The humble broadband router is a vital bit of equipment, granting access to the internet and providing home networking. However, when it comes to security that anonymous blinking box in the corner is often overlooked.
Most likely, you use the Wi-Fi router supplied by an ISP. And if you don’t there’s a good chance it’s a consumer model from a popular brand like Netgear, D-Link, or Asus. This makes a hacker’s job much easier because a single security exploit could be used to compromise millions of identical routers. Compounding this is the fact that many routers still use factory default settings, so accessing a router might be as simple as knowing the default password for that brand.
A Wi-Fi hub is the gateway between your personal devices and the wider world and if it is not properly configured your private data and home network - along with everything attached to it - are at risk. But there are simple steps everyone can take to minimise the risks.
Here are a few easy ways you can bolster your home broadband router security.
Accessing the router’s administrative settings
You'll need to access the administrator control panel for your router in order to change the settings. But as each make and model can have slightly different ways of getting to the administrative tools it’s impossible for us to give exact instructions for your particular setup.
Typically the management controls are viewed with a web browser using either a URL (some Netgear models use routerlogin.net, for example) or an IP address (i.e. https://192.168.1.1). You’ll then be prompted to enter a username and/or password.
The default login details will be printed on the router itself, or in the manual.
Some routers may offer a software utility, but this can be limited to a few of the most common controls for basic setup so it’s usually best to go through the web interface.
The options themselves can also vary wildly. They may be labelled differently and not every router will offer the same choice of settings. If you get stuck, consult the user manual or search online for a solution specific to your hardware.
Change the administrator login
The admin login gives access to all the router’s settings so it's vital you have a secure password. And because the default admin login is often the same for every router of that make or model it’s extremely important to change this to something unique as soon as possible.
Some routers will allow you to change both the username and password, but others may only permit the password to be modified (or may not even ask for a username). As always, it’s a good idea to use a password manager so you can have a long and complex code without having to write it down or remember it.
Disable remote administration
Many Wi-Fi routers offer a remote management function that permits access to the admin controls from outside the home. But this represents a risk as it can be exploited by viruses or used by hackers to get to your router controls (especially dangerous if you haven’t changed the admin password). You're unlikely to have much cause to use this feature, so save yourself any potential trouble and disable it.
Whenever possible, use HTTPS rather than HTTP to access your router’s web controls to prevent the traffic from being monitored. This might be an option you have to enable within your router, or you can try adding HTTPS to the beginning of the router's IP address (https://xx.xx.xx.xx) when logging in.
Update the router firmware
Firmware is your router's operating system and keeping it up to date is vital for improving security. Manufacturers will deploy updates to patch security holes and provide new features so you should grab the latest version as soon as possible. This may require manually checking for an update as not all routers will alert the user of an update automatically.
Limit administrative access to wired connections
This is not a feature every router offers, but if available it’s a good idea to limit access to the router’s configuration settings to wired connections. This means that anyone who wanted to mess with your network hub would have to be plugged directly in with an ethernet cable, rather than being able to sit outside on the Wi-Fi.
Secure the Wi-Fi network
As well as updating the administrator password, another important step for the initial setup of any network is modifying the Wi-Fi settings.
Out of the box, the Wi-Fi network name and password will usually be printed on a sticker fixed to the router itself. While the default Wi-Fi password is usually random and reasonably secure, it's still not ideal to have it displayed on the router if you want to prevent kids or guests jumping on your Wi-Fi whenever they like.
To avoid your broadband connection becoming a free-for-all for anyone who can read, change the Wi-Fi password to something only you know.
When changing the password use at least 12 characters and make it random, don't use a dictionary word or phrase that could be easily guessed.
Check the Wi-Fi security options and make sure the Wi-Fi uses ‘WPA2’ or 'WPA3' encryption. And if you have the choice select the "AES" encryption protocol, instead of "TKIP".
Do not use the outdated and insecure 'WPA' or 'WEP'.
The Wi-Fi network name (or SSID - Service Set Identifier) can also be modified. It is important to do this if the current name gives away the make and model of the router. Otherwise, an attacker could easily identify the hardware and attempt to use known vulnerabilities or default passwords.
Wi-Fi Protected Setup (WPS) is a seemingly handy feature that allows new devices to be quickly connected to the Wi-Fi by pressing a button or entering a PIN. But WPS is a flawed and insecure standard that can be exploited to hack Wi-Fi passwords.
For this reason, it is best to disable the feature whenever possible. Some routers may not allow WPS to be switched off completely, but might instead offer the option of disabling the PIN function. That does mitigate the risk of a remote hack but can still allow WPS to be activated with a button press.
Universal Plug n Play (UPnP) is a protocol designed to allow software and hardware to communicate over a network without user configuration. But it’s a security risk as it can be exploited by malware or used to access a router over the internet.
Many home broadband users can disable UPnP for greater security without negative impact, however, you may find that certain applications such as Skype and online games no longer work and will require manual port forwarding.
If you don’t mind trading some security for convenience you might prefer to leave UPnP enabled. But if so use the ShieldsUP! scanner to check for common vulnerabilities; it should be left disabled if this indicates that your connection is insecure due to UPnP.
Disable PING responses
A simple fix, this one. Check your router is set not to respond to ‘PING’ requests over the internet. That means if someone on the internet is scanning for active devices by sending out a ‘PING’, your router will stay silent rather than making its presence known.
Change your DNS
When you enter a web address into a browser it's translated into the server IP address by a Domain Name System (DNS) server. DNS is the internet's address book, and if you ever find that you're unable to access websites it may be due to problems with DNS servers.
Most routers allow you to change the DNS server and add additional servers for redundancy. This can slightly improve web browsing speed, provide more resiliency against outages, and as a bonus some DNS services provide web filtering to block harmful sites. Changing the DNS will also prevent ISPs from hijacking DNS to insert adverts.
There are numerous free public DNS services. We recommend the following:
Most routers support two different DNS servers, but some may allow three or four to be entered. Two is plenty, but it won't hurt to set up more if the option is available.
Enable a guest network
If the router has a guest network feature you can use this to provide isolated access to guests and internet-only devices. The guest network provides broadband but blocks local connections to other hardware on your home network.
If you have any smart home devices such as thermostats, lightbulbs, and smart speakers it is a good idea to use the guest network for these to make it more difficult for hackers attempting to exploit insecure hardware.
Guest networks have their own SSID and password, so follow the rules above when setting this up.
For more help and information read our dedicated guide to using guest Wi-Fi.
Monitor attached devices
It’s normal for routers to provide an overview of devices connected to the network. This will typically display the device name, connection type, internal IP address and MAC address. Check this regularly — if you notice an unknown device it may be a sign the network has been compromised. This can be particularly helpful if the broadband is running slower than normal and you suspect a neighbour has accessed your Wi-Fi.
Buy a better router
Switching to a high-end router can provide superior performance, security and features compared to ISP supplied hardware.
But don't just look at consumer hardware. An entry-level small business router from a manufacturer such as Billion or DrayTek can have more rigorous security and come with vulnerable features like WPS disabled out of the box.
When buying a router take the time to check the manufacturer's history of firmware updates. Do they regularly issue patches, and continue to support older models for a reasonable amount of time? If not you could find that shiny new router is left exposed to newly discovered exploits.