Secure Your Router and Wireless Network With These 15 Techniques
A typical router offers a setup wizard that helps you create a wireless network with Internet access in just a few seconds. But just because you can already go online doesn’t mean you shouldn’t bother with the rest of the router’s settings anymore. There are plenty of things left to do to make your router fulfill its role as a line of defense against hackers and malware. Use these 15 router tips to prevent security risks on your network and connected devices.
Before You Get Started
Note that these are general tips, and some of them may or may not apply to your router. Different routers have different settings, feature sets and management interfaces, which means the steps needed to enable/disable a setting or feature vary from router to router. If you’re not sure where to find a feature on your router’s management interface, check your router’s user guide or manual. If one isn’t included in the box, visit the manufacturer’s website and look for online help guides and articles.
Be careful as you experiment with your router’s features and settings. You click one wrong button, and your router could stop functioning altogether. If some of the tips below introduce connection and compatibility problems with your wireless devices, undo the recent changes you’ve made to your router. Find a good balance between accessibility and security as you configure your router. If something goes terribly wrong, you can try hard-resetting your router so it resets to its original factory settings.
Every tip in this guide is an extra step in protecting your wireless router as well as its wireless network and connected devices. The more tips you follow, the better your router’s security.
Download and Install the Latest Firmware
Before you begin changing your router’s default settings, you should visit its manufacturer’s website and look for the latest firmware available. If a newer version is available, download it from the website and upload it to your router. The most recent firmware typically comes with fixes that improve your router’s stability, performance, and security.
Unlike Windows and software applications, many routers don’t automatically update. You must do it manually. However, things might be different if you own a newer router model: you just need to click a couple of buttons, and the router does most of the work without further assistance.
Installing the latest firmware is the first and foremost step. The router might reset to its default settings after a firmware update, so there would be no point changing other settings beforehand.
Change the Default Administrator Password (and Username if Allowed)
One of the first things hackers try to do is access your router using the default username-password combination. The username is usually “admin”, and the password is usually “1234”, “admin”, or blank. Indeed, these are too easy to guess. Sites like routerpasswords.com even maintain a database of default router passwords that anyone can view. Yikes.
Giving anyone else access to your router’s management interface would be a huge mistake since they could tamper with the settings without your knowledge. That includes changing the passwords to lock you out of your own home network. You need to change the login credentials to something longer and more cryptic.
Enable HTTPS for the Admin Panel
By enabling HTTPS, you can access the router and modify its settings on an encrypted connection. If you use the insecure HTTP, you are susceptible to network sniffers that can capture your username and password for the router’s admin panel.
Change the Default Network Name or SSID
A typical router ships with a default Service Set Identifier (SSID)—the name assigned to the wireless network—that indicates the router’s make and model. If your router broadcasts such an SSID, potential hackers can look up specific vulnerabilities of your router and use attacks that exploit those vulnerabilities to gain unauthorized access.
Change the name of your wireless network to something else, such as random characters that don’t give information about you or your router.
Enable Password for Your Wi-Fi Network With WPA2 Encryption
Setting up a pre-shared key or password for your wireless network not only keeps away Wi-Fi moochers but also ensures that only your devices have access to your router and your network. It helps prevent crooks from snooping on your browsing session because the password is used to encrypt the data traveling over the wireless network. As you would with your passwords for online accounts, change the wireless network password to something that’s difficult to guess. Make it very long, and use numbers and special characters.
Depending on the router, you may have several protocol options to encrypt your wireless connection: WEP, WPA and WPA2. Choose WPA2 whenever possible, as it’s currently considered to be the most secure protocol. WEP is unreliable, as it’s very easy to crack using tools you can readily download online. WPA is better than WEP, but not by much. Older devices may not offer WPA2; in that case, use one of the other two. Using them is still better than having no encryption whatsoever.
Make a habit of regularly changing your Wi-Fi password to prevent brute-force login attacks from succeeding.
(Optional) Enable MAC Address Filtering
A router, by default, allows any device to connect to the wireless network as long as the device knows the correct password. If media access control (MAC) address filtering is enabled, a router only establishes a connection with a device whose MAC address is included in the approved list. A MAC address is basically an identifier that’s unique to a device’s network interface.
Note that MAC address filtering only stops casual users from connecting to your wireless network. Users with enough know-how to monitor Wi-Fi packets and spoof MAC addresses can easily bypass the security protection that MAC address filtering supposedly offers. Plus, every time you want a new device to join the network, you have to specify its MAC address manually to your router’s MAC address filter. It’s unnecessarily time-consuming and tiresome.
If you’re dealing with casual users, MAC address filtering is a good way to prevent them from connecting. Otherwise, you’re better off using other security measures.
(Optional) Turn off Wireless Broadcasting
Another way to deter casual users from connecting to your wireless network is to hide the SSID. Wireless devices can still connect to the network, but they can’t see the SSID being broadcast. Once again, it doesn’t take a genius to find a hidden wireless network. Simple network-analysis software can easily uncover a hidden SSID.
Hidden SSIDs, along with MAC filtering, only protect you from novice users. Don’t bother using them against experienced users, since these features merely give you a false sense of security.
Establish a Guest Wi-Fi Network
Give access to your home network only to friends and family you trust. If you must share your Internet connection with other people, such as house guests and so-called single-serving friends, you should enable your router’s guest mode. This creates a separate wireless network to help you keep your home network private. It prevents guests from poking around and accessing files and folders you’re sharing over the home network.
You should also encrypt and password-protect your guest wireless network to limit the number of users who can connect. If the feature is available, set the guest network to turn off automatically when not in use.
Lower Transmission Power, or Use the 5-Gigahertz Band
Lowering the transmission power of your device weakens your Wi-Fi’s signal strength. You probably want to adjust the power such that it’s strong enough for your devices to have a stable connection within your home but weak enough to stop your neighbors and outsiders from detecting and connecting to your Wi-Fi. If there’s no feature to adjust transmission power, switching to the 5-GHz band or using 802.11a mode (instead of the 802.11b/g/n/ac protocol) can achieve a similar effect.
Turn off Remote Access (or Web Access from WAN)
The remote access feature basically allows you to access your router’s management interface even when you’re physically away from your home network, as long as you’re connected online. You won’t find much need for this feature on a home network, so just disable it. Remote management exposes your router to the internet, and there have been reports that prove the possibility of remotely accessing the management interface of routers even without entering admin login credentials.
Turn off Administrative Access Over Wi-Fi
Access to the management interface should be restricted to devices that are connected to the router through the Ethernet ports. In other words, you must connect to the router using a network cable if you want to make changes to the router’s settings.
Turn on Router Firewall
Your router should have its firewall enabled so that devices connected to it are protected from unsolicited incoming traffic from the internet. The firewall acts as an extra layer of security that keeps away the dangers lurking on the internet, including malware that scans for vulnerable network services and open ports. You might think that the router firewall is redundant since there’s already a software firewall on your computer, but note that many pieces of malware can disable the functionality of your software firewall.
Turn off Universal Plug and Play (UPnP)
UPnP is a protocol that allows the router and network devices to discover and communicate with each other in the local area network. The feature automatically makes the necessary configurations so that the router administrator no longer has to modify port forwarding and other services manually. Unfortunately, UPnP-enabled routers are susceptible to hacking when their implementation of the protocol performs no authentication. In addition, UPnP allows communication requests from outside the local network. Many pieces of malware look for routers across the internet to access and manipulate their connected devices that use the UPnP protocol.
It’s best that you disable UPnP on your router. If you have peer-to-peer applications, game servers, and other applications that depend on the feature, you can manually set up port forwarding for them to work properly.
Turn off Wi-Fi Protected Setup (WPS)
WPS is designed to allow devices to connect to a wireless network without typing the Wi-Fi password. It uses either eight-digit PIN entry or push-button configuration to connect devices to the network. But like UPnP, its implementation in many routers is typically not secure. A brute-force attack is possible that allows outsiders to enter a WPS-enabled wireless network using the PIN entry approach. As for the push-button approach, outsiders who have physical access to the router can push the WPS button to connect to the network without permission. Many implementations of WPS are so flawed that they can even be used to expose wireless network passwords based on WPA or WPA2 encryption.
If WPS is enabled on your router by default, disable it.
Remember to Log Out, or Enable Automatic Log Out
When you’re done making the necessary configuration changes to your router, remember to log out of the management interface. Threats like cross-site scripting, cross-site request forgery, and session cookie theft can allow an attacker to hijack your logged-in session and modify your router’s settings.
If your router features an idle session timeout, configure it such that you’re automatically logged out after a few minutes of inactivity. Five minutes or less would be best, as it leaves the attacker only a small window to steal your session.
If the router’s management interface does not have an explicit logout button, and there’s no way to shorten the idle session timeout, try deleting your browser cache and cookies.
Place Your Router in a Secure, Physical Location
Many network security problems happen because your router is physically easy to reach. Anyone with physical access can do a lot of damage. For instance, he can restore your router to its factory default settings using the reset button. He can connect to one of your router’s Ethernet ports to execute physical man-in-the-middle attacks.
Make sure your router is positioned at a location that keeps away unauthorized users while also allowing the router to provide a solid wireless connection all over your home. If you’re really paranoid about other people physically tampering with your router, set up surveillance.
Consider Third-Party or Custom Firmware
You may not realize it, but your router can do so much more. You only need to replace its current firmware with a third-party alternative that unleashes your router’s full potential. Imagine your router being able to cover more areas of your home, set a bandwidth limit per user or application, and give you more options for security. Third-party router firmware projects, such as DD-WRT, OpenWrt and Tomato, introduce new features and capabilities to your router. In fact, some router manufacturers even ship their routers with third-party firmware pre-installed, which gives users much more choice and flexibility than the manufacturers’ own firmware.
If you want to give this tip a try, go to the websites of the custom firmware projects, and see if your router is compatible. Follow the project instructions on how to download and use the custom firmware. Pay close attention to special instructions for your router. It’s worth pointing out that an improper firmware installation could render your router useless. In addition, installing custom firmware usually means you void your router’s warranty. If you’re not tech-savvy, you might want to ignore this advanced tip.