Your broadband router is a vital bit of equipment, it grants you access to the internet and provides home networking. However, when it comes to security, that anonymous blinking box in the corner is often overlooked.
Most likely, you use the Wi-Fi router supplied by your internet service provider (ISP). And if you don’t, there’s a good chance it’s a consumer model from a popular brand like Netgear, D-Link, or Asus. This makes a hacker’s job much easier because they only have to exploit the security of a single router to compromise millions of identical ones.
What makes this worse is the fact that many wireless routers still use factory default security settings. So all a hacker might need to access a router is to know the default password for that brand.
A Wi-Fi hub is the gateway between your devices and the wider world. So, if it’s not properly configured, your private data and home network, along with everything attached to it, are at risk. But there are simple steps everyone can take to minimise the risks.
Here are a few easy ways to bolster your home broadband router security.
Accessing the router’s administrative settings
You'll need to access the administrator control panel for your router to change the settings. But as each make and model can have slightly different ways of getting to the administrative tools, it’s not possible for us to give exact instructions for your particular setup.
Typically, the management controls are viewed with a web browser. This will either be through a URL (some Netgear models use routerlogin.net, for example) or an IP address, i.e. https://192.168.1.1.
You’ll then be prompted to enter a username and/or password.
The default login details will be printed on the router itself, or in the manual.
Some routers may offer a software utility, but this can be limited to a few of the most common controls for basic setup, so it’s usually best to go through the web interface.
The options themselves also vary between makes and models. We’ve tried to use fairly generic terms here, but on your router they may be labelled differently, and not every router will offer the same choice of settings. If you get stuck, consult the user manual or search online for a solution specific to your hardware.
Change the administrator login
The admin login grants access to all the router’s settings, so you must have a secure password. However, because the default admin login is often the same for every router of that make or model, it’s critical to change this to something unique as soon as possible.
Some routers will allow you to change both the username and password, but others may only permit the password to be modified. Some might not even ask for a username.
As always, it’s a good idea to use a password manager, so you can have a long and complex code without having to write it down or remember it.
Disable remote administration
Many Wi-Fi routers offer a remote management function that permits access to the admin controls from outside the home.
But this represents a risk as it can be exploited by viruses or used by hackers to get to your router controls. This is especially dangerous if you haven’t changed the admin password. You're unlikely to have much cause to use this feature, so you should save yourself any potential trouble and disable it.
HTTPS is an encrypted web connection. Whenever possible, use HTTPS rather than HTTP to access your router’s web controls to prevent the traffic from being monitored.
This might be an option you have to enable within your router, or you can try adding HTTPS to the beginning of the router's IP address like this, https://xx.xx.xx.xx when logging in.
If you have decided to leave remote administration enabled (see above) then it’s important to ensure your router is using HTTPS for admin access.
Update the router firmware
Firmware is your router's operating system, and keeping it up to date is vital for improving security.
Manufacturers will deploy updates to patch security holes and provide new security features, so you should grab the latest version as soon as possible.
This may require you to manually check for an update, as not all routers will alert the user of an update automatically.
Limit administrative access to wired connections
This isn't a feature every router offers, but if available, it’s a good idea to limit remote access to the router’s configuration settings to wired connections.
This means that anyone who wanted to mess with your network hub would have to be plugged directly in with an ethernet cable, rather than being able to sit outside on the Wi-Fi on a mobile device.
Secure the Wi-Fi network
As well as updating the administrator password, another important step for the initial setup of any network is modifying the Wi-Fi settings.
Out of the box, the wireless network name and password is often on a sticker fixed to the router itself. While the default Wi-Fi password is usually random and reasonably secure, it's still not ideal to have it displayed on the router if you want to prevent kids or guests from jumping on your Wi-Fi whenever they like.
To avoid your broadband connection becoming a free-for-all for anyone who can read, change the Wi-Fi password to something only you know.
When changing the password, use at least 12 characters. If you wish to create a strong password/passphrase that is easy to remember and say, try generating one with Diceware.
Check the Wi-Fi security options and make sure the Wi-Fi uses ‘WPA2’ or 'WPA3' encryption. And if you have the choice, you should select the "AES" encryption protocol instead of "TKIP".
Don’t use the outdated and insecure 'WPA' (Wi-Fi protected access) option or 'WEP' (wired equivalent privacy) option, either. If your router doesn’t offer at least WPA2, it should be replaced with a newer model.
The SSID or Service Set Identifier is the name of your Wi-Fi network.
The SSID can be modified, and you may wish to change this if the current name gives away the make and model of the router. Otherwise, an attacker could easily identify the hardware and attempt to use known vulnerabilities or default passwords.
It can also be useful to change the name if you live in a busy area and many other people have Wi-Fi routers from the same broadband provider as they’ll probably all have similar names.
Wi-Fi Protected Setup or WPS is a seemingly handy feature that allows new devices to quickly connect to the Wi-Fi by pressing a button or entering a PIN.
But WPS is a flawed and insecure standard that can be exploited to hack Wi-Fi passwords.
For this reason, it is best to disable the feature whenever possible.
Some routers may not allow WPS to be switched off completely, but might instead offer the option of disabling the PIN function. That does mitigate the risk of a remote hack though it can still allow WPS to be activated with a button press.
Universal Plug n Play, or UPnP, is a feature designed to allow software and hardware to communicate over a network without user configuration.
But it’s a security risk as it can be exploited by malware or used to access a router over the internet.
Many home broadband users can disable UPnP for greater security without negative impact. However, you may find that certain applications such as Skype and online games no longer work and will require manual port forwarding.
If you don’t mind trading some security for convenience, you might prefer to leave UPnP enabled. But if so, use the ShieldsUP! scanner to check for common vulnerabilities. It should be left disabled if this indicates that your connection is insecure due to UPnP.
Disable PING responses
A simple fix, this one: check your router is set not to respond to ‘PING’ requests over the internet.
If someone on the internet is scanning for active devices by sending out a ‘PING’, your router will stay silent rather than making its presence known.
Change your DNS
When you enter a web address into a browser, it's translated into the server IP address by a Domain Name System or DNS server.
DNS is the internet's address book, and if you ever find that you're unable to access websites, it may be due to problems with DNS servers.
Most routers allow you to change the DNS server and add additional servers for redundancy. This can slightly improve web browsing speed, provide more resiliency against outages, and as a bonus, some DNS services provide web filtering to block harmful sites. Changing the DNS will also prevent ISPs from hijacking DNS to insert adverts.
There are numerous free public DNS services. We recommend the following:
Most routers support two different DNS servers, but some may allow three or four to be entered. Two is plenty, but it won't hurt to set up more if the option is available.
Enable a guest network
A guest network isolates guests and internet-only devices.
The guest network provides broadband but blocks local connections to other hardware on your home network.
If you have any smart home devices such as thermostats, lightbulbs, and smart speakers it’s a good idea to use the guest network for these to make it more difficult for hackers attempting to exploit insecure hardware.
Guest networks have their own SSID and password, so follow the rules above when setting this up.
For more help and information, read our dedicated guide to using guest Wi-Fi.
Monitor attached devices
It’s normal for routers to provide an overview of devices connected to the network. This will typically display the device name, connection type, internal IP address and MAC address.
Check this regularly. If you notice unknown network traffic, it may be a sign the network has been compromised.
This can be particularly helpful if the broadband is running slower than normal and you suspect a neighbour has accessed your Wi-Fi.
Encrypt your internet activity using a VPN
If you’re worried about people getting your IP address and watching what you do online, you should use a VPN for your network security. A VPN is a virtual private network. What that means is your IP address is hidden and instead websites that you’re browsing will think you have a different IP address. They may even think you’re in a different country.
If you need to access websites inaccessible to you due to being in the wrong country, you can use a VPN to overcome that.
Use antivirus software on all your connected devices
If you’re browsing the internet on a device, whether it’s a computer, phone or games console, then you really need an antivirus and a firewall if possible. Some paid software does allow you to access it across multiple devices, so it’s definitely worth looking into.
Commonly used antivirus software includes:
Buy a better router
Switching to a high-end router can provide superior performance, security and features compared to ISP-supplied hardware.
But don't just look at consumer hardware. Entry-level small business equipment from a router manufacturer such as Billion or DrayTek can have more rigorous security and come with vulnerable features like WPS disabled out of the box.
When buying a router, take the time to check the manufacturer's history of firmware updates. Do they regularly issue patches and continue to support older models for a reasonable amount of time? If not, you could find that shiny new router is left exposed to newly discovered exploits.
It’s important that you secure your home broadband as much as you can. Installing antivirus and firewall software is a pretty easy way to do so. As is using a VPN when using the internet when out and about. But you also need to make sure your internet router is safe. Don’t just rely on the default settings from your ISP.
You might worry that you need to be technically savvy to protect your router, but you really don’t. Making sure your passwords are unique and strong and keeping the firmware up to date are simple steps anyone can do to instantly improve security. If you have a lot of visitors, or electronic devices like smart lights or fridges, we also recommend setting up a guest network.
Why do we need your address?
We need your address to show you the broadband deals available at your home. This information is gathered in partnership with thinkbroadband.