How to Make Your Wi-Fi Router As Secure As Possible
While more router manufacturers are making it easy to install and configure routers – even with small, easy-to-use apps instead of pesky web interfaces – most people probably don’t change many settings after buying a new router. They log in, change the name and passwords for their Wi-Fi networks, and stop there.
While this gives you (hopefully) a fast wireless connection, and chances are pretty good that your neighbor or some random evil internet person isn’t trying to hack into your router, there is still much more you can do to improve the security of your router (and home network).
Before we get to our tips, one small caveat: all wireless routers have different interfaces, different names for their settings, and different settings that you can configure. In this article, I will explore the TP-Link Archer C7 interface. You will want to go through your router’s web configuration screen (or app) to make sure you have configured all the right settings, but you may not be able to do everything we have detailed below.
Accessing your router settings
If your router doesn’t have an easy-to-use app for configuring its settings – like what you usually come across when buying a mesh network system – you can probably access its settings by opening a web browser (on a device that is connected to your router) and entering the IP address of your router:
- On Windows, open a Command Prompt and type ipconfig. The IP address listed as the default gateway is most likely the IP address of your router.
- If you’re using a Mac, go to System Preferences > Network and click Advanced in the lower-right corner. Click on the TCP/IP option at the top of the next window and find your router’s IP address.
- If you’re using an iPhone, tap Settings, then Wi-Fi, and tap the i icon next to the Wi-Fi network you’re connected to. The IP address of your router should be listed here.
Step 1. Update the firmware
Some routers hide firmware updates deep in their settings menus; some may even notify you of a new firmware update the moment you enter their applications or web user interfaces. Either way, you will want to make sure your router has the most recent firmware.
If you’re lucky, your router will be able to download new firmware updates directly from the manufacturer. You may have to press a button (or two) to start this process, or it may happen automatically – the routers that do the latter are great because most people don’t really think about “checking if my favorite technical equipment has a firmware update” on a regular basis, if ever.
It is also possible that your router will require you to download the new firmware yourself. If so, you will have to download the correct firmware from your router manufacturer – probably from your router’s support page – and manually update your router by selecting that firmware file and running the update process yourself. You will have to do this every time you want to update your router with new firmware, which means that you will have to check for new firmware quite regularly, perhaps several times a year. This is a time-consuming process that is easy to forget, but it is also important if you want to protect your router from outside threats.
Change the username and password of your router
If you are still using “admin / admin”, “admin / password”, or some variation of common words to log into your router, change that. Even if the manufacturer of your router gave you a more unusual password, which is presumably different for everyone, it is important to use a username and password that are difficult to guess or brute-force.
Even if you get stuck using “admin” as your login username, make your password something hard to guess that no one can find with a quick internet search.
Use WPA2 to secure your wireless network
This almost goes without saying, but don’t use WEP when you set a password for your Wi-Fi network. Passwords that are “protected” with WEP encryption are much easier to brute-force than passwords encrypted with WPA2. Even if you probably don’t have someone hanging out on your corner and scanning all the wireless networks, there’s no reason not to use the stronger WPA2 protocol – unless you have an older device that just can’t handle WPA2, which is unlikely. And whatever you do, don’t run an open (no password) Wi-Fi network. Oh my god.
Disable WPS
On paper, WPS – or Wi-Fi Protected Setup – sounds great. Rather than having to enter a long and rather complex Wi-Fi password on your device, you can simply enter a smaller PIN, probably printed right on your router.
Guess what? These PINs are much easier to guess than a more complex password or passphrase. While some routers time out an attacker after they fail a certain number of password attempts, that hasn’t stopped more ingenious WPS attacks from emerging. The easiest way to prevent this kind of attack is to completely disable WPS.
Yes, you will need to enter your password. Yes, it will be annoying. This is an extra minute of your life. You will be fine. Or, if you really can’t handle the process, check if your router allows push-button WPS instead of PIN-based WPS. That way, someone has to physically press buttons on your router and on any device they want to connect, making it much more difficult to use WPS to hack your network.
Use the best DNS
Browse the web a little faster by giving up on your ISP’s DNS and using a service such as Google DNS, Cloudflare’s, or OpenDNS. As an added bonus, you will also increase the likelihood that you will actually land on the websites you are trying to visit without any attacker-in-the-middle attacks, pop-ups, redirects, interstitial ads, or the annoying “you typed in your web address wrong, so we’re going to redirect you to a web page filled with spam and ads” pages your ISP might be using.
If you want to get really tricky, you can set up a service like OpenDNS on your kid’s laptop, turn on its parental controls so they don’t waste time on sites like Tumblr and Reddit, and give yourself a different DNS provider (like Google DNS) for browsing the Internet without any restrictions. Your kid will hate you, but at least they will turn out to be a rocket scientist with 27 inventions, not a Twitch streamer with 3 followers.
Consider using MAC filtering, annoying as it can be
While it’s easy for an attacker to spoof a MAC address, you can at least provide yourself with additional security by configuring your router to only connect to whitelisted devices. This filtering is based on the MAC address of each device – a long string of letters and numbers that looks something like “00-11-22-33-44-55”.
While this means you will need to go in and add any new devices you buy whenever you want them to be able to connect to your router, it also means devices that you don’t authorize won’t be able to do squat. However, as I said, MAC addresses are easy to spoof, so if this advice becomes more annoying than practical, feel free to turn off MAC filtering. Everything will be OK.
Consider scheduling your Wi-Fi
If you keep a fairly regular schedule during the week and have no reason to connect to your home devices remotely, consider using your router’s scheduling mechanism, if it has one, to simply turn off Wi-Fi when you’re not at home.
This is not the most practical advice if you have multiple smart home devices that need the Internet, for example if you want to be able to turn lights on and off to piss off your cat, or if you want to be able to watch the delivery driver drop off the expensive parcel that you ordered. If you live a relatively simple life – there is no harm in it – and nothing requires an internet connection when you are not around, then why leave Wi-Fi on for no reason? It is difficult to hack a non-existent network.
Disable potentially questionable services
You probably don’t need to mess with your router settings when you’re not connected to your wireless network. If your router has a “remote control” or “remote administration” option, make sure it is disabled.
You should also consider disabling UPnP on your router, although it may cause you a little trouble when gaming or using BitTorrent, to name two examples. That said, when an entire website is all about the various nefarious uses of UPnP … it might be time to go back to manual port forwarding if necessary.
Some routers also allow you to set up an FTP server so you can transfer files to and from your network. However, we live in an era where it is easy to use any number of cloud storage providers – or file download services – to share files. You probably don’t need to run FTP at home, and it’s much safer to disable this feature entirely (if your router supports it).
You also probably won’t need to access your router via SSH or Telnet – turn either off, if offered – and you probably won’t need to access any USB-connected printers or storage when you’re not at home. In short, if your router allows you to do things from afar, consider turning this feature off (if you can). The fewer ways you can access your home network when you’re not on it, the harder it will be for someone else to exploit a vulnerability and gain access to your router (or your home network).
If you can, consider disabling your router’s cloud functionality. While it can be helpful to be able to edit your router’s settings by logging into the vendor’s cloud service, this is just another open door that an attacker can use to compromise your router (or network). While you don’t have a choice with some routers – usually mesh routers – it is always better and safer to log into the router’s web interface manually from a device connected to your home network, even if it is much less convenient.
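To confirm that the FTP, SSH and Telnet services mentioned above are really off, you can check from a computer on your own home network whether the router still accepts connections on their standard ports. This is an added example, not part of the original article; the default address 192.168.0.1 is an assumption (use the default gateway you found earlier), and it only checks the home-network side of the router.

```python
import socket

# Services the article recommends turning off, with their standard TCP ports.
SERVICES = {"FTP": 21, "SSH": 22, "Telnet": 23}


def audit_router(host, services=SERVICES, timeout=1.0):
    """Return {service name: True if the router accepts a TCP connection}."""
    results = {}
    for name, port in services.items():
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as sock:
            sock.settimeout(timeout)
            # connect_ex returns 0 on success and an error code otherwise,
            # so a refused or timed-out connection counts as closed.
            results[name] = sock.connect_ex((host, port)) == 0
    return results


def report(results):
    """Turn the audit results into one readable line per service."""
    lines = []
    for name, is_open in sorted(results.items()):
        if is_open:
            lines.append(f"{name}: OPEN - turn it off in the router settings")
        else:
            lines.append(f"{name}: closed")
    return lines


if __name__ == "__main__":
    import sys

    # Assumed default gateway; pass your router's real address as an argument.
    router = sys.argv[1] if len(sys.argv) > 1 else "192.168.0.1"
    print("\n".join(report(audit_router(router))))
```

Run it again after changing the settings; every service you disabled should now show as closed.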
Consider a separate Wi-Fi network for guests and smart home devices
I have been playing with and testing routers for over ten years and I have yet to meet someone using their router’s guest network feature. Hell, I don’t think I’ve ever connected to a friend’s “guest network” in their house or apartment.
However, the premise of a guest network is great in terms of security: your router automatically sets up a second SSID for friends to use, and any device connecting to it is isolated from other devices on your main network, whether they are connected to your router directly or wirelessly. (Most routers allow you to configure whether you want guests to see everything, each other, or nothing if you need to tweak the setup a bit.)
The guest network also has an added bonus: you can use it for all of your less secure smart home devices. If someone exploits a vulnerability in your smart light bulb and breaks into your network, there will still be some level of protection between the compromised device and your desktop PC, smartphone and laptop, to name just a few examples. While you can also go crazy and segment your network with separate SSIDs and VLANs, if your router supports this, the guest network is an easier method and won’t give you weekend-long headaches if you don’t know what you are doing.