How do I secure my home Wi-Fi router?

More context

The home router is the boring centre of your digital life. It connects every device in your home to the internet, it sees the traffic of every device on the network, and it is the first thing an attacker would take over if they wanted lasting access to your household. It is also the device most people set up once and forget for five years.

The five things that actually matter, in order:

1. Change the admin password on day one. The “admin password” is not the Wi-Fi password — it is the password to log into the router’s settings page (192.168.1.1, 192.168.0.1, or via the ISP’s app). Default admin passwords are public knowledge (or printed on a sticker that visitors can see). Change it to a long unique password and write it down. This single step blocks most opportunistic attacks.

2. Use WPA3 (or WPA2-AES) with a strong passphrase. Open your router’s wireless settings, ensure WPA3 or WPA2-AES is selected, and set a passphrase of at least 15-20 characters — a sentence works well. WEP and WPA1 are broken; if you see them, disable them. A long passphrase is more important than complicated character classes.

3. Turn off WPS-PIN, and ideally WPS entirely. WPS-PIN is the 8-digit shortcut that the Reaver attack of 2011 made into a back door. The push-button form is safer but rarely needed; turning the whole thing off is the simplest choice.

4. Update the router firmware — and check that automatic updates are on. Router firmware contains the bugs attackers exploit (TP-Link, Netgear, ASUS, and many ISP routers have all had emergency patches in recent years). ISP-supplied routers usually update themselves; consumer routers often need a manual click in the admin panel; many older ones never get updates at all and should be replaced once support ends.

5. Set up a guest Wi-Fi for visitors and smart-home devices. The guest network broadcasts its own password, gives access to the internet, but cannot reach the main network. Give the guest password to friends, AirBnB renters, and — crucially — to your smart-home devices (smart TV, robot vacuum, security camera, smart bulbs). Many smart-home devices have poor security; isolating them on the guest network keeps a compromised lightbulb from pivoting to your laptop.

Things that sound like security but are mostly theatre:

• Hiding the SSID (“don’t broadcast network name”). Trivially detected by anyone who actually wants to attack you, while breaking the auto-join behaviour of your own devices. Skip.
• MAC-address filtering (“only allow my devices to join”). MAC addresses are visible to any attacker and can be spoofed in seconds. Skip.
• Reducing transmit power (“so the Wi-Fi doesn’t reach the street”). Attackers use directional antennas. The signal you can pick up from your couch is not the signal an attacker can pick up from outside. Skip.
• Buying a “secure router” with marketing claims. A well-configured mainstream router is fine. The premium label is rarely worth the upgrade unless the device adds genuine features like network-wide ad blocking or per-device parental controls.

Things worth doing if you want one more layer:

• DNS over HTTPS / DNS over TLS in your router or in each device. Encrypts the DNS queries that show what sites you visit. Some routers have it built in; otherwise apps like Cloudflare 1.1.1.1, NextDNS, or Quad9 do the same on each device.
• Network-wide ad/tracker blocking (Pi-hole, AdGuard Home, NextDNS) — set at the router level so every device benefits. Modest privacy win; sometimes a noticeable speed-up.
• A separate IoT VLAN if your router supports it — like guest Wi-Fi but more granular.

For most households, the five-step list above is the entire security plan for the home network. It is dull and once-and-done — the opposite of the constant attention email and phones require. Dull is good. Do it once, write the new admin password down, and the router stops being the weakest link.