How and Why to Change Your Router Security Settings (Made Simple)

By SB •  Updated: 07/21/21 •  4 min read
How-To

If someone hacks (or logs into) your home router, they have access to your entire home network and all the devices attached to that network.

Think about that.

Every device connected to that router, depending on the security settings of each device (and most consumer devices have security shields that leave much to be desired), will be compromised.

By taking a few minutes to properly set up and harden your router, you can prevent unauthorized users from taking control of your router and accessing your entire personal collections of IoT devices and data. Securing your router consists of updating the firmware, changing the default admin username and password for your router, changing your WiFi network password once every few months (or more often if you share your WiFi with guests), utilizing a firewall, and following a few simple tasks for maintenance.

Simple tasks are often ignored.

The Risks: An Insecure Router Can Allow Someone To…

  1. Redirect you to a web page that phishes for your credentials or tricks you into installing compromised version of software
  2. Conduct man-in-the-middle attacks (MitM) or send the user to “evil twin” websites masquerading as often-used webmail or online-banking portals.
  3. Be infected with malware to collect your browsing history and all website login credentials
  4. Use your router as part of DDoS attacks against websites or for other devious purposes
  5. Spy on you via your connected Internet-of-Things (IoT) devices that have cameras and microphones and other sensors
  6. Mine for cryptocurrencies using your computer’s resources (cryptojacking)

Things You Can Do to Secure Your Router

First, buy a router that is made for office or small business use. These will be better made, offer more default security options, and will not be as popular as other routers as targets for firmware or security exploits.

To harden your router and prevent accidental or malicious tampering, you will need to access and properly configure the device’s settings.

If you are on a computer or phone connected to your home network, your router’s admin settings can usually be accessed by typing the router’s IP address into any web browser’s URL bar (the IP address is often 192.168.1.1 or 192.168.0.1, but check the label on your device or look up the address). An easier and better way to connect to your router is via an Ethernet cable.

  1. Have separate modem and router devices. Ask your ISP for a simple modem, not a “gateway” modem/router combination device. Add your own low-end commercial-grade router.
  2. Choose a new username and password for your router. The password to access the router’s admin interface is the first thing you should replace with a strong and unique password or passphrase.
  3. Disable WPS! WiFi-Protected Setup is the worst modern router “feature” for security. That 8-digit number bypasses all security your network has, and allows anyone with that number access to your router. If a furnace repairman comes over to your house, turns the router over and snaps a photo of it, he can now get on your network forever. Unless you disable WPS.
  4. Disable Universal Plug and Play. UPnP is a networking protocol originally made for LANs, but is now enabled on internet-facing ports, which exposes those ports to external attack from the Internet.
  5. Port 32764, which French security researcher Eloi Vanderbeken in 2013 discovered had been quietly left open on gateway routers sold by several major brands. Using port 32764, anyone on a local network — which includes a user’s ISP — could take full administrative control of a router, and even perform a factory reset, without a password. Check port 32764 using ShieldsUp! by Gibson Research Corporation.
  6. Change the default network name (SSID) to something that does NOT identify you or your location, and enable WPA2 encryption.
  7. Set up a Guest Network for guests, to prevent their devices from connecting to your devices on the same network.
  8. Disable remote administrative access in your router settings, and if you can or it makes sense, disable administrative access over WiFi, too. 
  9. Change your router’s DNS servers from your default ISP to one provided for free by OpenDNS (208.67.220.220,  208.67.222.222), Google Public DNS (8.8.8.8, 8.8.4.4) or Cloudflare (1.1.1.1, 1.0.0.1). I choose Cloudflare.
  10. Get a VPN router that works by sending all your network traffic through a VPN (subscription sold separately). Protectli Vault is one such product.

SB

I've been practicing OSINT and utilizing Linux as my daily operating system for over twenty years. The tools are always changing and so I'm always learning, but helping you understand the value of protecting your own data remains at the forefront of everything I do.