I've used a lot of routers throughout my time on the internet, from ISP routers that have locked-down services to routers I kept way longer than I should have. Still, on every one that I could change settings on, I've always changed the same set of security settings before starting to use the internet. These core settings go a long way toward making your home network more secure and cut off access to botnets, automated hacking, and more.

If you're in the market for a new router, or even if you want to stick with the one you're using now, these security settings are a must. If you've not done any of these, it's never too late to start, as most of these security settings will also cut off access if something has gotten onto your network. They're also not limited to any particular router manufacturer or Wi-Fi version, so don't worry if you don't have a Wi-Fi 7 router; you can still apply these settings and make things more secure.

5 Change the default login

Seriously, don't leave the admin password on the default

Wherever you get your router from, it probably has a terrible, horrible, no good, very bad default password. It's almost guaranteed to be something like admin / 123456 because router manufacturers build their hardware to easy defaults to make the installation process smoother for the user or the technician installing it. That default password and username combination should be treated like a self-destructing message from the IMF, and not as a daily bastion of security.

The first thing I change before I change the Wi-Fi settings, and often before I plug the router into my internet jack, is the default login details. That way, once it is connected to the outside world, it can't be automatically portscanned, logged into, and made to be part of a botnet. If you do nothing else, please change the default login details.

4 Update the firmware

Fix any security holes with a quick upgrade

Once I have unique login details, the next step is to update the firmware. You don't know how long that router has been sitting on a shelf, and there could have been any number of severe security bugs that got fixed in the meantime. If your router uses an app, the process will be straightforward, and often it'll notify you and start the process with a few taps. If not, find the support pages for your router on the manufacturer's website and download the latest firmware.

You'll probably have to log into the web GUI and navigate to the update section, then upload the file, let it update, and reboot. This will guard against zero-day attacks and possibly fix some bugs with features or even add new features.

3 Change the SSID and Wi-Fi password

The defaults are either terrible or easy to figure out

Up next is changing the default SSID and Wi-Fi password to something more secure. This is one of the most important settings inside your router, as the defaults are either generated from the SSID or MAC address, or something even easier to guess. Use a unique SSID name, so your neighbors don't mistakenly try to connect to it, and I don't suggest trying to be amusing with it, but you can if you like. Many routers can hide the SSID, but I don't recommend using this. It's a pain when you try to connect to your own devices, and anyone scanning for Wi-Fi networks can find it easily.

Most routers combine their 2.4GHz, 5GHz (and 6GHz if you have it) bands into one SSID nowadays, but if not there will be an option called something like Smart Connect to do that. And use a long Wi-Fi password, because that's always more secure. It doesn't have to use capital letters, numbers, or special characters, and in fact, don't use special characters in either the SSID or the password because it can can cause issues.

2 Set the strongest encryption available

For most new routers, this is WPA3 but older ones might be WPA2-AES

While changing the SSID and password away from the defaults, using the strongest available security protocol is crucial. Most modern routers will be set up for WPA3, although you can use WPA2-AES or WPA3+WPA2 if you need compatibility with other devices. Whichever of those options you choose, don't use WEP or WPA-TKIP, because those are easily cracked in minutes, and you might as well not have any password on your Wi-Fi.

1 Disable remote management, UPnP, and WPS

Don't let all your other security fixes be in vain

If my router has remote access for management, aka WAN administration, that's also part of the first wave of things to change. I don't know about you, but the number of times I've needed to change router settings when I'm not home is very low, and even if I have to I'd rather VPN into the network and log in like I'm at home. It's an unnecessary security hole in the name of convenience that I feel is left on by default so that ISP techs can log in, and you don't need that to happen most of the time.

Some routers I've had, like my Eero mesh kit, only lets me change things via the app, and then WAN administration is left on because there's no place to turn it off. I do hope that Eero has a secured tunnel back to the router in that case.

The last settings I change on any router depends on whether they exist or not. WPS has a button on the router that makes it simple to connect to Wi-Fi, as it uses a short PIN instead of your carefully chosen Wi-Fi password. That means it takes no effort at all to crack through, and what was designed as a convenience feature is a gaping security hole that you should plug.

If your router has UPnP or NAT-PMP enabled, it can also be turned off. Again, these were useful tools, but then the router manufacturers decided to enable them at the WAN level, allowing badly configured or malicious devices to open ports through your firewall and allow traffic to come in. You're safer not using them, and modern networking doesn't rely on them like older devices used to.

Every new router I use gets these changes before I do anything else

Whether I'm using prosumer networking equipment, a DIY OPNsense router with plenty of plugin power, or a mesh network, changing these settings before I do anything else gives me a solid security foothold to build on. Not every router will have every one of these options, as WPS and NAT-PMP are mostly phased out, and app-based administration of others means that WAN administration is less dangerous. But if you start with this list and either change or disable as many as you can, your home network will be that little bit safer to begin with.