Sometimes the best thing to say about a wireless router in your house is that once it’s set it, you forget it exists.
As long as the devices that need the Wi-Fi connection can get on and function, that’s all that matters, right?
Maybe, but we also live in the age of leaks, wiki and otherwise.
If you’re worried about the security of your home network, and by extension your personal data—especially from hackers who could casually sit in a car outside and get access to your systems—then you need to put a padlock on that wireless. You may also want to prevent others from using your network, hackers and freeloaders alike.
So what do you do? Follow these tips and you’ll be well ahead of most home Wi-Fi users. Nothing will make you 1,000 percent safe against a truly dedicated hack.
Crafty social engineering schemes are tough to beat.
But don’t make it easy on them; protect yourself with these steps.
Time-Tested Wi-Fi (and All Around) Security
Change Your Router Admin Username and Password Every router comes with a generic username and password—if they come with a password at all. You need it the first time you access the router.
After that, change them both.
The generic usernames are a matter of public record for just about every router in existence; not changing them makes it incredibly easy for someone who gets physical access to your router to mess with the settings.
If you forget the new username/password, you should probably stick to pencil and paper, but you can reset a router to its factory settings to get in with the original admin generic info.
Change the Network NameThe service set identifier (SSID) is the name that’s broadcast from your Wi-Fi to the outside world so people can find the network. While you probably want to make the SSID public, using the generic network name/SSID generally gives it away.
For example, routers from Linksys usually say “Linksys” in the name; some list the maker and model number (“NetgearR6700”).
That makes it easier for others to ID your router type.
Give your network a more personalized moniker.
It’s annoying, but rotating the SSID(s) on the network means that even if someone had previous access—like a noisy neighbor—you can boot them off with regular changes.
It’s usually a moot point if you have encryption in place, but just because you’re paranoid doesn’t mean they’re not out to use your bandwidth. (Just remember, if you change the SSID and don’t broadcast the SSID, it’s on you to remember the new name all the time and reconnect ALL your devices—computers, phones, tablets, game consoles, talking robots, cameras, smart home devices, etc.
Activate Encryption This is the ultimate Wi-Fi no-brainer; no router in the last 10 years has come without encryption.
It’s the single most important thing you must do to lock down your wireless network. Navigate to your router’s settings (here’s how) and look for security options.
Each router brand will likely differ; if you’re stumped, head to your router maker’s support site.
Once there, turn on WPA2 Personal (it may show as WPA2-PSK); if that’s not an option use WPA Personal (but if you can’t get WPA2, be smart: go get a modern router).
Set the encryption type to AES (avoid TKIP if that’s an option). You’ll need to enter a password, also known as a network key, for the encrypted Wi-Fi.
This is NOT the same password you used for the router—this is what you enter on every single device when you connect via Wi-Fi.
So make it a long nonsense word or phrase no one can guess, yet something easy enough to type into every weird device you’ve got that uses wireless. Using a mix of upper- and lowercase letters, numbers, and special characters to make it truly strong, but you have to balance that with ease and memorability.
Double Up on Firewalls The router has a firewall built in that should protect your internal network against outside attacks.
Activate it if it’s not automatic.
It might say SPI (stateful packet inspection) or NAT (network address translation), but either way, turn it on as an extra layer of protection.
For full-bore protection—like making sure your own software doesn’t send stuff out over the network or Internet without your permission—install a firewall software on your PC as well. Our top choice: Check Point ZoneAlarm PRO Firewall 2017; there’s a free version and a $40 pro version, which has extras like phishing and antivirus protection.
At the very least, turn on the firewall that comes with Windows 8 and 10.
Turn Off Guest Networks It’s nice and convenient to provide guests with a network that doesn’t have an encryption password, but what if you can’t trust them? Or the neighbors? Or the people parked out front? If they’re close enough to be on your Wi-Fi, they should be close enough to you that you’d give them the password. (Remember—you can always change your Wi-Fi encryption password later.)
Use a VPN
A virtual private network (VPN) connection makes a tunnel between your device and the Internet through a third-party server—it can help mask your identity or make it look like you’re in another country, preventing snoops from seeing your Internet traffic.
Some even block ads.
A VPN is a smart bet for all Internet users, even if you’re not on Wi-Fi.
As some say, you need a VPN or you’re screwed.
Check our list of the Best VPN services.
Update Router Firmware Just like with your operating system and browsers and other software, people find security holes in routers all the time to exploit. When the router manufacturers know about these exploits, they plug the holes by issuing new software for the router, called firmware.
Go into your router settings every month or so and do a quick check to see if you need an update, then run their upgrade. New firmware may also come with new features for the router, so it’s a win-win.
If you’re feeling particularly techie—and have the right kind of router that supports it—you can upgrade to custom third-party firmware like Tomato, DD-WRT or OpenWrt.
These programs completely erase the manufacturer’s firmware on the router but can provide a slew of new features or even better speeds compared to the original firmware.
Don’t take this step unless you’re feeling pretty secure in your networking knowledge.
Turn Off WPS Wi-Fi Protected Setup, or WPS, is the function by which devices can be easily paired with the router even when encryption is turned on, because you push a button on the router and the device in question.
Voila, they’re talking.
It’s not that hard to crack, however, and means anyone with quick physical access to your router can instantly pair their equipment with it. Unless your router is locked away tight, this is a potential opening to the network you may not have considered.
Many security recommendations floating around the Web don’t pass muster with experts.
That’s because people with the right equipment—such wireless analyzer software like Kismet or mega-tools like the Pwnie Express Pwn Pro—aren’t going to let the following tips stop them.
I include them for completion’s sake because, while they can be a pain in the ass to implement or follow up with, a truly paranoid person who doesn’t yet think the NSA is after them may want to consider their options.
So, while these are far from foolproof, they can’t hurt if you’re worried.
Don’t Broadcast the Network Name
This makes it harder, but not impossible, for friends and family to get on the Wi-Fi; that means it makes it a lot harder for non-friends to get online.
In the router settings for the SSID, check for a “visibility status” or “enable SSID broadcast” and turn it off.
In the future, when someone wants to get on the Wi-Fi, you’ll have to tell them the SSID to type in—so make that network name something simple enough to remember and type. (Anyone with a wireless sniffer, however, can pick the SSID out of the air in very little time.
The SSID is not so much as invisible as it is camouflaged.)
Disable DHCP The Dynamic Host Control Protocol (DHCP) server in your router is what IP addresses are assigned to each device on the network.
For example, if the router has an IP of 192.168.0.1, your router may have a DCHP range of 192.168.0.100 to 192.168.0.125—that’s 26 possible IP addresses it would allow on the network. You can limit the range so (in theory) the DHCP wouldn’t allow more than a certain number of devices—but with everything from appliances to watches using Wi-Fi, that’s hard to justify.
For security you could also just disable DHCP entirely.
That means you have to go into each device—even the appliances and watches—and assign it an IP address that fits with your router. (And all this on top of just signing into the encrypted Wi-Fi as it is.) If that sounds daunting, it can be for the layman.
Again, keep in mind, anyone one with the right Wi-Fi hacking tools and a good guess on your router’s IP address range can probably get on the network even if you do disable the DHCP server.
Filter on MAC AddressesEvery single device that connects to a network has a media access control (MAC) address that serves as a unique ID.
Some with multiple network options—say 2.4GHz Wi-Fi, and 5GHz Wi-Fi, and Ethernet—will have a MAC address for each type. You can go into your router settings and physically type in the MAC address of only the devices you want to allow on the network. You can also find the “Access Control” section of your router to see a list of devices already connected, then select only those you want to allow or block.
If you see items without a name, check its listed MAC addresses against your known products—MAC addresses are typically printed right on the device.
Anything that doesn’t match up may be an interloper. Or it might just be something you forgot about—there is a lot of Wi-Fi out there.
Turn Down the Broadcast PowerGot a fantastic Wi-Fi signal that reaches outdoors, to areas you don’t even roam? That’s giving the neighbors and passers-by easy access. You can, with most routers, turn down the Transmit Power Control a bit, say to 75 percent, to make it harder. Naturally, all the interlopers need is a better antenna on their side to get by this, but why make it easy on them?