How to secure your router and home network

Not all router security issues can be fixed by users, but there are many actions that can be taken to protect them from attacks

Many computer users don't realize it, but for most people their internet router is the most important electronic device in their home. It links most of their other devices together and to the world, so it has a highly privileged position that hackers can exploit.

Unfortunately many consumer and small-business routers come with insecure default configurations, have undocumented backdoor accounts, expose legacy services and have firmware that is riddled with basic flaws. Some of these problems can't be fixed by users, but there are many actions that can be taken to at least protect these devices from large-scale, automated attacks.

Don't let your router be a low-hanging fruit for hackers.

Basic actions

  • Avoid using routers supplied by ISPs. These routers are typically less secure than those sold by manufacturers to consumers. They often have hard-coded remote support credentials that users can't change and patches for their customized firmware versions lag behind patches for the same flaws released by router manufacturers.
  • Change the default admin password. Many routers come with default administrator passwords and attackers constantly try to break into devices using these publicly known credentials. After you connect to the router’s management interface for the first time through your browser — the address should be the router’s default IP address found on its bottom sticker or found in the set-up guide — make sure the first thing you do is change the password.
  • The router's web-based management interface should not be reachable from the internet. For most users, managing the router from outside the LAN (local area network) is not necessary. If remote management is needed, consider using a VPN (virtual private network) solution to establish a secure channel to the local network first and then access the router's interface.
  • Even inside the LAN, it's good to restrict which IP (Internet Protocol) addresses can manage the router. If this option is available, it's best to allow access from a single IP address that is not part of the pool of IP addresses assigned to computers via DHCP (Dynamic Host Configuration Protocol). For example, configure the router's DHCP server to assign IP addresses from to and then configure the web interface to only allow access from The computer should be manually configured to use this address only when you need to connect to the router.
  • Turn on HTTPS access to the router interface, if available, and always log out when done. Use the browser in incognito or private mode when working with the router so that no session cookies are left behind and never allow the browser to save the router's username and password.
  • Change the router's LAN IP address if possible. Most of the time, routers will be assigned the first address in a predefined netblock, for example If offered the option, change this to or something else that's easy to remember and is not part of the DHCP pool. The entire netblock used by the router can also be changed to one of those reserved for private networks. Doing this will protect against cross-site request forgery (CSRF) attacks that try to access routers through users' browsers by using the default IP addresses commonly assigned to such devices.
  • Choose a complex Wi-Fi password and a strong security protocol. WPA2 (Wi-Fi Protected Access II) should be the option of choice, as the older WPA and WEP are susceptible to brute-force attacks. If the router offers the option, create a guest wireless network, also protected with WPA2 and a strong password. Let visitors or friends use this isolated guest network instead of your main one. They might not have malicious intentions, but their devices might be compromised or infected with malware.
  • Disable WPS (Wi-Fi Protected Setup). This is a rarely used feature designed to help users set up Wi-Fi networks easily by using a PIN printed on a sticker. However, a serious vulnerability was found in many vendor implementations of WPS a few years ago that allows hackers to break into networks. Because it's hard to determine which specific router models and firmware versions are vulnerable, it's best to simply turn off this feature on routers that allow it. Instead, you can connect to the router via a wired connection and access its web-based management interface and, for example, configure Wi-Fi with WPA2 and a custom password (no WPS needed).
  • The fewer services your router has exposed to the internet, the better. This is especially true if you haven't enabled those services yourself and don't know what they do. Services like Telnet, UPnP (Universal Plug and Play), SSH (Secure Shell), and HNAP (Home Network Administration Protocol) should not be reachable from the internet as they can pose serious security risks. They should also be turned off on the local network if they're not needed. Online services like Shields UP by Gibson Research Corporation (GRC), can scan your router's public IP address for open ports. Shields Up can also scan for UPnP separately.
  • Keep your router's firmware up to date. Some routers allow checking for firmware updates directly from the interface while others even have an automatic update feature. Sometimes these checks might be broken due to changes to the manufacturer's servers over the years. It's a good idea to regularly check the manufacturer's support website manually for firmware updates for your router model.

More complex stuff

  • Network segmentation can be used to isolate risky devices. Some consumer routers offer the option to create VLANs (virtual local area networks) inside a larger private network. These virtual networks can be used to isolate internet-of-things devices, which researchers have repeatedly shown are full of vulnerabilities. Many IoT devices can be controlled through smartphone apps via external cloud services, so as long as they have Internet access, these devices don't need to be able to communicate with smartphones directly over the local network after the initial set-up. IoT devices often expose unprotected administrative protocols to the local network so an attacker could easily break into such a device from a malware-infected computer, if both are on the same network.
  • MAC address filtering can keep rogue devices off your Wi-Fi network. Many routers allow for restricting which devices are allowed on the Wi-Fi network based on their MAC address -- a unique identifier of their physical network card. Enabling this feature can prevent attackers from connecting to a Wi-Fi network even if they stole its password. The downside is that manually whitelisting legitimate devices can quickly become an administrative burden on larger networks.
  • Port forwarding should be combined with IP filtering. Services running on a computer behind a router cannot be reached from the internet unless port forwarding rules are defined on the router. Many software programs will attempt to open ports in the router automatically via UPnP, which is not always safe. If UPnP is disabled, rules can be added manually and some routers offer the option to specify the source IP address or netblock that can connect on a specific port to reach a certain service inside the network. For example, if you want to access an FTP server on your home computer from work, you can create a port forwarding rule for port 21 (FTP) in your router, but only allow connections from your company's IP netblock.
  • Custom firmware can be more secure than factory firmware. There are several Linux-based, community-maintained firmware projects for a wide range of home routers. OpenWRT, DD-WRT and Asuswrt-Merlin (for Asus routers only) are just some of the most popular ones. These typically offer more advanced features and customizations than factory firmware and their maintainers are quicker to fix flaws when identified than router vendors. Because these firmware packages are aimed at enthusiasts, the number of devices that use them is much lower compared to those that run vendor-supplied firmware. This makes widespread attacks against custom firmware less likely. However, it's very important to keep in mind that loading custom firmware on a router requires a fair amount of technical knowledge, will likely void its warranty and, if done incorrectly, can render the device unusable. You have been warned!

Join the CSO newsletter!

Error: Please check your email address.

More about CustomEnablingGibson ResearchLANLinuxSSHTelnet

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Lucian Constantin

Latest Videos

  • 150x50

    CSO Webinar: Will your data protection strategy be enough when disaster strikes?

    Speakers: - Paul O’Connor, Engagement leader - Performance Audit Group, Victorian Auditor-General’s Office (VAGO) - Nigel Phair, Managing Director, Centre for Internet Safety - Joshua Stenhouse, Technical Evangelist, Zerto - Anthony Caruana, CSO MC & Moderator

    Play Video

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

More videos

Blog Posts

Market Place