How to Protect Your Wi-Fi Network
The best way to protect your Wi-Fi network is to know what your router, gateway, or mesh system can do. We tend to change a few settings in our router apps and move on with life, but if you look closely, you can probably adjust other settings and your own personal habits to make your Wi-Fi network even safer than before.
We walk you through nine suggestions that should help make your Wi-Fi network safer to use—but not before we highlight a few refresher suggestions you’ve probably read a billion times over. We’ll be quick about it. We promise.
Before we begin: The settings you probably already changed (or didn’t need to)
Many how-tos you find (including some of ours) tell you to do this, to do that, and to do that too. But based on the dozens of routers we’ve set up and tested, we can guarantee that you’ve already completed most of the blanket suggestions during the initial setup. Let’s take a quick look.
Settings you changed during setup
Set a new administrator and account password
You were asked to create one or two things, depending on the model:
- A password or passcode containing letters, numbers, and symbols to access the router locally.
- A cloud account, like TP-Link ID and MyNETGEAR, using a password or passcode containing letters, numbers, and symbols to access the router or system locally or remotely.
This step is unavoidable. Hopefully, you created strong ones. If not, log back in and do so now. Like, pronto.
Set the Wi-Fi network name(s) and password(s)
This step is usually next. Here you were supposed to change the network name and password—two or three times if you disabled Smart Connect (a.k.a. band steering). If you’re still using the defaults, load up the web interface or app and change them now.
Settings you didn’t need to change during setup
Here are a few more features that were automatically enabled when you set up your router or mesh system.
Routers and mesh systems enable encryption by default, so you had nothing to do during the setup. WPA3 is the latest version, although many still default to WPA2 Personal. Never, ever turn off encryption. Never. Ever. Without it, anyone within range can join your network and eavesdrop on what your devices send over it.
Routers and mesh systems automatically enable the firewall by default. In many cases, you can’t even disable it. Your computers have firewalls enabled by default, too, but you can always ensure they’re active by following our guide on enabling or disabling a firewall.
Routers and mesh systems automatically update their firmware by default. Based on our testing, ASUS is the only company requiring you to enable automatic updates manually. If it’s not already, you should enable this feature or manually update the firmware.
Read our guide on how to update your router’s firmware for more information.
How to secure your home Wi-Fi network
Now, with the setup settings out of the way, we can jump into our nine suggestions for increasing the security of your Wi-Fi network. Some you may have read before, so consider them as Refresher Wi-Fi 101.
Suggestion #1—Use the built-in security features
Security features are hit or miss in terms of what you get for free on a router, gateway, or mesh system. For example, TP-Link’s HomeCare suite for its standalone Archer-branded routers includes content filtering, website blocking, and antivirus. In contrast, HomeShield on its other routers and mesh systems locks antivirus and some parental controls behind a subscription.
Still, in both cases, you can manually block specific websites and services network-wide for free to keep friends and family safe. You can also block apps and websites on a per-profile basis using routers and mesh systems that support them.
The website and service-blocking function isn’t just a TP-Link thing, either. It’s typical across nearly every router and system we’ve tested to date.
Suggestion #2—Use QR codes to share Wi-Fi login info
Using QR codes should be your next step in protecting your Wi-Fi network. You worked hard to create a unique password or passphrase, right? The last thing you want is for someone to text, write down, or blurt it out to everyone entering your home—especially if you’re running an Airbnb or renting a room.
To prevent your password from ending up on a napkin, share it using a QR code. All routers and mesh systems have this capability in their mobile apps. Be sure to check out our guide on how to share your Wi-Fi password from your phone for more information.
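What the QR code actually contains, shown as an added example that is not part of the original article: the de facto `WIFI:` text payload that phone cameras recognise, including the escaping needed when a passphrase contains symbols. The function names and the sample values in the comments are made up for illustration.

```python
# Added example: build the text payload that a Wi-Fi QR code encodes.
# De facto format (popularised by the ZXing barcode project):
#   WIFI:T:<auth>;S:<ssid>;P:<passphrase>;H:true;;
# Feed the returned string into any QR code generator.

SPECIAL = '\\;,":'  # characters that must be backslash-escaped inside a field


def escape_field(value: str) -> str:
    """Backslash-escape the characters that have meaning in the payload."""
    return "".join("\\" + ch if ch in SPECIAL else ch for ch in value)


def wifi_qr_payload(ssid: str, passphrase: str = "", auth: str = "WPA",
                    hidden: bool = False) -> str:
    """Return the payload string for a network; auth is WPA, WEP or nopass."""
    if auth not in ("WPA", "WEP", "nopass"):
        raise ValueError("auth must be WPA, WEP or nopass")
    if auth == "nopass" and passphrase:
        raise ValueError("open networks take no passphrase")
    if auth == "WPA" and len(passphrase) < 8:
        # WPA2-Personal passphrases are at least 8 characters long
        raise ValueError("passphrase too short for WPA")
    parts = [f"T:{auth}", f"S:{escape_field(ssid)}"]
    if auth != "nopass":
        parts.append(f"P:{escape_field(passphrase)}")
    if hidden:
        parts.append("H:true")  # tells the phone the SSID is not broadcast
    return "WIFI:" + ";".join(parts) + ";;"


if __name__ == "__main__":
    # Constructed sample values, not real credentials
    print(wifi_qr_payload("HomeNet", "correct;horse:battery"))
```

The payload carries the passphrase in plain text, so a printed or photographed code should be treated like the password itself.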
Suggestion #3—Use profiles
Profiles are usually associated with parental controls, but they’re a good way to identify devices and lock them down to specific individuals accessing your Wi-Fi network, not just kids.
As previously mentioned, you can block specific users from accessing a website, app, or content type, like a troublesome teen who refuses to stop streaming those “free” movies still playing in theaters. This tool is essential in preventing them from downloading suspicious apps that can unleash malware across your network.
What’s also useful is you can pause their internet access indefinitely or just block every device they own. However, not all standalone routers support profiles and those that do may lock features behind a subscription. All mesh systems use profiles with some paid and premium features.
Suggestion #4—Enable connection alerts
Technically, this feature doesn’t secure your Wi-Fi network. Instead, it presents a notification on your screen whenever a wired or wireless device joins your network. If it’s a device you don’t recognize, you can quickly jump into the mobile app or web interface and block it. Case closed, and ask questions later.
Let’s look at an example of how this works. Suppose you didn’t use a QR code to share the Wi-Fi password with a family member. You created a profile and assigned their devices to that profile.
Soon you discovered the family member was downloading pirated movies, so you used the profile to block all their devices. The sneaky sneak then connects a new device to the network using the password you previously provided.
When the device connects for the first time, you receive an alert on your screen. You either block the device immediately or add it to the profile (which we recommend) and block it. Can you tell we deal with teens? It feels like a second job. Seriously.
Of course, connection alerts apply to any strange device that accesses your Wi-Fi, like a hacker who managed to figure out your easy-to-guess password.
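The logic behind a connection alert, as an added example that is not from the original article or any router vendor: compare the devices holding an address lease against a list of devices you recognise. It assumes dnsmasq-style lease lines; the allowlist, MAC addresses and hostnames are constructed sample data.

```python
# Added example: the logic behind a "new device joined" alert.
# Assumes dnsmasq-style lease lines: <expiry> <mac> <ip> <hostname> <client-id>
# Every MAC address, hostname and lease below is constructed sample data.

KNOWN_DEVICES = {                  # hypothetical allowlist: MAC -> profile
    "3c:22:fb:10:aa:01": "alex-laptop",
    "a4:83:e7:5b:0c:9d": "living-room-tv",
}

SAMPLE_LEASES = """\
1718000000 3c:22:fb:10:aa:01 192.168.1.20 alex-laptop 01:3c:22:fb:10:aa:01
1718000300 A4:83:E7:5B:0C:9D 192.168.1.21 tv *
1718000900 da:a1:19:4f:3e:77 192.168.1.57 * *
1718001200 00:1b:63:84:45:e6 192.168.1.58 gamebox *
"""


def is_randomized(mac: str) -> bool:
    """True if the locally administered bit is set, as in private/random MACs."""
    return bool(int(mac.split(":")[0], 16) & 0x02)


def find_unknown_devices(lease_text: str, known: dict) -> list:
    """Return one alert dict per leased device whose MAC is not allowlisted."""
    alerts = []
    for line in lease_text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue               # skip blank or malformed lines
        mac, ip, host = fields[1].lower(), fields[2], fields[3]
        if mac in known:
            continue
        alerts.append({
            "mac": mac,
            "ip": ip,
            "hostname": None if host == "*" else host,
            # A known phone using a private address also shows up as "new"
            "randomized_mac": is_randomized(mac),
        })
    return alerts


if __name__ == "__main__":
    for alert in find_unknown_devices(SAMPLE_LEASES, KNOWN_DEVICES):
        print("ALERT new device:", alert)
```

The `randomized_mac` flag matters because phones that rotate their hardware address will trigger an alert even though the device itself is familiar.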
Suggestion #5—Create a separate network for guests and IoT devices
Allowing friends and family to access your Wi-Fi network is okay. They’re people you can trust to use your internet connection responsibly—well, usually. If they get out of hand, you can always pause their internet or block their devices if you follow our previous suggestions to create profiles and enable connection alerts.
But for people you don’t really know, we suggest creating a guest network to separate their devices from yours. Technically, you’re all still on the same Wi-Fi network, but your guests use a virtual one that prevents their devices from accessing your devices, like a computer with shared folders or a network printer. Some routers and mesh systems allow you to give the guest network access to your local devices, but we suggest you keep the network isolated to prevent possible malware infections.
IoT devices should be on a separate network, too. Some routers allow you to create a third network specifically for IoT device use. If your router doesn’t, create a second “guest” network even if you never plan to provide Wi-Fi access to strangers (who can always use their mobile data). This virtual network helps keep your devices safe from a possible attack carried out by hackers infiltrating your IoT devices.
Read our guide on how to set up a guest Wi-Fi network for more information.
Suggestion #6—Disable remote management
Web-based remote management really isn’t a thing anymore, but some routers still offer it. In short, you can access the router’s web interface and change the settings from anywhere, but it can be an easy entry point for hackers—especially on older routers with their original login credentials still intact. Toggle this feature off if it’s not already.
However, don’t confuse web-based remote management with the cloud-based one. Most routers and all mesh systems now support remote management through cloud accounts and mobile apps. You can also disable this feature on standalone routers if you never intend to use it outside your Wi-Fi network.
Here are a few examples of where you can find the remote management setting:
| Router | Where to find the setting |
|---|---|
| ASUS ROG Rapture GT-AX11000 | Advanced Settings > Administration > System Settings |
| TP-Link Archer AX5400 Pro | Advanced > System > Remote Management |
Suggestion #7—Disable Universal Plug and Play (UPnP)
Universal Plug and Play (UPnP) was initially designed to connect and use devices on a wired network without manually installing drivers or configuring settings. Now, many moons later, nearly all Wi-Fi routers support UPnP and enable it by default.
The problem is there are no means to authenticate and authorize UPnP devices, so they all essentially “trust” each other. They’re also now exposed to the internet, so a hacker can fool your router by posing as a UPnP device and march right in to infect every device you own with malware.
To keep hackers out, we suggest disabling UPnP. The drawback is UPnP devices use virtual connections (ports) to communicate, which are opened automatically with UPnP enabled. You’ll need to manually configure these ports on the router for your UPnP devices to work.
Here are a few examples of where you can find the UPnP setting based on the routers we’ve tested:
| Router | Where to find the setting |
|---|---|
| ASUS ROG Rapture GT-AX11000 | Advanced Settings > WAN > Internet Settings > Basic Config |
| NETGEAR Nighthawk RAX80 | Advanced > Advanced Setup > UPnP |
| TP-Link Archer AX5400 Pro | Advanced > NAT Forwarding |
Suggestion #8—Disable Wi-Fi Protected Setup (WPS)
Wi-Fi Protected Setup (WPS) is supposed to be an easy way to connect any wireless device to your Wi-Fi network. You don’t need the password to do so, either—simply press the WPS button on the router, or enter the supplied eight-digit PIN. Easy, right?
The security issue lies with the PIN. Hackers can use software in a brute-force attack to uncover and use that PIN to take control of your Wi-Fi router and network. Why leave it on if you never plan to use the WPS function?
| Router | Where to find the setting |
|---|---|
| ASUS ROG Rapture GT-AX11000 | Advanced Settings > Wireless > WPS |
| Linksys EA8300 | Router Settings > Wi-Fi Settings > WPS |
| TP-Link Archer AX5400 Pro | Advanced > Wireless > WPS |
Suggestion #9—Schedule a reboot
Your standalone router, gateway, or mesh system router has two addresses: a private one that faces your devices and a public one assigned by your internet provider. The second address is viewable by all internet devices—including those controlled by hackers. It’s usually refreshed every 14 days, but you should reboot your router weekly to keep the target off your back. A reboot also clears any junk in the router’s memory that could reduce your speeds.
Unfortunately, some routers don’t have the means to schedule a reboot, so you’ll need a smart plug you can schedule to cut the power for a minute once a month (which may or may not work, depending on the router) or set yourself a reminder.
Here are a few examples of where you can find the setting based on the routers we’ve tested:
| Router | Where to find the setting |
|---|---|
| ASUS ROG Rapture GT-AX11000 | Advanced Settings > Administration > System > Basic Config |
| ExpressVPN Aircove | Advanced Settings > Router Settings |
| TP-Link Archer AX5400 Pro | Advanced > System > Reboot |

Read more about how often you should reboot your router.
Add a firewall router
Want to really secure your Wi-Fi network? Get a wired firewall router. It sits between your modem or ONT and your Wi-Fi router or mesh system. Its sole purpose is to thoroughly examine every bit of data that flows to and from your modem or ONT, so your speeds will be slower than usual.
The Cisco Meraki Go GX50 is a good example. You can create up to four virtual networks and assign each to an Ethernet port. So, in theory, your Wi-Fi router can be on one network and your wired devices on another. You can isolate these networks or let them mingle—whatever works best for you.
But the GX50’s biggest selling point is how it thoroughly inspects all traffic, giving you an extra layer of security at the cost of reduced speeds. Some routers have a similar “stateful” firewall you can toggle on, but again, you’ll see a speed reduction since the deep inspection takes longer to process.
Hide your network name
Changing your Wi-Fi network’s name is smart. The default ones usually include the manufacturer’s name, which you want to avoid broadcasting to every hacker in the vicinity. Even if they see you have a NETGEAR router, your chances of getting hacked are slimmer now that manufacturers use random passphrases for setting up routers instead of static passwords. Still, you’d like to be as anonymous as possible. No sense in baiting the nefarious, right?
That’s probably why you’ll see suggestions to hide your network name altogether—even after you created something so unique and cool that you hoped would be applauded each time your neighbors saw it on the Wi-Fi list. But with your network name broadcast disabled, anyone searching for a Wi-Fi network will see “Hidden” instead of the name you painstakingly chose.
But keep this in mind: You’re hiding the Wi-Fi network from your neighbors, but hackers can see your network’s name by using software to eavesdrop on your devices’ unencrypted requests before they fully connect to Wi-Fi. In other words, your “hidden” network isn’t completely hidden, so disabling your network name broadcast is kinda pointless in terms of hiding from hackers.
Use a Virtual Private Network (VPN)
Virtual Private Networks (VPNs) don’t protect your Wi-Fi network as a whole—they protect individual connections, so this suggestion isn’t part of our main list.
For example, you may subscribe to ExpressVPN, but the only way to use it with your Xbox or PlayStation is to add the console’s IP address to your ExpressVPN account. After that, you enter the provided ExpressVPN DNS server IP address into the console’s settings. If anything, you’d use the router to create a static IP address for the console so it doesn’t change.
The only exception is if a router includes a VPN client. In this case, you’d enter your ExpressVPN login credentials directly into the router’s web interface. Now, every device connected to the router is redirected to the ExpressVPN network, including your devices that don’t support VPN software (like the Xbox).
Not all routers, gateways, and mesh systems have built-in VPN clients.
Our verdict: Know your router’s capabilities
Based on all the routers and mesh systems we’ve tested, you must set a new admin password, Wi-Fi name, and Wi-Fi password before you can even use your new network. There’s no getting around it, and hopefully, you made the right choices to keep your Wi-Fi network, devices, and people safe. Other features are automatically selected for you, so we didn’t zero in on those suggestions.
Overall, routers, gateways, and mesh systems have some free security you can utilize, like blocking websites and services, but you may have to dig into the web interface to use them. Most now also support QR codes and connection alerts, so you can safely share your Wi-Fi credentials and see who connects in real time.
Protecting your Wi-Fi network isn’t difficult, but you must be proactive. Block websites. Set filters. Create profiles. Disable unused features. Take the time to really dig into what your router or mesh system can do so everyone in your home can safely use the internet.
Author - Kevin Parrish
Kevin Parrish has more than a decade of experience working as a writer, editor, and product tester. He began writing about computer hardware and soon branched out to other devices and services such as networking equipment, phones and tablets, game consoles, and other internet-connected devices. His work has appeared in Tom’s Hardware, Tom's Guide, Maximum PC, Digital Trends, Android Authority, How-To Geek, Lifewire, and others. At HighSpeedInternet.com, he focuses on network equipment testing and review.