Your first and most effective defense against internet-based threats.
The topic is an important one: how do you make sure you have a secure router? It’s your first line of defense against automated malware attacks trying to get at your computer from the internet to install more malware.
You want to ensure there aren’t big gaping holes. And sadly, very often and by default, there are.
Here are the most important steps to a more secure router.
Become a Patron of Ask Leo! and go ad-free!
Securing your router
- Change the administrative password
- Disable remote management
- Turn off UPnP
- Use WPA2 or WPA3 for Wi-Fi
- Disable WPS
- Turn off logging
- Secure it physically
- Check for firmware updates
My router versus your router
I must start with a caveat: there are hundreds, if not thousands, of different routers. Different brands and different models have differing capabilities, power, and, of course, differing cost.
Most importantly, they have different administration interfaces.
What that means is, I can’t tell you exactly how to make step-by-step changes to your router. The concepts I’ll cover here apply to almost all consumer-grade routers. I’ll be using an old, popular LinkSys BEFSR81 router and LinkSys WAP54G access point as my examples.
You’ll need to “translate” my examples to the equivalent settings on your own router or access point. Make sure you have access to your router’s documentation, or locate it online.
Here we may encounter a common difference: you may well have a single device that combines both the router and wireless access point. You probably refer to it as your router, but in reality, there are two separate devices — a router that deals with network access and a wireless access point that provides your Wi-Fi connectivity — that are housed in a single box. In my example, they’re in separate boxes.
1. Change the default password
If you do nothing else to secure your router, change the default administration password. Change it to be something long and strong. If your router supports it, a passphrase of three or more words might be ideal.
The reason for this is quite simple: it’s a common gaping security hole.
For many years, almost every router and access point from the same manufacturer was shipped with the same default password. For LinkSys, if your login is a blank username and a password of “admin”, as outlined in its manual, then anyone and everyone knows it. Anyone can log in to your router and undo any or all of the rest of the security steps we’re about to take.
Then, any malware that takes advantage of the default passwords on routers can make changes without your knowledge.
Fortunately, in recent years, most — though sadly, not all — router manufacturers have gotten smarter. If the instructions that came with your router included checking a sticker on the actual router for the admin password, and that looks like a strong password, then the security hole is significantly smaller. Now only those people who can walk up to your router and look at that sticker can get in.
I’d change the password anyway.
2. Disable remote management
“Remote Management” is a feature that allows your router to be administered from anywhere on the internet.
While this setting (coupled with a very strong password) might make sense for a handful of people,1 for most folks there’s absolutely no need to administer the router from anywhere but the local machines connected to it.
Make sure the remote management setting is off.
3. Turn off Universal Plug and Play
Universal Plug and Play (UPnP) is a technology that allows software running on your machine to configure services like port forwarding (a way of allowing computers outside your network access your local computers directly) without you having to go in and administer the router manually.
It seems like a good idea, right?
Nope. Turn it off.
It turns out malware can also be UPnP-aware and can make malicious changes to your router without your involvement or awareness.
(Note: UPnP is unrelated to Windows “Plug and Play” hardware detection; it’s just another unfortunate collision of similar names.)
4. Add a WPA2 key
It’s time for another password, this time to secure and encrypt your wireless connection.
First, use WPA2 or WPA3, not WEP. WEP encryption turns out to be easily crackable,2 and even WPA (without the 2) has been shown to be vulnerable.
Second, just as you did for the router’s administration password, select another good, secure key / password / passphrase (the terms are roughly interchangeable here). You only need to enter it once here and once on each machine allowed to connect to your wireless network.
Having a strong WPA2 key ensures that only machines you allow on your network can see your network, traffic, and router.
5. Disable WPS
WPS, or Wi-Fi Protected Setup, doesn’t live up to its name, it’s not very “protected” at all.
WPS was intended as a way to make setting up a protected Wi-Fi network easy. WPS would, with the push of a button, set up Wi-Fi encryption between the router and clients that supported it.
The problem with WPS is that the protocol is flawed in such a way that it is vulnerable to a brute force attack. A malicious entity within range can force their way onto your network, bypassing any encryption keys you might have set up.
WPS is enabled by default on many routers. Turn it off.
6. Turn off logging
This has less to do with configuring a secure router and more to do with maintaining your privacy.
Disable the logging, and no information will be kept on the router or sent to any other machine. This should also clear any log the router has.
It’s worth pointing out that most consumer-grade routers do not have the capacity to keep complete logs themselves. If they keep anything, it will be a shorter, partial log. When enabled, some will offer to send the log to one of the computers on your network for storage. Simply disabling logging will not erase any logs stored elsewhere.
7. Secure your router physically
As we’ve already seen, even if the default administrative password is unique to your device, it’s still visible to anyone with physical access to the router who can see the sticker on which it’s printed.
In fact, your secure router may not be secure at all if anyone can just walk up to it.
All of your router’s security settings can be reset in a flash if someone has physical access to the device. Almost all routers have a “reset to factory defaults” mechanism (typically by holding a reset button for a certain amount of time). If someone can walk up to your router and do that, all the security settings you’ve enabled may be instantly erased.
Only you can judge whether or not you need this extra level of physical security, but do consider it. It might be as simple as keeping the device in a locked room or closet.
8. Check for firmware updates
Routers (and access points) are really just small computers dedicated to a single task: handling network traffic. Normally, the software — referred to as firmware since it’s stored within the device’s hardware — is solid and just works.
Unfortunately, security vulnerabilities are sometimes discovered, requiring you to update your router’s firmware to stay secure. This usually involves downloading a file for your specific router and using its administration interface to install the update. Some routers can fetch and install the update directly. Either way, the update is a manual step you need to take.
Checking to see if there’s a firmware update for your router is also a manual step. Some routers perform the check at the push of a button in the administration interface. If not, you need to visit the manufacturer’s support site, look for information pertaining to your specific model, and determine if a newer version of the firmware is available.
Two steps not to take
Each time I mention this article, folks make two suggestions for Wi-Fi that do not improve security at all. In fact, they may harm security by providing a false sense of added security.
The first is MAC address filtering. I discuss this in more detail in Is MAC Address Filtering a Viable Wireless Security Option?, but the bottom line is that, like a cheap padlock, MAC address filtering only keeps out honest people. If someone wants to access your network, MAC address filtering is easily bypassed.
The second suggestion is to turn off SSID broadcast on wireless networks. Even when not being broadcast, the SSID is still visible and unencrypted in the packets of traffic sent to and from the router. Disabling the broadcast does nothing to prevent someone with the skills from easily discovering it. I discuss this in more detail in Does Changing or Disabling the Broadcast of My Wireless SSID Make Me More Secure?
When it comes to Wi-Fi, putting a WPA2 password on the connection is currently your best security measure.
Do this
Subscribe to Confident Computing! Less frustration and more confidence, solutions, answers, and tips in your inbox every week.
I'll see you there!
Podcast audio
Related Video
Footnotes & References
Router Security has a much deeper list of steps and issues to consider if you want to pursue this further.
1: Some ISPs insist on this, but they’ll also prevent you from administering your own router. More common is a scenario where you’re responsible for supporting someone else’s network — say that of a friend or family. Remote administration can be helpful in a case like that. Even so, I’d think twice about setting it up, and would insist on an exceptionally secure password if you do.
2: It’s essentially like having no encryption at all.
I’m getting on a bit, but found this informative and easy to understand.
Unfortunately, I have an Xfinity WiFi/Router, and hav NO administrative access whatsoever.
Yeah, you’re not alone. That can be frustrating. I have Comcast business equipment (same company and policies, different name and target audience), and was able to put the Comcast equipment in “pass through” mode, where it basically just stopped trying to be router, and acted like a hub. Then I added my own router under my own control. No idea if Xfinity will allow you to do that. The good news is that the ISP provisioning is usually pretty secure. (They’re on the hook if it’s not, I would assume.)
I use a cable modem/gateway and a separate router. My ISP, Comcast, has specific third -party equipment that can be used. I discovered that in the interest of convenience, Comcast allows control of their gateways via their website. That includes gateway and wireless passwords. No matter how many times I changed the gateway passwords, Comcast was always “helpful” in providing it in plain text.
Using a separate gateway and modem, Comcast only sees the gateway and not the router. So I can set up the router to be as secure as it can be without worrying that someone in their customer service department tries to be helpful.
Also, I save a few dollars not renting their equipment.
I’m using an Arris T25 gateway and a TPLink 1750 router. The Arris T25 is Comcast approved.