Your home router is the gateway between every device you own and the entire internet. Most people set it up once and never touch it again — leaving it with default passwords, outdated firmware, and open to attacks that have been well-documented for years. This guide walks through every practical step to properly secure your home network.
1. Change Your Router’s Default Password
This is the single most important step. Routers ship with default admin credentials (admin/admin, admin/password, or similar) that are publicly known and indexed by search engines. Anyone on your network — or in some cases, anyone on the internet if your router admin page is exposed — can log in with these defaults.
Log in to your router (usually at 192.168.1.1 or 192.168.0.1) and change both the admin password and the Wi-Fi password to long, unique, randomly generated strings. Use a password manager to store them.
2. Update Your Router Firmware
Router firmware contains the software that runs your router. Manufacturers release updates to patch security vulnerabilities, and unpatched routers are a major entry point for attackers.
Check your router manufacturer’s website or the router’s admin panel for firmware updates. Many modern routers (Asus, Netgear, TP-Link) have auto-update options — enable them. ISP-provided routers typically update automatically, but verify this in the admin panel.
3. Use WPA3 or WPA2 Encryption
Your Wi-Fi encryption standard determines how hard it is for nearby attackers to crack your network. Check your router’s wireless settings:
- WPA3: Current best standard, use it if your router and devices support it
- WPA2-AES: Strong and widely supported — acceptable if WPA3 isn’t available
- WPA/TKIP, WEP: Outdated and crackable — disable immediately if you see these
4. Create a Guest Network for IoT Devices
Smart TVs, security cameras, smart speakers, and IoT devices often have poor security and rarely receive updates. Putting them on a separate guest network isolates them from your main network — if a device is compromised, the attacker can’t reach your laptops, phones, or NAS drives.
Most modern routers support multiple SSIDs (Wi-Fi network names). Create a guest network with a different password and connect all IoT devices to it.
5. Disable Remote Management
Remote management allows you to log into your router’s admin panel from outside your home network. Unless you specifically need this, disable it — it’s an attack surface you don’t need.
Look for “Remote Management,” “Remote Access,” or “WAN Access” in your router’s settings and turn it off.
6. Disable UPnP (Universal Plug and Play)
UPnP allows devices on your network to automatically open ports on your router without your knowledge. This is a massive security risk — malware can use UPnP to create its own port forwarding rules. Disable it unless you have a specific need.
7. Check Which Ports Are Open
Use the ExamineIP Port Scanner to scan your public IP and see which ports are visible from the internet. Close any that aren’t intentionally open. Common problematic open ports include:
- Port 23 (Telnet) — disable completely, use SSH instead
- Port 3389 (RDP) — only open if you need remote desktop and have hardened the setup
- Port 22 (SSH) — if exposed, use key-based auth and disable password login
8. Use a Secure DNS Resolver
By default, your DNS queries go to your ISP’s resolver unencrypted. Switch to a privacy-respecting, fast DNS resolver:
- Cloudflare 1.1.1.1 (fastest, privacy-focused)
- Google 8.8.8.8 (fast, reliable)
- Quad9 9.9.9.9 (blocks malicious domains)
You can set this in your router so all devices on the network benefit. Understand why DNS matters for privacy: What is DNS and how does it work?
9. Enable Your Router’s Firewall
Most routers have a built-in firewall — verify it’s enabled in the settings. It should be on by default, but it’s worth confirming. The router firewall blocks unsolicited inbound connections to your network.
10. Use a VPN on Your Router or Devices
A VPN encrypts all traffic leaving your network, preventing your ISP from monitoring your activity and protecting you from man-in-the-middle attacks. You can either:
- Install a VPN app on each device (easier, more flexible)
- Configure a VPN on your router itself (covers all devices, including IoT)
PureVPN and IPVanish both support router-level VPN configuration on compatible firmware.
Related: Cybersecurity tips most people ignore
11. Regularly Review Connected Devices
Log into your router’s admin panel periodically and look at the list of connected devices. Any device you don’t recognize should be investigated — it could be a neighbour on your Wi-Fi or a compromised IoT device.
12. Check Your Public IP Regularly
Know what your network looks like from the outside. Use tools.examineip.com to check your public IP, run the port scanner to see what’s exposed, and use the DNS checker to verify your DNS configuration.
Quick Security Checklist
- ☑ Router admin password changed from default
- ☑ Wi-Fi password is strong and unique
- ☑ Router firmware updated
- ☑ WPA3 or WPA2-AES encryption enabled
- ☑ Guest network for IoT devices
- ☑ Remote management disabled
- ☑ UPnP disabled
- ☑ No unexpected open ports
- ☑ Secure DNS resolver configured
- ☑ Firewall enabled
- ☑ VPN active on sensitive devices