Consumer routers ship with default credentials, remote management enabled, and firmware that often goes unpatched for years. They’re one of the most common entry points for home network attacks. Hardening your router takes less than an hour and covers the majority of real-world threat vectors.
Understand What You’re Working With
Before making changes, note:
- Your router’s make and model (on the label on the back)
- Current firmware version (found in the admin panel)
- Whether your ISP provided the router or you own it
ISP-provided routers (gateway devices) are often locked down and can’t be fully replaced. For those, focus on the settings available in the admin panel. On a router you own, the stock firmware can be replaced with OpenWrt for full control, provided the model is supported.
Access Your Router Admin Panel
Most home routers are at 192.168.1.1 or 192.168.0.1:
# Find your default gateway
ip route | grep default # Linux
netstat -rn | grep default # macOS
route print | findstr "0.0.0.0" # Windows
Open that IP in a browser. Default credentials are often printed on the router label, or check https://www.routerpasswords.com.
First action: change the admin password to something long and unique, stored in your password manager.
Step 1: Update the Firmware
Router firmware updates patch known vulnerabilities, including critical ones like authentication bypass, RCE, and DNS hijacking.
For standard consumer routers:
- In the admin panel, find Administration > Firmware Update or Advanced > Firmware
- Check the manufacturer’s support page for your model
- Download the latest firmware
- Upload via the admin panel and wait for the reboot
Automate firmware checks:
# Check router manufacturer's RSS feed or security advisories
# For ASUS: https://www.asus.com/networking-iot-servers/wifi-routers/
# For TP-Link: https://www.tp-link.com/us/support/download/
# For Netgear: https://www.netgear.com/support/product/
# Set a calendar reminder to check quarterly if no auto-update is available
Some newer routers support automatic firmware updates. Enable this if available: the risk of a router reboot during an update is lower than the risk of running unpatched firmware.
Step 2: Disable WPS
WPS (Wi-Fi Protected Setup) has known cryptographic vulnerabilities (the Pixie Dust attack and PIN brute-force). Disable it entirely:
- Find: Wireless > WPS or Advanced > WPS Setup
- Set to Disabled
There is no good reason to keep WPS enabled. Manual passphrase entry is fine.
Step 3: Disable UPnP
UPnP lets devices on your network automatically open ports on the router — without your knowledge. Malware on a compromised device can use UPnP to expose it directly to the internet.
- Find: Advanced > UPnP or NAT > UPnP
- Set to Disabled
If an application stops working, you can open specific ports manually via Port Forwarding rather than allowing any device to open any port automatically.
Step 4: Disable Remote Management
Remote management lets someone administer your router from outside your network. Unless you have a specific need for this, disable it.
- Find: Administration > Remote Management or Advanced > Remote Access
- Set to Disabled
If remote management was enabled and you didn’t enable it, treat this as a potential compromise indicator.
Step 5: Set Strong Wi-Fi Credentials
Security protocol:
- Use WPA3 if your devices support it
- WPA2-AES is acceptable if WPA3 is unavailable
- Never use WEP or WPA (original)
- Never use TKIP — AES only
Password:
- Minimum 20 characters
- Generated random string, not a phrase
SSID:
- Don’t include your name, address, or ISP name in the network name
- These help attackers correlate your network with you
- Avoid “hidden” SSIDs — they don’t provide real security and cause connectivity issues
Change settings at: Wireless > Basic Wireless Settings
Step 6: Set Up a Guest Network
A guest network is a separate Wi-Fi network isolated from your main network. Use it for:
- IoT devices (smart TVs, bulbs, speakers, cameras)
- Visitors’ phones and laptops
- Any device you don’t fully trust
Guest network isolation prevents a compromised IoT device from reaching your main computers, NAS, or local services.
Enable at: Wireless > Guest Network — set Client Isolation: Enabled so guest devices can’t talk to each other either.
Step 7: Disable Unnecessary Services
Check these services and disable any you don’t actively use:
| Service | Risk | Disable if |
|---|---|---|
| Remote management | Remote admin exploit | Always, unless needed |
| Telnet | Plaintext admin protocol | Always |
| SSH (router admin) | Brute force if weak password | Unless you need CLI access |
| UPnP | Automatic port opening | Unless required by specific app |
| WPS | PIN brute-force | Always |
| DDNS (Dynamic DNS) | Maps your IP to a hostname | Unless you run self-hosted services |
| IPv6 firewall | Varies by router | Review separately |
Step 8: Enable the Firewall
Most routers have a simple SPI (Stateful Packet Inspection) firewall. Make sure it’s on:
- Find: Security > Firewall or Advanced > Firewall
- Set SPI Firewall to Enabled
Some routers also allow blocking:
- Anonymous internet requests (port scans from internet)
- Multicast from WAN
- IDENT protocol
Enable all of these if available.
Option: Replace Firmware with OpenWrt
OpenWrt is an open source Linux-based router firmware with active security maintenance. It replaces your router’s stock firmware entirely.
Check if your router is supported: https://openwrt.org/toh/start
Benefits:
- Regular security updates (not dependent on manufacturer)
- Full control over firewall rules (nftables)
- Package system — install VPN, ad blocking, traffic shaping
- No vendor telemetry
Installation (general process — read your router’s specific guide):
# Download the firmware image for your exact model+version
# Compute the SHA256 checksum and compare it with the value published for this exact file
sha256sum openwrt-23.05.2-ath79-generic-YOUR_MODEL-squashfs-sysupgrade.bin
# Upload via router admin panel > Administration > Firmware Upgrade
# OR via U-Boot/TFTP if GUI is unavailable
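The checksum step above only means something if the computed hash is compared against the published one. This added example (not part of the original article) does that comparison against a `sha256sums` manifest downloaded from the same directory as the image; the file names and the `verify_image` function name are placeholders.

```shell
#!/bin/sh
# Added example: refuse to flash an image whose hash is not in the manifest.
# Usage: sh verify.sh IMAGE.bin sha256sums   (both paths are placeholders)
verify_image() {
    image=$1
    sums=$2
    name=$(basename "$image")
    # Manifest lines look like "<hash> *<name>" (binary mode) or "<hash>  <name>".
    expected=$(awk -v n="$name" '
        { f = $2; sub(/^\*/, "", f); if (f == n) print $1 }' "$sums")
    # A missing entry is a failure, not a pass: wrong file or wrong manifest.
    [ -n "$expected" ] || { echo "no entry for $name in $sums" >&2; return 2; }
    actual=$(sha256sum "$image" | cut -d ' ' -f 1)
    if [ "$actual" = "$expected" ]; then
        echo "OK $name"
    else
        echo "MISMATCH $name: do not flash" >&2
        return 1
    fi
}

# Run the check only when called with an image and a manifest.
if [ "$#" -eq 2 ]; then
    verify_image "$1" "$2"
fi
```

A matching hash shows the download is intact relative to the manifest; it does not authenticate the manifest itself, which OpenWrt signs separately.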
After installation, access OpenWrt at 192.168.1.1 with username root and no password. Set a password immediately:
# SSH into router
ssh root@192.168.1.1
# Set root password
passwd
# Update package lists and install updates
opkg update
opkg list-upgradable | cut -f 1 -d ' ' | xargs opkg upgrade
Verify Your Setup
After hardening:
# Scan your router from inside the network
nmap -sV 192.168.1.1
# Scan from outside (use a cloud instance or VPN exit node)
nmap -sV YOUR_PUBLIC_IP
# Check for open ports — only ports you explicitly opened should be visible externally
Run https://www.grc.com/x/ne.dll?bh0bkyd2 (Shields Up) from a browser to test the firewall from outside.
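To turn the scan output into a pass/fail check against the steps above, this added example (not from the original article) parses nmap's grepable output (`-oG -`) and flags services the guide says to disable. The allow-list, the function names, and the sample scan lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit nmap grepable output against this guide's steps.
# Real use:  nmap -sV -oG - 192.168.1.1 | audit_scan "53 80 443"
# $1 = port numbers you deliberately left open (assumption: your list will differ).
audit_scan() {
    awk -v allow="$1" '
    BEGIN {
        n = split(allow, a, " ")
        for (i = 1; i <= n; i++) ok[a[i]] = 1
        # Well-known ports for services the guide tells you to disable.
        why["23/tcp"]   = "Telnet is plaintext admin: disable (Step 7)"
        why["22/tcp"]   = "SSH admin: disable unless you need CLI access (Step 7)"
        why["1900/udp"] = "SSDP (UPnP discovery, needs -sU): check UPnP is off (Step 3)"
    }
    /Ports: / {
        host = $2
        sub(/^.*Ports: /, "")   # keep only the port list
        sub(/\t.*$/, "")        # drop trailing tab-separated fields
        m = split($0, entry, ", ")
        for (i = 1; i <= m; i++) {
            split(entry[i], f, "/")   # port/state/proto/owner/service/rpc/version
            if (f[2] != "open") continue
            key = f[1] "/" f[3]
            if (key == "23/tcp")      # never acceptable, even if allow-listed
                print "FLAG", host, key, why[key]
            else if (f[1] in ok)
                continue
            else if (key in why)
                print "FLAG", host, key, why[key]
            else
                print "REVIEW", host, key, "service=" f[5], "not on allow-list"
        }
    }'
}

# Constructed sample in nmap -oG format (not a real scan).
sample_scan() {
    printf 'Host: 192.168.1.1 ()\tStatus: Up\n'
    printf 'Host: 192.168.1.1 ()\tPorts: 22/open/tcp//ssh//Dropbear sshd/, 23/open/tcp//telnet///, 53/open/tcp//domain//dnsmasq/, 80/open/tcp//http///, 8443/open/tcp//https-alt///, 5000/closed/tcp//upnp///\tIgnored State: filtered (994)\n'
}

sample_scan | audit_scan "53 80"
```

For the external scan, pass an empty allow-list unless you have forwarded ports on purpose, so that every open port is reported.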
Hardening Checklist
- Admin password changed from default
- Firmware updated to latest version
- WPS disabled
- UPnP disabled
- Remote management disabled
- WPA3 or WPA2-AES configured
- Strong Wi-Fi password set
- Guest network created for IoT devices
- SPI firewall enabled
- Telnet disabled
- Quarterly firmware check scheduled
Built by theluckystrike — More at zovo.one