7 Signs Your Router Was Hacked and How to Fix It
See if you have a hacked router and learn how to safeguard your data and devices against future attacks.
You’ll always have internet connection issues, whether it’s due to the weather, problems on your provider’s side, or issues related to the equipment in your home or office. But what if you suspect foul play? What if all your devices load the same website no matter what you type into the address bar? What if you’re sitting at your computer and silently watch a “ghost” seize your mouse and access your bank account?
Those scenarios are good signs that someone has hacked your router. But don’t worry: we’ll clue you in on how to recognize a hacked router, how to fix it, and how to make sure it never happens again.
Are you troubleshooting speed issues? You may not have a hacked router but a slow internet plan. Enter your zip code below to find a faster plan in your area.
Signs that someone hacked your router
There are many signs of a possible router hack that can throw up a red flag. Some are general and could apply to other router-related issues. Others are a sure sign that someone other than you has taken control of your router.
You can’t log in to your router
You should worry about a possible hack if you can’t log in to your router or wireless gateway. Typically, routers ship with default login credentials you can use to access the settings. You’re supposed to change these credentials during the initial setup process (but not everyone does).
However, if you can’t log in to your router using the credentials you created, there’s a possibility that it’s hacked. Someone may have figured out the credentials, logged in, and changed the password to lock you out. After that, a hacker has free reign to change additional settings and make your life miserable.
Issues with your router’s firmware can cause login problems, too, and if your network is behaving normally but you just can’t log in, it’s probably not compromised. In any case, you’ll need to reset the device to fix it.
Immediate action: Reset your router.
All internet browsers lead to the same site
Browser hijacking is a sure sign that you have a hacked router or wireless gateway.
In this case, a hacker logged in to your router and changed its Domain Name System (DNS) settings—the system that matches numeric IP addresses with their web domains.
By doing so, the hacker can redirect all internet traffic through your router to a malicious DNS server. This server will lock you to specific websites that can steal your information and install malicious software on every internet-connected device you own.
Immediate action: Log in to your router and change the DNS settings and password. If you can’t log in, reset your router. You should also scan every device with antivirus software to make sure there’s nothing on your devices that’s hijacking your browser.
There’s strange software on more than one device
If you see new, unfamiliar software on more than one device—especially if you didn’t download it intentionally—there’s a good chance someone hacked your router and remotely installed malware onto your devices.
Strange, uninvited software includes browser toolbars, fake antivirus clients, and other programs that will generate random popups on your screen or within a browser.
If you have multiple computers, chances are this uninvited software is on all of them. Malware can replicate on a single device and spread across wired and wireless connections, similar to how a virus spreads from person to person.
Immediate action: Log in to your router and change the password. If you can’t log in, reset your router. Afterward, make sure your router has the latest firmware. Be sure to uninstall the strange software from your device(s) and run an antivirus client.
When left unsupervised, kids can download software without fully realizing the possible consequences. This scenario is where parental tools are a great resource—check out our list of the best routers for parental controls for a few upgrade ideas. We also list the best parental control apps and tips on how to keep kids safe online.
You receive a ransomware message
Ransomware messages are a good sign that you have a hacked router. These attackers can seize control of the router and demand money in return for its release. The message may appear in the form of an email, instant message, text, or a popup generated by uninvited software installed on your device.
Immediate action: Reset your router and don’t pay a dime. Be sure that you create a unique password that hackers can’t guess.
Phishing is another email-based way to hack into your router. The message could appear to originate from your internet provider stating that a hacker compromised your router and that you should click the supplied link to resolve the issue. The resulting webpage could then log in to the router using the default credentials if you never changed them. Never click links in emails from unknown sources.
You see unrecognized devices on your network
You can see a list of devices accessing your home or office network using the router’s web interface or a compatible mobile app. For example, the Linksys Smart Wi-Fi interface provides a network map—just click on a device to see its assigned address.
When you look at the map, all local devices have a derivative of the router’s private IP address. If your router’s address is 192.168.1.1, for example, then all device addresses should start with 192.168.1.
However, a device remotely accessing your router won’t have an address that matches the first three numbers of your router’s private address.
Immediate action: Kick the unknown device(s) off your network and change the password. Disable remote access if you never plan to use it.
You can’t control your device
If you’re sitting in front of your computer watching an uninvited, unseen guest move the mouse and access your banking information, you definitely have a hacked router.
In this scenario, the hacker has remote access to your device and can open any file or online account using the passwords you store in the operating system or browser.
Immediate action: Unplug your devices and disconnect your router from your modem. After that, reset your router.
Your internet speeds are slower than snails
Slow cable internet speeds are typical at peak times, when multiple devices stream content simultaneously, or when your internet provider has network issues. But if you’re experiencing extremely slow speeds along with other symptoms on this list, chances are you have a hacked router.
Your speeds could be slow because the hacker is using all your bandwidth for botnet activity, distributing malware to other networks, remote connections to your devices, cryptojacking, and general internet piggybacking.
Immediate action: First, use our tips on how to speed up your internet to see if the problem is just a connection issue. If you think that someone hacked your router, try to change the password. If you can’t, reset your router.
Are you experiencing slow internet speeds? Run our speed test multiple times during the day and compare the results with the speeds advertised with your internet plan.
How to fix a hacked router or gateway
The steps to fixing a hacked router are quick and easy. There’s no need to throw it out the window and purchase a new unit.
Step 1: Disconnect the router or wireless gateway
If you have a standalone router, disconnect the Ethernet cord to avoid communicating with the modem. If you have a wireless gateway, disconnect the internet connection instead.
In both cases, disconnect all wired and wireless devices.
Step 2: Power cycle or reset your router or wireless gateway
In some router hacking cases, a simple power cycle works as a quick fix. This method clears the memory of any malicious code and refreshes your public IP address. Just pull the plug, wait 30 seconds, and then plug the cord back into the outlet.
In other cases, you may need to reset your router to its factory settings if an infection persists or you can’t log in. A power cycle cannot remove severe infections like VPNFilter.
To factory reset your router, find its reset button—it’s either surface-mounted or recessed on the back. Press and hold the button—you’ll need a paperclip for a recessed button—for 10 seconds until your router’s LEDs indicate a reboot.
Step 3: Change the password
Once the router reboots or resets, log in using the default credentials and change the password. You can use one of the best password managers to create one and retrieve it from your account when needed.
You could also create a passphrase—a long string of unrelated words—filled with symbols and numbers. Make it something you can remember, but that isn’t easily guessed.
Step 4: Update the firmware
Set your router to update its firmware automatically if it’s not already. And if your router doesn’t give you the option to update automatically, set yourself a reminder to check every month or so.
For example, you’ll find the firmware update section on a Linksys router by clicking on Connectivity listed under Router Settings. You should see a checked box next to Automatic displayed in the Router Firmware Update section. If not, click on the box to enable automatic updates.
Alternatively, you can click on the Check for Updates button or download the latest firmware from the manufacturer and install it by clicking the Choose File button.
Routers from other manufacturers provide similar firmware update tools.
How to prevent a router hack
Use the following suggestion to safeguard your devices and sensitive data against hackers.
Turn on automatic updates
Your router is a miniature computer with a processor, system memory, and storage that houses the operating system (firmware). Unfortunately, firmware is never bulletproof, as there are bugs in the code and security holes that can grant hackers easy access. Manufacturers distribute firmware updates regularly to squash these bugs and patch vulnerabilities.
If automatic updates are toggled off and you never manually install new firmware, hackers will have easy access to your router by utilizing the unpatched flaws in the firmware. Log in to your router and make sure that automatic updates are toggled on.
Use a secure password
All routers ship with default credentials you use to access the interface and adjust the settings. These credentials are typically printed in the paper manual supplied with your router and in a PDF version stored online. If you never changed these credentials during the initial setup, hackers can log in if they have your router’s public IP address.
Never use an easily guessed password with your router or Wi-Fi network. These include names of pets, children, other family members, and anything that links to your interests. Believe it or not, the two most used passwords are still 123456 and 123456789.1
A hacker can use free online tools to carry out a brute-force attack—a trial-and-error method that continuously enters every possible password until one works. Hackers can also use a library attack, which uses words pulled from a dictionary. These attacks can quickly crack an easy eight-character alphanumeric password.
Schedule routine reboots
The first step to hacker prevention is to schedule a monthly reboot. It’s good for the router, as a reboot can clear the system memory and refresh all connections.
Additionally, your internet provider assigns a public IP address to your router. It usually should refresh every 14 days (unless you pay for a permanent “static” address). Still, a reboot gives you an extra refresh if hackers obtained one of your previous addresses.
Disable remote access
Most routers provide the means to log in to their backend interface remotely. It allows users to make changes when they’re off the local network. However, hackers can also use remote access if they can guess the password.
Many routers provide a toggle to switch remote access on and off. Others models require your cloud account’s login credentials to use the remote access feature. Secure that account using a strong passphrase.
Wi-Fi Protected Setup (WPS) has good intentions; it allows users to connect their devices to a wireless network without using a password. Simply press the WPS button on the router, or enter an eight-digit PIN provided by the router.
Unfortunately, hackers can use a brute-force attack to figure out the PIN in 4 to 10 hours—they don’t need access to the physical button. You can easily disable WPS through the router’s backend and instead use our guide on how to share your Wi-Fi network’s password to any device.
If you have a Linksys router, for example, you can disable WPS by doing the following:
Step 1: Select Wi-Fi Settings displayed under Router Settings.
Step 2: Click on the Wi-Fi Protected Setup tab.
Step 3: Click the toggle so that it reads OFF.
Step 4: Click on the Apply button. You must click this button so that WPS and its related PIN are completely disabled—clicking on the toggle without applying the change isn’t enough.
Change the default SSID
The Service Set Identifier (SSID) is the technical term describing your wireless network’s name. Most routers broadcast the manufacturer’s name by default, like Linksys_330324GHz or NETGEAR_Wi-Fi. Anyone within range of your router can see this name, know who built your router, and search the internet for the default login credentials.
“Cheesedoodle” or “Wotulooknat” are a few examples of SSIDs that are unique and non-offending to neighbors. SSIDs can be 32 characters long.
If you want to keep hackers off your network, we suggest one of the best routers for security.
Never click or tap on strange links
Malware you unintentionally downloaded to your computer or mobile device could lead the way to a hacked router. You may have obtained the malware by clicking on a link in a phishing email or chat message, connecting an infected flash drive, accessing a malicious website, or viewing infected ads.
Even mobile devices can grant hackers access to your router. For instance, the Switcher trojan lurked in Android apps and contacted a command-and-control server once the user connected to Wi-Fi. It then began a brute-force attack on the router to hack into its interface and change the default DNS settings to one malicious server address and one Google server address, so the user didn’t grow suspicious.3
- NordPass, “Top 200 Most Common Passwords of the Year 2020,” Accessed August 11, 2021.
- Norton, “VPNFilter Malware Now Targeting Even More Router Brands,” Accessed August 11, 2021.
- Kaspersky Lab, “Switcher Hacks Wi-Fi Routers, Switches DNS,” December 28, 2016. Accessed August 11, 2021.
Author - Kevin Parrish
Kevin Parrish has more than a decade of experience working as a writer, editor, and product tester. He began writing about computer hardware and soon branched out to other devices and services such as networking equipment, phones and tablets, game consoles, and other internet-connected devices. His work has appeared in Tom’s Hardware, Tom's Guide, Maximum PC, Digital Trends, Android Authority, How-To Geek, Lifewire, and others. At HighSpeedInternet.com, he focuses on internet security.
Editor - Cara Haynes
Cara Haynes has been editing and writing in the digital space for seven years, and she's edited all things internet for HighSpeedInternet.com for five years. She graduated with a BA in English and a minor in editing from Brigham Young University. When she's not editing, she makes tech accessible through her freelance writing for brands like Pluralsight. She believes no one should feel lost in internet land and that a good internet connection significantly extends your life span.