How to secure your home WIFI router
December 16, 2021

Follow the steps below to increase the security of your wireless router. Note: consult your router’s instruction manual or contact your ISP for specific instructions on how to change a particular setting on your device.
- Use the strongest encryption protocol available. CISA recommends using the Wi-Fi Protected Access 3 (WPA3) Personal Advanced Encryption Standard (AES) and Temporal Key Integrity Protocol (TKIP), which is currently the most secure router configuration available for home use. It incorporates AES and is capable of using cryptographic keys of 128, 192, and 256 bits. This standard has been approved by the National Institute of Standards and Technology (NIST).
- Change the router’s default administrator password. Change your router’s administrator password to help protect it from an attack using default credentials.
- Change the default service set identifier (SSID). Sometimes referred to as the “network name,” an SSID is a unique name that identifies a particular wireless local area network (WLAN). All wireless devices on a WLAN must use the same SSID to communicate with each other. Because the device’s default SSID typically identifies the manufacturer or the actual device, an attacker can use it to identify the device and exploit any of its known vulnerabilities. Make your SSID unique, and do not tie it to your identity or location, since doing so would make it easier for an attacker to identify your home network.
- Disable Wi-Fi Protected Setup (WPS). WPS provides simplified mechanisms for a wireless device to join a Wi-Fi network without the need to enter the wireless network password. However, a design flaw in the WPS specification for PIN authentication significantly reduces the time required for a cyberattacker to brute force an entire PIN, because it informs them when the first half of the eight-digit PIN is correct. Many routers lack a proper lockout policy after a certain number of failed attempts to guess the PIN, making a brute-force attack much more likely to occur. See Brute Force Attacks Conducted by Cyber Actors.
- Reduce wireless signal strength. Your Wi-Fi signal frequently propagates beyond the perimeter of your home. This extended emission allows eavesdropping by intruders outside your network perimeter. Therefore, carefully consider antenna placement, antenna type, and transmission power levels. By experimenting with your router placement and signal strength levels, you can decrease the transmitting coverage of your Wi-Fi network, thus reducing the risk of compromise. Note: while this reduces your risk, a motivated attacker may still be able to intercept a signal that has limited coverage.
- Turn the network off when not in use. While it may be impractical to turn the Wi-Fi signal off and on frequently, consider disabling it during travel or extended periods when you will not need to be online. Additionally, many routers offer the option to configure a wireless schedule that will automatically disable the Wi-Fi at specified times. When your Wi-Fi is disabled, you prevent outside attackers from being able to exploit your home network.
- Disable Universal Plug and Play (UPnP) when not needed. UPnP is a handy feature that allows networked devices to seamlessly discover and establish communication with each other on the network. However, though the UPnP feature eases initial network configuration, it is also a security risk. Recent large-scale network attacks prove that malware within your network can use UPnP to bypass your router’s firewall, allow attackers to take control of your devices remotely, and spread malware to other devices. You should therefore disable UPnP unless you have a specific need for it.
- Upgrade firmware. Check your router manufacturer’s website to ensure you are running the latest firmware version. Firmware updates enhance product performance, fix flaws, and address security vulnerabilities. Note: some routers have the option to turn on automatic updates.
- Disable remote management. Most routers offer the option to view and modify their settings over the internet. Turn this feature off to guard against unauthorized individuals accessing and changing your router’s configuration.
- Monitor for unknown device connections. Use your router manufacturer’s website to monitor for unauthorized devices joining or attempting to join your network. Also see the manufacturer’s website for tips on how to prevent unauthorized devices from connecting to your network.
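
The WPS item above says that confirming the first half of the eight-digit PIN separately shortens a brute-force search, and that lockout policy matters. The following Python sketch is an added example, not part of the original advisory; it models only the behaviour described there, and the 2-second guess time and the lockout policies are constructed assumptions.

```python
from dataclasses import dataclass

PIN_DIGITS = 8                    # from the advisory: eight-digit PIN
HALF_DIGITS = PIN_DIGITS // 2     # from the advisory: first half confirmed separately


def worst_case_guesses(split_confirmation: bool) -> int:
    """Largest number of guesses needed to cover the whole PIN space."""
    if split_confirmation:
        # Each half is confirmed on its own, so the two halves are searched
        # one after the other: 10^4 + 10^4 guesses.
        return 2 * 10 ** HALF_DIGITS
    # The PIN is accepted or rejected only as a whole: 10^8 guesses.
    return 10 ** PIN_DIGITS


@dataclass(frozen=True)
class LockoutPolicy:
    """Hypothetical policy: refuse PIN attempts for lock_seconds after
    every max_failures failed guesses (max_failures=0 means no lockout)."""
    max_failures: int
    lock_seconds: float


def worst_case_hours(guesses: int, seconds_per_guess: float,
                     policy: LockoutPolicy) -> float:
    """Wall-clock hours to try `guesses` PINs under `policy`."""
    total = guesses * seconds_per_guess
    if policy.max_failures > 0:
        # In the worst case only the final guess succeeds, so every earlier
        # guess is a failure; each full batch of failures costs one lock period.
        total += ((guesses - 1) // policy.max_failures) * policy.lock_seconds
    return total / 3600


def compare(seconds_per_guess: float = 2.0) -> dict:
    """Hours to exhaust the split-confirmation design under three policies."""
    guesses = worst_case_guesses(split_confirmation=True)
    policies = {
        "no lockout": LockoutPolicy(0, 0),
        "3 failures / 60 s": LockoutPolicy(3, 60),
        "10 failures / 1 h": LockoutPolicy(10, 3600),
    }
    return {name: round(worst_case_hours(guesses, seconds_per_guess, p), 1)
            for name, p in policies.items()}


if __name__ == "__main__":
    print("whole-PIN check :", worst_case_guesses(False), "guesses")
    print("per-half check  :", worst_case_guesses(True), "guesses")
    for name, hours in compare().items():
        print(f"{name:>18}: {hours} h")
```

Even the strictest policy in this model only slows the search; with WPS disabled there is no PIN to guess.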