Keeping your home network safe can be daunting, but there are some things you can do without deep knowledge of networking. Your router's default settings are often chosen for user convenience, and some of them lower your overall security. And if you've recently upgraded your router from an older model, you probably have a bunch of new, unfamiliar settings to change. If you're wondering which settings to change, here's where to start.


6 UPnP and NAT-PMP

Both of these protocols can open their own ports, which makes them a security nightmare

Networking can be complicated to set up, so various protocols and tools have been created to simplify things like network discovery, port forwarding, and moving data between your home network and the wider internet. Two of these are Universal Plug and Play (UPnP) and Network Address Translation Port Mapping Protocol (NAT-PMP), which are similar in that they are both zero-configuration protocols that automatically let services open their own ports to the internet through your router's firewall.

Neither protocol has any authentication built in, so any service or app on your network can use them to open ports for incoming internet traffic. If you can see why that's a bad idea, then you know why you should disable these two options in your router. UPnP is fine if it's limited to your home network, but leaving it open to the internet makes it dangerous. And NAT-PMP was mostly used by Apple devices, although turning it off doesn't seem to affect any of my devices, so it's entirely possible they use different protocols now that are safer.

Turn them both off (although many routers only have an option for UPnP) and see if any of your programs or devices have issues connecting to their servers and the Internet. If you find any that do, it's time to decide between security and convenience and whether you can easily change that device or program for something that is more security-conscious.
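One way to confirm from a computer on your home network that the router has really stopped answering both protocols, as an added example that is not part of the original article. It sends a standard SSDP discovery for a UPnP gateway and a NAT-PMP external-address request (RFC 6886); the gateway address `192.168.1.1` is an assumption, so substitute your router's LAN address.

```python
import socket
import struct

SSDP_ADDR = ("239.255.255.250", 1900)   # SSDP multicast group used by UPnP
IGD = "urn:schemas-upnp-org:device:InternetGatewayDevice:1"

def build_msearch(target=IGD, mx=2):
    """SSDP discovery request asking UPnP gateways to identify themselves."""
    return ("M-SEARCH * HTTP/1.1\r\n"
            f"HOST: {SSDP_ADDR[0]}:{SSDP_ADDR[1]}\r\n"
            'MAN: "ssdp:discover"\r\n'
            f"MX: {mx}\r\nST: {target}\r\n\r\n").encode()

def parse_ssdp(data):
    """Headers of an SSDP reply as a lower-cased dict; None unless 200 OK."""
    lines = data.decode("ascii", "replace").split("\r\n")
    if not lines[0].startswith("HTTP/1.1 200"):
        return None
    pairs = (line.partition(":") for line in lines[1:])
    return {k.strip().lower(): v.strip() for k, sep, v in pairs if sep}

def parse_natpmp(data):
    """External IP from a NAT-PMP address response (RFC 6886), else None."""
    if len(data) != 12:
        return None
    version, opcode, result, _epoch = struct.unpack("!BBHI", data[:8])
    if version != 0 or opcode != 128 or result != 0:
        return None
    return socket.inet_ntoa(data[8:])

def probe(addr, payload, timeout=3.0):
    """Send one UDP datagram; return the first reply or None on timeout."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        try:
            s.sendto(payload, addr)
            return s.recvfrom(2048)[0]
        except OSError:
            return None

def check(gateway_ip):
    """True for each protocol the router still answers on the LAN."""
    upnp = probe(SSDP_ADDR, build_msearch())
    natpmp = probe((gateway_ip, 5351), b"\x00\x00")  # address request
    return {"upnp": bool(upnp and parse_ssdp(upnp)),
            "nat-pmp": bool(natpmp and parse_natpmp(natpmp))}

if __name__ == "__main__":
    print(check("192.168.1.1"))  # assumed gateway address; use your own
```

Run it once before and once after changing the router setting; both values should read `False` when the protocols are disabled.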

5 Accidentally using the wrong Wi-Fi encryption

WPA2 or WPA3 with AES is the way to go—and turn off WPS

The Wi-Fi signal from your router can be one of the biggest security issues for your home network. That's partly because the wireless signal's range is fairly long, so hackers or other attackers could be out of sight while sniffing through your network traffic. To keep them off, you need to use two things: encryption so that the signal isn't readable by anyone who shouldn't be on your network, and a network key to serve as the encryption and decryption code.

Many ISP routers are set up with WEP encryption by default, with default settings for the network key (which is often created from part of the router's MAC address). The situation isn't better if you have your own router or are using custom router firmware, because those often start with no encryption at all, making an open network with no authentication needed.


Your router's Wi-Fi security page will have a variety of encryption settings that you can choose from. For home networks, there are only two secure options: WPA2+AES or WPA3+AES. That's it. Don't ever leave your wireless network open, or on WEP, WPA, or any of the TKIP options. Those encryption types give you a false sense of security, because they're all easily crackable in a short time span thanks to how powerful computer hardware is now. Also, set a unique custom password with 20 random characters and use a password manager to store it so you don't have to remember it.

The last authentication setting to change is Wi-Fi Protected Setup, or WPS. This was created to make it easy to pair new devices to Wi-Fi networks, but it makes a mockery of wireless security, reducing long wireless passwords to a seven-digit PIN code that takes no time at all to find out with a brute-force attack. Disable this on your router (if your router even has it, as many new devices don't include it as an option).


4 Add a guest network

Put insecure devices and ones you don't trust on their own virtual network away from your important stuff

While most consumer routers cannot create multiple VLANs to isolate less-trusted network devices from those with important data on them, most recent routers have a single VLAN that can be used for the same purpose. It's called the guest network, and you'll find it in the Wi-Fi settings pages. It's designed for guests in your home, so they can get onto the internet without being able to see your networked devices, but it can do much more.

For example, putting all your IoT devices on the guest network makes the rest of your network safer. These devices often get infrequent firmware updates to fix security issues and other bugs. You can even use a simpler password for the guest network, which makes it easier to connect IoT devices or for your guests, but doesn't compromise the security of your main home network. Depending on the router, you might also be able to limit the bandwidth available to devices on the guest network, making it so they can't hog all the connection bandwidth from your other devices.

3 Disable remote access

You don't need administration access to your router outside your home network

The administration pages of your router should only be accessible from a device on your home network. Leaving the admin pages open to the internet at large paints a target on your home network, and the automated scanning tools used by hackers to search for vulnerable devices will eventually find you. Make sure your router admin pages only work from your home network, and change the username and password from the defaults.

If you really need to be able to access your router when outside your home network, use something like WireGuard or OpenVPN to connect to your home network, so your remote device is behaving as if it's at home. It's just safer, and it's also a good networking skill to learn.

2 Keep on top of updates

Firmware updates fix security issues and other bugs

If you're using an ISP-provided router, the chances are they're in charge of updates and will occasionally push them to your hardware to fix bugs and keep you safer. If you're using your own networking equipment, you'll need to keep on top of updates yourself. Most Wi-Fi routers won't update automatically, so make a habit of checking the manufacturer's help pages periodically to see if there are any update files. The best mesh routers often update automatically, which is a big benefit that helps justify the slightly higher price of these networking kits, as they're constantly fixing security issues and bugs and optimizing network behavior to keep your network working well.

1 Use custom DNS servers

The ones your ISP uses by default are tracking you

Every time you browse a website, like xda-developers.com, or any other, the DNS servers on your computer or router translate that human-readable address to the actual IP addresses needed to get the required data into your browser. Think of it as a huge phone book, but for the internet, and you're not far off from understanding the macro view.

The problem with the default DNS servers that your ISP might install on your router is that your ISP controls them. This could mean the ISP is tracking your DNS requests and using the data for targeted advertising, redirecting your requests to websites it controls, or blocking you from parts of the Internet. None of that is okay, even if it's technically legal, so you'll want to change the DNS servers your router sets to those you trust. You don't have to go to the trouble of hosting your own DNS server, but that's an option. It's easier to use a privacy-focused DNS service, like 1.1.1.1 or 9.9.9.9, which blocks malicious sites to keep you safer while browsing.


With a few tweaked settings, your home network will be more secure

Your home network's security shouldn't be sacrificed for convenience, and that's what many of the settings discussed here do when enabled. Turning them off might mean some manual configuration is needed for specific services or programs, but you might find you don't have to configure anything, as newer programs use better, more secure ways to connect through your router. Staying safe on the internet doesn't just mean changing a few router settings though, so brushing up on good browsing practices is also worth doing.