Most routers leave the factory configured for convenience, not security: default passwords, WPS enabled, and remote management potentially open. This 7-step checklist addresses the major attack vectors through admin credential hardening, WPA3 encryption, WPS disablement, remote management lockdown, firmware updates, IoT segmentation, and DNS security. Follow these steps once after setup and your home network will be significantly better protected against automated attacks, malware, and unauthorized access.
Factory-default router configurations prioritize ease of setup over security. Until you change the admin password and disable WPS, your router is vulnerable to automated attacks from any device on your local network. Complete this checklist as your very first post-setup task.
(1) Change the default admin password — admin/admin is known by every malware scanner; (2) Enable WPA3 or WPA2-AES encryption — not TKIP or WEP; (3) Disable WPS entirely — the PIN method has a brute-forceable design flaw. These three steps close the vast majority of home router attack vectors. See our change admin password guide and firmware update guide for detailed steps.
Default admin password: any device on your network can access and modify all router settings.
WPS enabled: an attacker nearby can crack Wi-Fi access in hours using Reaver or Bully.
Remote management enabled: the router admin panel is accessible from the internet, enabling global brute-force attacks.
Outdated firmware: exploits for known vulnerabilities are publicly available and actively used by botnets.
UPnP enabled: any infected device on the network can open firewall ports without your knowledge.
IoT devices on the main network: compromised IoT devices can scan and attack computers, NAS, and other devices on the LAN.
(1) Replace admin/admin with a unique password of 12+ characters
(2) Disable TKIP and WEP; use WPA3 or WPA2-AES only
(3) The WPS PIN can be brute-forced; disable WPS entirely
(4) Block WAN-side access to the admin panel from the internet
(5) Apply all security patches and enable auto-updates
(6) Keep smart devices separate from computers and NAS
(7) Use 1.1.1.1 or 8.8.8.8 for privacy and reliability
Factory-default admin credentials are publicly documented and actively targeted by malware scanners.
WPS PIN can be brute-forced in hours using freely available tools, granting Wi-Fi access without the password.
WAN-side admin access exposes the router management panel to internet-based brute-force attacks.
Compromised smart devices can attack other computers and NAS devices if not isolated on a guest network.
Log into your router admin panel (at 192.168.1.1 or your brand's hostname) and navigate to Administration → Password. Replace the factory-default admin password (admin, password, or the string printed on the router) with a strong, unique password of 12+ characters containing uppercase, lowercase, numbers, and symbols. This is the most critical security step: default credentials are publicly known and actively targeted by automated malware.
Navigate to Wireless → Security Mode in the admin panel. Set encryption to WPA3-Personal if your router supports it; this provides the strongest available wireless security, with protection against offline dictionary attacks. If WPA3 is unavailable, use WPA2-Personal with AES (CCMP) encryption only. Never use TKIP, and never use WEP or WPA1, which are completely broken. Also set a strong Wi-Fi password (20+ characters is ideal).
Navigate to Wireless → WPS in the admin panel and disable it completely, including the PIN method. WPS has a known design flaw (the WPS PIN can be brute-forced in hours using publicly available tools like Reaver). Disabling WPS eliminates this attack vector entirely. The WPS button on the router can remain physically present — it just needs to be disabled in software.
Navigate to Administration → Remote Management or Security → Remote Access. Ensure remote administration from the WAN side is completely disabled unless you have a specific, justified need for it. With remote management enabled, anyone on the internet can attempt to access your router admin panel, which exposes it to password brute-force attacks. If you must enable remote access, restrict it to specific IPs and require HTTPS.
Navigate to Administration → Firmware Upgrade in the admin panel. Enable automatic updates if available. If not, manually check for new firmware every 3 months. Router firmware updates contain critical security patches for vulnerabilities that are actively exploited in the wild. Running outdated firmware with known CVEs is one of the most dangerous configurations for a home network. See our firmware update guide for brand-specific instructions.
Navigate to Wireless → Guest Network and create a separate guest SSID. Place all IoT devices (smart TVs, cameras, doorbells, smart bulbs, thermostats) on the guest network, not the main network. Guest networks are isolated from the LAN — devices on the guest network cannot communicate with computers, NAS drives, or printers on the main network. This 'IoT segmentation' prevents compromised smart devices from attacking your main computers.
Navigate to WAN → DNS Settings in the admin panel. Change the DNS servers from your ISP's default to a security-focused public resolver. Cloudflare (1.1.1.1 and 1.0.0.1) provides fast, privacy-respecting DNS. Cloudflare for Families (1.1.1.3 and 1.0.0.3) adds malware/adult content blocking. Google (8.8.8.8 and 8.8.4.4) is reliable and fast. NextDNS and Quad9 (9.9.9.9) provide DNS-level threat blocking. Because the setting is made on the router, it applies to every device on your network: queries no longer go to the ISP's resolver, and the filtering resolvers block known phishing and malware domains. Plain DNS is unencrypted in transit, so enable DNS over TLS or DNS over HTTPS if your router offers it.
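The seven steps above expressed as an automated check, as an added example that is not part of the original checklist or any vendor's tooling. The settings dictionary, its key names, and both sample configurations are hypothetical and constructed for illustration; steps are numbered in the order they appear above.

```python
import re
from datetime import date
# Values come from the checklist; the settings schema itself is hypothetical.
STRONG_WIFI_MODES = {"WPA3-Personal", "WPA2-AES"}
LISTED_RESOLVERS = {"1.1.1.1", "1.0.0.1", "1.1.1.3", "1.0.0.3",
                    "8.8.8.8", "8.8.4.4", "9.9.9.9"}
TODAY = date(2026, 1, 15)  # constructed audit date

def strong_password(pw):
    """12+ characters containing upper, lower, digit and symbol."""
    classes = (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]")
    return len(pw) >= 12 and all(re.search(c, pw) for c in classes)

def audit(cfg, today=TODAY):
    """Return {step number: reason} for every checklist step that cfg fails."""
    failed = {}
    if not strong_password(cfg["admin_password"]):
        failed[1] = "admin password does not meet the 12+ character policy"
    if cfg["wifi_mode"] not in STRONG_WIFI_MODES:
        failed[2] = f"Wi-Fi mode {cfg['wifi_mode']} is not WPA3 or WPA2-AES"
    if cfg["wps_enabled"]:
        failed[3] = "WPS is enabled"
    if cfg["remote_admin_wan"]:
        failed[4] = "admin panel is reachable from the WAN side"
    stale = (today - cfg["firmware_checked"]).days > 90  # roughly 3 months
    if not cfg["auto_update"] and stale:
        failed[5] = "no auto-update and no firmware check in 3 months"
    on_main = sorted(d for d, net in cfg["iot_devices"].items() if net != "guest")
    if on_main:
        failed[6] = "IoT devices on the main network: " + ", ".join(on_main)
    if not cfg["dns"] or not set(cfg["dns"]) <= LISTED_RESOLVERS:
        failed[7] = "DNS is not one of the resolvers listed in step 7"
    return failed

# Constructed samples: a factory-default router, then the same one hardened.
# 192.0.2.53 is a documentation address standing in for an ISP resolver.
FACTORY = {"admin_password": "admin", "wifi_mode": "WPA2-TKIP", "wps_enabled": True,
           "remote_admin_wan": True, "auto_update": False, "dns": ["192.0.2.53"],
           "firmware_checked": date(2025, 1, 10),
           "iot_devices": {"camera": "main", "smart-tv": "main"}}
HARDENED = dict(FACTORY, admin_password="Tr4il-Mix&Oak!", wifi_mode="WPA3-Personal",
                wps_enabled=False, remote_admin_wan=False, auto_update=True,
                iot_devices={"camera": "guest", "smart-tv": "guest"},
                dns=["1.1.1.1", "1.0.0.1"])

if __name__ == "__main__":
    print("factory:", audit(FACTORY))
    print("hardened:", audit(HARDENED))
```

The factory sample fails all seven steps and the hardened one fails none; changing a single key in the hardened sample shows which step regresses.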
If your router is ISP-supplied and you cannot access settings to harden security, contact your ISP. They may have limited your admin panel access or can perform some security configurations remotely.
In order of importance: (1) Change the default admin password — this is the single most critical action; (2) Enable WPA3 or WPA2-AES encryption for Wi-Fi; (3) Disable WPS entirely; (4) Disable remote (WAN) management; (5) Update firmware immediately and enable auto-updates; (6) Isolate IoT devices on a guest network. If you only do the first three, your router will be significantly more secure than a factory-default configuration.
WPS (Wi-Fi Protected Setup) is a feature designed to simplify connecting devices to Wi-Fi using an 8-digit PIN or a button push. The PIN method has a design flaw — the 8-digit PIN is validated in two separate 4-digit halves, reducing the brute-force search space from 100 million combinations to just 11,000. Tools like Reaver and Bully can crack a WPS PIN in as little as 4 hours on unprotected routers. Disabling WPS entirely eliminates this attack vector.
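The search-space arithmetic behind the 11,000 figure, as an added example that is not from the original page. It assumes the standard WPS check digit, which makes the eighth digit a function of the first seven and so leaves only 1,000 valid second halves; the per-attempt time and the lockout policy are assumed values.

```python
def wps_checksum(body7):
    """Check digit for the first seven digits of a WPS PIN (the 8th is derived)."""
    accum = 0
    for i, ch in enumerate(reversed(f"{body7:07d}")):
        accum += int(ch) * (3 if i % 2 == 0 else 1)
    return (10 - accum % 10) % 10

def valid_second_halves(first_half):
    """Count 4-digit second halves whose check digit is correct for this first half."""
    count = 0
    for second in range(10_000):
        body7 = first_half * 1000 + second // 10
        if wps_checksum(body7) == second % 10:
            count += 1
    return count

def worst_case_attempts(first_half=1234):
    """Halves are confirmed independently, so the two search spaces add, not multiply."""
    return 10 ** 4 + valid_second_halves(first_half)

def hours_to_exhaust(attempts, secs_per_attempt, lock_after=0, lock_secs=0):
    """Time to try every candidate, with an optional lockout after N failures."""
    lockouts = attempts // lock_after if lock_after else 0
    return (attempts * secs_per_attempt + lockouts * lock_secs) / 3600

if __name__ == "__main__":
    n = worst_case_attempts()
    print(f"nominal 8-digit space: {10 ** 8:,}")
    print(f"split validation:      {n:,}")
    # 1.3 s per attempt is an assumed rate, chosen to match the 4-hour figure above.
    print(f"no lockout:            {hours_to_exhaust(n, 1.3):.1f} h")
    # Assumed policy: a 60 s lockout after every 3 failures.
    print(f"with lockout:          {hours_to_exhaust(n, 1.3, 3, 60):.1f} h")
```

Under these assumptions a lockout stretches the exhaustive search from hours to days but does not remove it, which is why the checklist disables WPS rather than relying on rate limiting.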
SSID hiding provides only cosmetic security, not real protection. Any wireless scanner (including free mobile apps) can detect hidden SSIDs — the network still broadcasts its presence, just without a name. Hidden SSIDs also cause connection issues with some devices and make troubleshooting harder. Focus on strong WPA3/WPA2-AES encryption and a strong Wi-Fi password instead — these provide real security rather than security theater.
MAC address filtering is not an effective security control in 2026. MAC addresses can be trivially spoofed — an attacker who captures the wireless traffic can see authorized MAC addresses in plain text (even on WPA2 networks) and clone them. MAC filtering creates administrative overhead (you must add every new device manually) without providing meaningful security. Use strong WPA3 encryption and a strong Wi-Fi password instead.
UPnP (Universal Plug and Play) allows devices on your network to automatically open ports in the router's firewall without user approval. This is convenient for gaming, streaming, and video calls, but malware on any infected device can also use UPnP to open ports, bypassing firewall protection. Disable UPnP if your network does not specifically require it. For gaming, use manual port forwarding instead of UPnP — it provides the same connectivity with explicit control over which ports are open.