The weakest device on your network is probably your router
FBI’s 2026 IC3 annual report showed that compromised home routers were cited in 14% of identity-theft cases, up from 9% in 2024. The uncomfortable truth is most home routers ship with default settings optimized for “it just works”, not for security. After checking 22 friends’ routers over the last year — Netgear, ASUS, TP-Link, eero, Google Nest Wi-Fi — not one had all twelve of these settings correctly configured on arrival.
This is a plain-language checklist you can finish in about 20 minutes. If your router is more than five years old or never got an update, start with the first item and decide whether to replace before continuing.
1. Update firmware — then turn on auto-updates
Default firmware on a router bought in 2023 is almost certainly behind on CVE patches. In the admin panel look for System → Firmware Update → Check Now. If the vendor has stopped releasing updates (check the support page), that’s a sign the hardware is EOL and should be replaced.
For 2026, the CISA router security guidance explicitly recommends auto-update for home devices. Flip it on; there’s almost no scenario where you want to defer router patches.
2. Change the admin password — not just Wi-Fi
The Wi-Fi password protects who gets on the network. The admin password protects who gets to change the router. These are separate credentials and many people never touch the admin one.
Use a 16+ character random password from a password manager. If the router still uses admin / admin or a password printed on the bottom label, change it this minute.
3. Switch to WPA3 (or WPA2/WPA3 Mixed)
WPA3 (released 2018, mandatory on Wi-Fi 6E/7 routers) closes the KRACK vulnerability and adds forward secrecy. If your router offers WPA3, turn it on. If you have older devices that can’t connect, use WPA2/WPA3 Mixed mode.
Never run WPA or WEP in 2026; both are cryptographically broken.
4. Disable WPS (Wi-Fi Protected Setup)
WPS was a “simpler setup” feature with a known brute-force vulnerability (Reaver). Two friends with ISP-supplied routers still had it on. Turn it off in Wireless → WPS → Disable. You’ll lose a 1-click pairing method you almost certainly don’t use.
5. Disable UPnP unless you know you need it
UPnP lets games and apps open inbound ports on the router automatically. Convenient, but every port it opens is a potential ingress point. Disable it in NAT Forwarding → UPnP. If a specific game or a Plex/Jellyfin install breaks, manually forward the exact port it needs.
6. Turn off remote management (WAN-side admin)
Remote admin lets you log in to your router from outside your home. Almost no home user actually needs this, and it’s a common attack surface. Disable Remote Management / Admin From WAN. If you genuinely need it, require a VPN connection to your home network first.
7. Create a guest Wi-Fi SSID
A guest SSID gives visitors internet without access to your local network (smart TVs, NAS, laptops). On most routers this is one checkbox in Wireless → Guest Network. Set a different password and enable AP isolation so guest devices can’t see each other either.
8. Put IoT devices on a separate SSID or VLAN
Smart plugs, cameras, and cheap IoT gadgets are the single most common source of home-network compromise. The 2026 NIST IoT Cybersecurity Program explicitly recommends network segmentation as baseline.
On a mesh router (eero, Netgear Orbi, Asus ZenWiFi) this is a toggle. On a basic router, use the guest SSID for IoT if you can’t create a dedicated VLAN.
9. Use DNS over HTTPS (DoH) or DoT
Default DNS from your ISP is unencrypted and logged. Modern routers support DNS over HTTPS (DoH) or DNS over TLS (DoT). Set the upstream DNS to a privacy-respecting provider:
| Provider | Filtering | Notes |
|---|---|---|
| Cloudflare 1.1.1.1 | None / Family | Fastest in most regions |
| Quad9 9.9.9.9 | Malware blocking | Non-profit, Swiss-based |
| NextDNS | Custom rules | Best for family filtering |
DoH on the router covers every device on the network automatically.
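To make concrete what a DoH-capable router is doing upstream, here is a minimal DNS-over-HTTPS client added for this checklist (it is not code from any router vendor or DNS provider). It builds the same wire-format DNS message used on plain port-53 DNS, sends it in an HTTPS POST with Content-Type application/dns-message, and decodes the answer. The Cloudflare endpoint URL is the provider's published one; the query name example.com, the sample response and the TEST-NET address 192.0.2.1 in it are constructed so the encoder and decoder can be checked offline.

```python
"""Minimal DNS-over-HTTPS client (added example; not code from any router vendor
or DNS provider). A DoH-capable router does this for every client on the LAN:
the DNS wire-format message is unchanged, it is just carried inside an HTTPS
POST with Content-Type application/dns-message. The encoder/decoder below is
exercised offline with a constructed response; send_doh() needs network access.
"""
import struct
import urllib.request

DOH_URL = "https://cloudflare-dns.com/dns-query"  # Cloudflare's public DoH endpoint


def build_query(name, qtype=1, txid=0x1234):
    """Encode a single-question DNS query (qtype 1 = A record) in wire format."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD=1, one question
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.rstrip(".").split("."))
    return header + qname + b"\x00" + struct.pack(">HH", qtype, 1)  # class IN


def _read_name(msg, offset):
    """Decode a possibly compressed name at offset; return (name, next_offset)."""
    labels = []
    jumped = False
    end = None
    while True:
        length = msg[offset]
        if (length & 0xC0) == 0xC0:  # compression pointer to an earlier name
            pointer = struct.unpack(">H", msg[offset:offset + 2])[0] & 0x3FFF
            if not jumped:
                end = offset + 2  # the record continues after the 2-byte pointer
            jumped = True
            offset = pointer
            continue
        offset += 1
        if length == 0:
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), (end if jumped else offset)


def parse_response(msg):
    """Return (rcode, [(name, type, ttl, rdata_text)]) from a DNS response."""
    _txid, flags, qd, an, _ns, _ar = struct.unpack(">HHHHHH", msg[:12])
    rcode = flags & 0x000F  # 0 = NOERROR, 3 = NXDOMAIN
    offset = 12
    for _ in range(qd):  # skip the echoed question section
        _, offset = _read_name(msg, offset)
        offset += 4  # qtype + qclass
    answers = []
    for _ in range(an):
        name, offset = _read_name(msg, offset)
        rtype, _rclass, ttl, rdlen = struct.unpack(">HHIH", msg[offset:offset + 10])
        offset += 10
        rdata = msg[offset:offset + rdlen]
        offset += rdlen
        text = ".".join(str(b) for b in rdata) if rtype == 1 and rdlen == 4 else rdata.hex()
        answers.append((name, rtype, ttl, text))
    return rcode, answers


def send_doh(name, url=DOH_URL):
    """POST the wire-format query over HTTPS and decode the answer (needs network)."""
    req = urllib.request.Request(
        url, data=build_query(name), method="POST",
        headers={"Content-Type": "application/dns-message",
                 "Accept": "application/dns-message"})
    with urllib.request.urlopen(req, timeout=5) as resp:
        return parse_response(resp.read())


# Constructed response: example.com A 192.0.2.1 (a TEST-NET-1 address), with the
# answer name given as a compression pointer (0xC00C) back to the question name,
# which is how real resolvers encode it.
SAMPLE_RESPONSE = (
    struct.pack(">HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)  # response, RD+RA, NOERROR
    + build_query("example.com")[12:]
    + b"\xc0\x0c" + struct.pack(">HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 1])
)

if __name__ == "__main__":
    print(parse_response(SAMPLE_RESPONSE))
```

Run it as a script to decode the constructed response; call `send_doh("example.com")` from a machine with internet access to see a live answer from the resolver. The point for the checklist: nothing about the DNS question changes, only the transport, which is why enabling DoH on the router is transparent to every client.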
10. Verify SSID doesn’t leak personal info
“Smith Family” or “Kim_Apt_1203” is fine for convenience but leaks info. A neutral SSID like “Home 5G” is better. Also, disable SSID broadcast only if you understand it doesn’t meaningfully improve security — it just hides the name.
11. Disable Wi-Fi radio bands you don’t use
2.4 GHz has longer range and worse performance. If you don’t have 2.4 GHz-only devices, disable the band in Wireless → 2.4 GHz → Off. Every extra band is another attack surface.
12. Check the logs every quarter
Most routers keep basic logs (login attempts, connected devices). Once a quarter, scroll through and look for devices you don’t recognize, repeated failed admin logins, or suspicious port-forward rules you didn’t create. 2026 firmware from ASUS, Netgear, and eero has basic log email alerts — turn them on.
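Scrolling through the log works, but a short script makes the quarterly check repeatable. The following is an added example (not firmware code from ASUS, Netgear, eero or any other vendor). It assumes the router can export a plain-text log with one `TIMESTAMP EVENT key=value ...` record per line, which is a simplification of real vendor formats, and it flags exactly the three things above: devices you don't recognise, repeated failed admin logins from one source, and port-forward rules you didn't create. The log lines, the device inventory and the threshold are constructed for the example.

```python
"""Quarterly router log triage (added example; not from any vendor's firmware).

Assumptions: the router exports a plain-text log where each line reads
"<ISO timestamp> <EVENT> key=value ...". Real routers use many formats, so
adjust LINE_RE / parse_line() to match yours. The sample log, the inventory
of known devices and the threshold below are constructed for this example.
"""
import re
from collections import Counter, defaultdict

# Constructed sample log (not captured from a real router).
SAMPLE_LOG = """\
2026-03-01T08:12:03 DHCP_LEASE mac=aa:bb:cc:11:22:33 ip=192.168.1.20 host=laptop-anna
2026-03-01T08:14:10 DHCP_LEASE mac=aa:bb:cc:44:55:66 ip=192.168.1.21 host=tv-livingroom
2026-03-02T02:31:44 ADMIN_LOGIN_FAIL src=203.0.113.45 user=admin
2026-03-02T02:31:49 ADMIN_LOGIN_FAIL src=203.0.113.45 user=admin
2026-03-02T02:31:55 ADMIN_LOGIN_FAIL src=203.0.113.45 user=admin
2026-03-02T02:32:01 ADMIN_LOGIN_FAIL src=203.0.113.45 user=root
2026-03-03T19:05:12 DHCP_LEASE mac=de:ad:be:ef:00:01 ip=192.168.1.77 host=unknown
2026-03-04T09:00:00 ADMIN_LOGIN_OK src=192.168.1.20 user=admin
2026-03-04T09:02:30 PORT_FORWARD_ADD proto=tcp ext=3389 int=192.168.1.77:3389
2026-03-05T11:45:00 ADMIN_LOGIN_FAIL src=192.168.1.20 user=admin
"""

# Devices you recognise (constructed inventory). Anything else gets flagged.
KNOWN_DEVICES = {
    "aa:bb:cc:11:22:33": "laptop-anna",
    "aa:bb:cc:44:55:66": "tv-livingroom",
}

# Port forwards you created on purpose, as (proto, external_port); empty if none.
EXPECTED_FORWARDS = set()  # e.g. {("tcp", 32400)} for a Plex server you run

FAIL_THRESHOLD = 3  # failed admin logins from one source before it is flagged

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<event>[A-Z_]+)\s*(?P<rest>.*)$")


def parse_line(line):
    """Turn one log line into (timestamp, event, {key: value}); None if unparseable."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    fields = dict(kv.split("=", 1) for kv in m["rest"].split() if "=" in kv)
    return m["ts"], m["event"], fields


def triage(log_text, known=KNOWN_DEVICES, expected_forwards=EXPECTED_FORWARDS,
           threshold=FAIL_THRESHOLD):
    """Return the three findings the quarterly check looks for."""
    unknown = {}                 # mac -> hostname the device announced
    fails = Counter()            # source address -> failed admin logins
    fail_users = defaultdict(set)
    forwards = []                # (rule, internal target) not in expected_forwards
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if not parsed:
            continue
        _, event, f = parsed
        if event == "DHCP_LEASE" and f.get("mac") not in known:
            unknown[f.get("mac", "?")] = f.get("host", "?")
        elif event == "ADMIN_LOGIN_FAIL":
            src = f.get("src", "?")
            fails[src] += 1
            fail_users[src].add(f.get("user", "?"))
        elif event == "PORT_FORWARD_ADD":
            rule = (f.get("proto", "?"), int(f.get("ext", 0)))
            if rule not in expected_forwards:
                forwards.append((rule, f.get("int", "?")))
    brute = [(src, n, sorted(fail_users[src]))
             for src, n in fails.items() if n >= threshold]
    return {"unknown_devices": unknown,
            "brute_force": brute,
            "unexpected_forwards": forwards}


if __name__ == "__main__":
    for key, items in triage(SAMPLE_LOG).items():
        print(f"{key}: {items if items else 'nothing flagged'}")
```

On the constructed log the script flags one unknown MAC, four failed logins from one external address (the single typo'd login from the known laptop stays below the threshold), and an RDP forward to that unknown device, which is exactly the combination worth investigating immediately. Paste your own exported log into `SAMPLE_LOG`, fill in `KNOWN_DEVICES` and `EXPECTED_FORWARDS` once, and the quarterly review becomes a ten-second run.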
What if you’re stuck with an ISP-supplied router?
ISP boxes (Xfinity, Verizon Fios, KT, etc.) often lock you out of the settings above. Two options:
- Request bridge mode from the ISP and put your own router behind it
- Upgrade to a quality consumer mesh (eero 7, Asus ZenWiFi BT8, Netgear Orbi 970) and let the ISP box run PPPoE only
The “two routers in series” setup adds a small NAT hop but gives you full control of the inner network.
Quick verification after you’re done
- Run `curl https://ipleak.net/json/` on one device — check that the public IP matches your ISP, not a leaked interface
- Check Shodan.io for your public IP — no services should be exposed
- Run a port scan from outside your network (e.g., Pentest Tools free trial) — only expected ports should respond
Related reading
- Home Network Security Checklist for Remote Workers
- Wi-Fi Security Tips for Public Networks
- Zero Trust Security Architecture
Sources
- CISA, Home Network Security Guidance
- NIST, IoT Cybersecurity Program
- FBI IC3 2026 Annual Report
- Wi-Fi Alliance, WPA3 Specification Updates 2026