How to Boost Your Router Security
Following these tips can help keep your personal data safe
By Nicholas De Leon
When it comes to safeguarding your personal data, there may be no tool more important than the wireless router that powers your home WiFi network.
Because it transmits all the data that flows into and out of your residence via WiFi—everything from emails to credit card numbers—the device has long been a target for hackers.
And with millions of U.S. workers working from home at least a few times per week, according to a recent Gallup survey, there’s potentially even more sensitive data at risk.
Hackers can use malware or software design flaws to hide their identity, steal bandwidth, turn your devices into botnet slaves, or worse. They can be within range of your home WiFi network, or they could be half a world away, launching an automated attack on millions of home networks at once.
In fact, just a few years ago, malware called VPNFilter, believed by the FBI to have been created by hackers affiliated with the Russian government, was devised to disable encryption, allowing cybercriminals to see passwords and other private data during transmission.
However, you can take simple steps right now to boost your router’s security and help safeguard your family’s data on your home WiFi network.
Turn On Automatic Updates
Router manufacturers typically release software updates throughout the year to address security threats, fix bugs, and improve performance.
The easiest way to make sure your router always has the latest, safest software is to activate the automatic firmware update feature available on many of today’s models.
Newer routers make this relatively easy through a companion mobile app.
For other routers, you’ll need to look in the device’s settings. You can do that by opening a web browser and typing in the device’s IP address. Very often, the address is 192.168.0.1 or 192.168.1.1. But this varies by brand. So consult the owner’s manual or do an online search for the customer support pages for your router model.
If your router doesn’t provide automatic updates, you’ll have to periodically download and install the new firmware from the manufacturer’s website yourself.
Richard Fisco, who oversees electronics testing at Consumer Reports, says that to be safe you should check for new updates at least every three months.
You can also see if there’s a way to get security notices via email from the router’s manufacturer when new software is available. Many brands offer that as an option during the online product registration process.
All companies eventually stop releasing new software for old models, though.
“If you find your router is no longer getting updates, it’s too risky to keep using it,” Fisco says. “Verify its status with the manufacturer, and if it has reached the ‘end of life’ stage, buy a new router.”
One smart pick for a relatively inexpensive wireless router that supports automatic firmware updating is the TP-Link Deco W6000, which costs around $150 and supports the latest WiFi standard, known as WiFi 6.
It’s also a mesh router: It comprises two units that work together to spread WiFi more evenly throughout your home.
Other recommended models include the Google Nest WiFi and the Eero Home WiFi.
Turn Off Features You Don't Use
Modern routers come with many handy features that help you manage your WiFi network, but some create weak spots in your defenses.
So when you’re logged in to your router’s settings, take a minute to review applications that could present opportunities for hackers.
If you don’t use Remote Administration (also known as Remote Management or web access from WAN), make sure it’s turned off. This denies access to the router’s control panel from outside your home network. In most routers, the feature is off by default, but you should confirm this by going to the advanced or administration section of the settings menu.
Disable Universal Plug-and-Play (UPnP), which many home routers have enabled by default. UPnP can help devices on your home network connect to each other, but the added convenience isn’t worth the security risk. This feature can make it easier for malware to spread through your network.
To disable UPnP, log in to your router like you would when changing your password (see below). Find the “tools,” “advanced,” or “advanced networks” menu. From there, make sure the “Enable UPnP” box is unchecked.
And last, if you have a guest network without a password, disable it. You don’t want unwanted guests using it without permission.
Use Strong Passwords
If you’ve never done so, you should change two crucial passwords on your router: the one that lets you manage the device’s settings and the one that lets you connect other devices to the wireless network (as in, “What’s the WiFi password?”).
Routers typically ship with default passwords used to set up the device. At times, they’re even printed on a label on the router itself. For convenience, the default passwords for lots of routers also appear online—and a password that’s easy for anyone to find is no help at all.
With a little online sleuthing, a hacker could use a default password to access your network and potentially control your router. If that were to happen, the hacker could change your passwords, spy on you, or access the files on a network-attached hard drive.
The settings and connection passwords can both be changed via the router’s mobile app or the settings page (aka 192.168.1.1).
Make sure the passwords you create are strong and unique—that is, different from one another and from any other password you use. They should have at least a dozen characters, with seemingly random upper- and lowercase letters, numbers, and symbols. To keep track of them, you might also consider using a password manager.
Change the Default SSID
Lastly, you’ll want to change the default name of your WiFi network, also known as the SSID. According to CR’s Fisco, leaving the default in place can reveal your router’s make and model, potentially helping hackers break into it—especially if you haven’t changed the default passwords, too.
You can even tell your router not to broadcast the SSID at all. Once you do that, any device that has never been connected to your WiFi won’t be able to “see” the network.
To connect to the WiFi via a new device, you have to manually input the network name, instead of selecting it from a list of nearby options. But what is at most a minor inconvenience for you—how often do you connect new devices to your WiFi?—essentially makes your network invisible to would-be hackers.
Use WPA3
Security protocols for routers improve over time, which means the old ones get outdated.
Among other things, the latest standard, known as WPA3, encrypts your WiFi connection, making it harder for cybercriminals to guess your WiFi password using hacking tools that automatically cycle through tens of thousands of possibilities, says Kevin Robinson, vice president of marketing at the WiFi Alliance, which oversees the standard.
WPA3 is about 4 years old, and it has been a mandatory inclusion for Wi-Fi Certified devices for about two years. So if your router is reasonably new, it should be supported.
If your router doesn’t support WPA3, you should use the previous standard, known as WPA2-AES.
Routers that can’t use WPA2 should be replaced, according to Fisco, because they’re simply not equipped to handle today’s threats.
Passing the Password Test
What’s your password strategy when it comes to protecting your online accounts? On the “Consumer 101” TV show, a Consumer Reports expert explains what you need to know about password managers.
More from Consumer Reports:
Top pick tires for 2016
Best used cars for $25,000 and less
7 best mattresses for couples
Consumer Reports is an independent, nonprofit organization that works side by side with consumers to create a fairer, safer, and healthier world. CR does not endorse products or services, and does not accept advertising. Copyright © 2022, Consumer Reports, Inc.
