You know that thing connected to your broadband master socket? It has the Wi-Fi key printed on it, and you reboot it when your broadband dies.
Your router is the most important electronic device in your home, controlling what can pass in and out of your home network.
It’s the gatekeeper between your safe-haven internal network environment and the Wild West of the unregulated internet — and it’s often neglected and extremely insecure.
Your Humble Home Router
Regrettably, most routers supplied by Internet Service Providers (ISPs) as part of your contract are designed and provisioned with a focus on budget, not efficacy and safety. Even devices that could do a decent job are likely to have insecure default configurations, or even service back doors and buggy firmware.
All modern routers include firewall functionality. How easy it is for the user to get access to the firewall and change the settings varies from manufacturer to manufacturer. In some cases, the user cannot even see the firewall settings. They are supplied black-box, configured in a one-size-fits-all format.
Those allowing changes to the configuration rarely tell their end users it’s possible. Even in the rare instances where the user is informed how to access the firewall settings, domestic users rarely take advantage of that.
If the unregulated internet is the Wild West, your firewall is the sheriff. It must be properly equipped and empowered to perform its role correctly. Otherwise, anyone or anything can stroll into your network.
And that can include your employer.
Read the Small Print
Many organizations include a section in employment contracts, their Acceptable Usage Policy, or their IT Security Policy that they reserve the right to scan anything that’s connected to the corporate network. That sounds fair enough. It’s their network, and they need to keep it secure. Of course, they’ll check out what connects to it.
But with the widespread move to homeworking driven by the COVID-19 pandemic, more employees are connecting to the corporate network from their home networks than ever before. Organizations use port scanning software and penetration testing software to probe your network, looking for vulnerabilities precisely like threat actors do.
Of course, if your employers detect vulnerabilities in your domestic router and network, they won’t infect you with ransomware. But knowing that anyone has been testing your router’s defenses — the digital equivalent of rattling your doors, trying the windows, and looking under the mat for the key — can still leave you feeling uncomfortable and resentful.
The first question you’ll probably ask is, are they allowed to do that? If it’s written into a policy or contract document that you are governed by, and you were introduced to the relevant policy during your induction and whenever it was amended and re-issued, then yes, they can. Without such a declaration, then no, they cannot. It is illegal to carry out port scanning and penetration testing on anyone’s network without their prior agreement, even if your intentions are good.
That’s why we say read the small print. Such a declaration might be tucked away in a policy document that applies to you. But even if it’s the case that your organization can do this, it would only be polite and respectful for them to alert you first.
A short communiqué explaining that a benign remote scan is going to be carried out on homeworkers’ networks, to ensure they are secure enough to connect to the corporate network, isn’t difficult to put together. And it makes a huge difference to morale. But sadly, such an explanation is often not made at all.
How to Make Your Router More Secure
Regardless of who’s trying to get in, what can you do to strengthen your defenses and make your router as impregnable as can be? What you can do depends on the manufacturer and the model of your router, but there should be at least something on this list for everyone.
The administrative interface, menus, and settings vary from make to make and model to model, so we can’t give you a step-by-step guide. But finding the appropriate settings in your router for the items in our list shouldn’t be too tricky — if you’re allowed to get at them. If your ISP has locked down the device and prevented you from accessing the critical settings, see item 1.
1. Is Your ISP Router Rubbish?
In general, ISP-provided routers are less secure than those that are sold—often by the same manufacturers—directly to consumers. Hard-coded back doors are common, and security patches and firmware upgrades often appear much later than the fixes and patches for the direct-to-consumer models. This is because the firmware in ISP-provided routers is customized for that ISP, and they need customized patches.
Nothing prevents you from purchasing your own router and using that instead. Keep the one your ISP sent you and use it as a hot spare. If you have an issue with your broadband and you’re wondering whether it is an issue with the router or a problem in the external broadband infrastructure, you can drop in the ISP router and see if the problem goes away. If it does, the issue is with your router; if it doesn’t, the problem is external.
2. Change the Default Admin Password
Many routers leave the factory with default administrator passwords, which is an open door for threat actors. Their scanning software will try to identify the router make and model — by examining the metadata in your router’s responses to their probing — and look up the default administrator credentials.
The first time you connect your router to configure it, change the administrator password to a secure and robust password. Or, even better, to a passphrase such as three words connected by punctuation. And while you’re at it, ensure the administrator web interface isn’t accessible from the internet. You’re not going to be doing remote administration on your router, so don’t give anybody else the chance.
3. Use a Router That Supports VPN
If you really, really need to have remote access to your router, use a router that supports virtual private network (VPN) connections. Restrict VPN connections to those on a list of approved IP addresses or to an IP address range. So, if you know you might need to VPN into your router from your office, add your office to the whitelisted IP addresses.
4. Go Incognito Even At Home
Even when connecting to your router from inside your network, it is good practice to use anonymous browsing, incognito mode, or whatever name your browser uses for amnesiac browsing. That way, your browser won’t cache any credentials or IP addresses that others can use on your computer to get to your router.
Never let your browser remember the credentials for the router. It’s up to you to remember them and enter them each time. Or use a password-protected password manager.
5. Only Accept Connections From a Specific IP Address
You can bind some routers to accept administrator connections from a single local IP address and to reject connections from anywhere else. If you’re going to do this, use an IP address that is not part of the Dynamic Host Configuration Protocol (DHCP) pool. If your computer loses its IP address lease and is allocated a new IP address — by your router! — you won’t be able to access the router.
6. Use a Robust Wi-Fi Password
Choose a robust Wi-Fi password and use your device’s strongest encryption setting. The newest routers might support Wi-Fi Protected Access 3 (WPA3), but most will be limited to Wi-Fi Protected Access 2 (WPA2).
7. Turn Off WPS
Turn off Wi-Fi Protected Setup (WPS). The premise of WPS was to simplify setting up Wi-Fi and connecting to Wi-Fi networks for non-technical users. It was rarely used and carried a vulnerability that allowed threat actors to compromise Wi-Fi networks.
Patches and fixes were rolled out, but not all models were patched, and not all manufacturers responded to the issue. It is safest to turn it off and use a wired connection for configuration.
8. Turn Off Services You Don’t Use
Routers support all sorts of protocols and connection types. You almost certainly don’t need them, so shut them down. The fewer doors and windows a building has, the harder it is for a burglar to get in. Same with your router. Close all ports and only open the ones you use. The fewer connection types it accepts, the safer you’ll be.
You can turn off services such as Ping, Telnet, Universal Plug and Play (UPnP), Secure Shell (SSH), and Home Network Administration Protocol (HNAP).
9. Don’t Use Cloud-Based Router Management
If your router supports this, turn it off. You don’t want your router to talk to the manufacturer’s cloud. That places another layer between you and the router that you have to trust. You’re going to administer your router locally, so turn this off.
10. Patch Your Router Regularly
You’re used to getting updates for your computer, and your smartphone gets patches and fixes as vulnerabilities are detected and addressed. The exact same process happens with your router, too. It is a manual process with most routers, but some can be set to “phone home” periodically and check for updates.
If you will be doing manual updates, check the manufacturer’s support webpage for your router. Once a month is probably enough.
11. Control Wi-Fi Access
Many routers allow you to configure an allow-list of Media Access Control (MAC) addresses, the device identities that are unique to each networked device, so that only recognized and authorized devices can connect to your Wi-Fi.
Set up a guest Wi-Fi for visitors if your router allows that. That gives visitors Wi-Fi access to the internet without revealing or exposing any other device on your network.
12. Segment Your Network
Some consumer-grade routers have the ability to configure Virtual Local Area Networks (VLANs) inside other networks. For example, you could isolate Internet of Things (IoT) devices from the rest of your network.
IoT devices are notoriously insecure. Many of them violate the most basic security measures, like exposing themselves to the internet with unprotected protocols and unchangeable administrator passwords. Keeping them segregated in their own VLAN is a great way to contain them.
13. Change Your DNS Settings
Change your Domain Name System settings so that they don’t use the default values provided by your ISP.
Well-respected services you can use are:
- OpenDNS: 208.67.220.220 or 208.67.222.222
- Google DNS: 8.8.8.8 or 8.8.4.4
- Cloudflare: 1.1.1.1 or 1.0.0.1
14. Consider Custom Firmware For Your Router
Advanced users might consider completely flushing out the manufacturer’s firmware and replacing it with a free, open-source alternative. Typically, these are based on Linux or Berkeley Software Distribution (BSD) distributions. They can be more secure, more fully featured, and more configurable than the manufacturer’s default firmware, often supporting VPN protocols natively.
Two of the better-known offerings are OpenWRT and DD-WRT, but there are many alternatives available. These community-supported projects often beat the manufacturers in releasing patches and fixes.
Let’s be clear. “Flashing” the firmware requires technical expertise to get right. If you do it to a router within its support cycle, it will void your warranty. And, if the absolute worst happens, you’ll “brick” your device, rendering it totally inoperable. Ensure you know what you are doing before you proceed or seek technical assistance.
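As an added illustration (not part of the original article, and not any project’s shipped default configuration), here is how items 8, 12 and 13 above look when written as OpenWrt UCI configuration: the internet side cannot reach the router or get a ping reply, IoT devices sit in their own zone that can reach the internet but not the rest of the home network, and DNS no longer uses the ISP’s resolvers. It assumes an OpenWrt router whose ‘wan’, ‘lan’ and ‘iot’ (VLAN) networks are already defined in /etc/config/network; the zone and rule names are made up for this example.

```uci
# /etc/config/firewall  (assumed: OpenWrt with 'wan', 'lan' and an 'iot' VLAN network already defined)
config defaults
    option input 'REJECT'
    option output 'ACCEPT'
    option forward 'REJECT'
    option syn_flood '1'

# Items 2 and 8: nothing on the internet side may talk to the router itself (admin UI, SSH, etc.)
config zone
    option name 'wan'
    list network 'wan'
    option input 'REJECT'
    option output 'ACCEPT'
    option forward 'REJECT'
    option masq '1'
    option mtu_fix '1'

# Item 8: replaces the stock OpenWrt 'Allow-Ping' rule so the router does not answer pings from the WAN
config rule
    option name 'Drop-Ping-From-WAN'
    option src 'wan'
    option proto 'icmp'
    option icmp_type 'echo-request'
    option target 'DROP'

# Item 12: IoT devices in their own zone; they may reach the WAN, but no iot->lan forwarding is declared
config zone
    option name 'iot'
    list network 'iot'
    option input 'REJECT'
    option output 'ACCEPT'
    option forward 'REJECT'
config forwarding
    option src 'iot'
    option dest 'wan'

# IoT devices still need DNS and DHCP from the router
config rule
    option name 'Allow-IoT-DNS-DHCP'
    option src 'iot'
    option proto 'udp'
    option dest_port '53 67'
    option target 'ACCEPT'

# /etc/config/dhcp (dnsmasq), item 13: ignore the ISP's resolvers and use Cloudflare instead
config dnsmasq
    option noresolv '1'
    list server '1.1.1.1'
    list server '1.0.0.1'
```

After editing these files on an OpenWrt device, the changes take effect with `/etc/init.d/firewall restart` and `/etc/init.d/dnsmasq restart`.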
The Bottom Line
Your router is the nexus point between you and the outside world — attention in this area is crucial to web safety!
Depending on your network and connectivity needs, the make of the router, the flexibility of the router and firewall settings, and your level of technical comfort, apply as many of these steps as you can and lock down your home from digital attacks.
And snooping from your employers!