote management

“Remote Management” is a feature that allows your router to be administered from anywhere on the internet.

LinkSys Filters

LinkSys Remote Management
Disabling remote management. (Screenshot: askleo.com)

While this setting (coupled with a very strong password) might make sense for a handful of people, for most folks there’s absolutely no need to administer the router from anywhere but the local machines connected to it.

Make sure the remote management setting is off.

3. Turn off Universal Plug and Play

Universal Plug and Play (UPnP) is a technology that allows software running on your machine to configure services like port forwarding (a way of allowing computers outside your network to access your local computers directly) without you having to go in and administer the router manually.

It seems like a good idea, right?

Nope. Turn it off.

LinkSys UPnP setting
Turning off Universal Plug and Play. (Screenshot: askleo.com)

It turns out malware can also be UPnP-aware and can make malicious changes to your router without your involvement or awareness.

(Note: UPnP is unrelated to Windows “Plug and Play” hardware detection; it’s just another unfortunate collision of similar names.)

4. Add a WPA2 key

It’s time for another password, this time to secure and encrypt your wireless connection.

Wireless Encryption Password
Adding a WPA2 key. (Screenshot: askleo.com)

First, use WPA2 or WPA3, not WEP. WEP encryption turns out to be easily crackable, and even WPA (without the 2) has been shown to be vulnerable.

Second, just as you did for the router’s administration password, select another good, secure key / password / passphrase (the terms are roughly interchangeable here). You only need to enter it once here and once on each machine allowed to connect to your wireless network.

Having a strong WPA2 key ensures that only machines you allow on your network can see your network, traffic, and router.

5. Disable WPS

WPS, or Wi-Fi Protected Setup, doesn’t live up to its name; it’s not very “protected” at all.

WPS was intended as a way to make setting up a protected Wi-Fi network easy. WPS would, with the push of a button, set up Wi-Fi encryption between the router and clients that supported it.

The problem with WPS is that the protocol is flawed in such a way that it is vulnerable to a brute force attack. A malicious entity within range can force their way onto your network, bypassing any encryption keys you might have set up.

WPS is enabled by default on many routers. Turn it off.

6. Turn off logging

This has less to do with configuring a secure router and more to do with maintaining your privacy.

LinkSys Logging Options
Turning off logging. (Screenshot: askleo.com)

Disable the logging, and no information will be kept on the router or sent to any other machine. This should also clear any log the router has.

It’s worth pointing out that most consumer-grade routers do not have the capacity to keep complete logs themselves. If they keep anything, it will be a shorter, partial log. When enabled, some will offer to send the log to one of the computers on your network for storage. Simply disabling logging will not erase any logs stored elsewhere.

7. Secure your router physically

As we’ve already seen, even if the default administrative password is unique to your device, it’s still visible to anyone with physical access to the router who can see the sticker on which it’s printed.

In fact, your secure router may not be secure at all if anyone can just walk up to it.

All of your router’s security settings can be reset in a flash if someone has physical access to the device. Almost all routers have a “reset to factory defaults” mechanism (typically by holding a reset button for a certain amount of time). If someone can walk up to your router and do that, all the security settings you’ve enabled may be instantly erased.

Only you can judge whether or not you need this extra level of physical security, but do consider it. It might be as simple as keeping the device in a locked room or closet.

8. Check for firmware updates

Routers (and access points) are really just small computers dedicated to a single task: handling network traffic. Normally, the software — referred to as firmware since it’s stored within the device’s hardware — is solid and just works.

Unfortunately, security vulnerabilities are sometimes discovered, requiring you to update your router’s firmware to stay secure. This usually involves downloading a file for your specific router and using its administration interface to install the update. Some routers can fetch and install the update directly. Either way, the update is a manual step you need to take.

Checking to see if there’s a firmware update for your router is also a manual step. Some routers perform the check at the push of a button in the administration interface. If not, you need to visit the manufacturer’s support site, look for information pertaining to your specific model, and determine if a newer version of the firmware is available.

Two steps not to take

Each time I mention this article, folks make two suggestions for Wi-Fi that do not improve security at all. In fact, they may harm security by providing a false sense of added security.

The first is MAC address filtering. I discuss this in more detail in Is MAC Address Filtering a Viable Wireless Security Option?, but the bottom line is that, like a cheap padlock, MAC address filtering only keeps out honest people. If someone wants to access your network, MAC address filtering is easily bypassed.

The second suggestion is to turn off SSID broadcast on wireless networks. Even when not being broadcast, the SSID is still visible and unencrypted in the packets of traffic sent to and from the router. Disabling the broadcast does nothing to prevent someone with the skills from easily discovering it. I discuss this in more detail in Does Changing or Disabling the Broadcast of My Wireless SSID Make Me More Secure?

When it comes to Wi-Fi, putting a WPA2 password on the connection is currently your best security measure.

5 comments on “8 Steps to Securing Your Router”

    • Yeah, you’re not alone. That can be frustrating. I have Comcast business equipment (same company and policies, different name and target audience), and was able to put the Comcast equipment in “pass through” mode, where it basically just stopped trying to be a router, and acted like a hub. Then I added my own router under my own control. No idea if Xfinity will allow you to do that. The good news is that the ISP provisioning is usually pretty secure. (They’re on the hook if it’s not, I would assume.)

      Reply
  1. I use a cable modem/gateway and a separate router. My ISP, Comcast, has specific third-party equipment that can be used. I discovered that in the interest of convenience, Comcast allows control of their gateways via their website. That includes gateway and wireless passwords. No matter how many times I changed the gateway passwords, Comcast was always “helpful” in providing it in plain text.
    Using a separate gateway and modem, Comcast only sees the gateway and not the router. So I can set up the router to be as secure as it can be without worrying that someone in their customer service department tries to be helpful.
    Also, I save a few dollars not renting their equipment.

    Reply
