Skip to main content
LiMP VPN
All posts

How to Secure Your Home Router: Wi-Fi Settings for 2026

How to Secure Your Home Router: Wi-Fi Settings for 2026

In short: your router is the front door to your entire home network, and factory settings are almost never safe. The essentials that close most risks: change the admin password (not the same as your Wi-Fi password), enable WPA3 or WPA2/WPA3 encryption, update the firmware, disable WPS and remote management, and create a separate guest network for visitors and smart gadgets. All of it lives in the router's web panel, takes 15–20 minutes and needs no special skills. A VPN adds one more layer of protection beyond the router — on the road and on other people's Wi-Fi.

Why the router is the weakest point of your home network

Every bit of your traffic passes through the router: banking apps, work email, smart speakers, cameras, kids' tablets. If an attacker takes over the router, they can see which sites your devices talk to, swap the DNS to send you to fake pages, intercept unencrypted data, or make your home network part of a botnet.

The catch is that routers aren't hacked one by one — it's automated. Bots scan the internet for devices with factory passwords, open remote access and outdated firmware with known holes. You don't need to be an interesting target; the router just has to answer to a default login/password pair. That's why basic hardening matters more than any exotic measure: it moves you out of the easy-automatic-victim category.

The good news: almost every risk is closed by built-in settings your router already has. Below is the order of actions, from most important to optional.

Step 1. Change the router's admin password

Don't confuse two different passwords here. The first is the Wi-Fi password you type on your phone to join the network. The second is the admin password that opens the router's control panel (usually at an address like 192.168.0.1 or 192.168.1.1). It's the second one that most often stays at the factory value: "admin/admin", "admin/password" or blank.

As long as the admin password is default, anyone on your network — a neighbour who guessed your Wi-Fi, a guest, an infected device — can open the settings and rewrite the whole configuration: change DNS, open ports, turn off encryption. Set a long, unique admin password that is different from your Wi-Fi password. The easiest way to keep it is in a password manager, so you don't have to memorise it or stick it on a note.

While you're there, change the Wi-Fi password too if it's still the factory one or too short: a long passphrase of several words is stronger than a short jumble of characters and easier to remember.

Step 2. Turn on WPA3 encryption (or WPA2/WPA3)

The encryption standard decides how hard it is for an outsider to eavesdrop on your Wi-Fi or crack the password. Standards have replaced one another over the years, and the old ones are long unsafe. In your wireless settings find "Security Mode" (Authentication) and pick the newest option available.

StandardYearStrengthWhat to do
WEP1999Cracked in minutes, obsoleteNever use
WPA / WPA-TKIP2003Outdated, known vulnerabilitiesDon't use
WPA2-AES2004Still acceptable, but vulnerable to offline password crackingOK as a fallback
WPA3 / WPA3-SAE2018Modern standard: blocks offline password crackingChoose if supported

WPA3 uses a mechanism called SAE (Simultaneous Authentication of Equals) that stops an attacker from capturing the "handshake" and brute-forcing the password on their own machine — which is exactly how WPA2 was broken. If your router and devices were made after 2019–2020, you most likely already have WPA3.

One practical note: older devices (a smart bulb, a cheap tablet, an old laptop) may not understand WPA3 and drop off the network. That's what the transitional WPA2/WPA3 mode (Mixed) is for: new devices get full WPA3, old ones fall back to WPA2. If all your devices are modern, choose pure WPA3 — it's stricter.

Step 3. Update the router firmware

Firmware is the router's operating system. Like any software, it has vulnerabilities, and the manufacturer ships updates that patch them. The trouble is that most people set up a router once and never open it again — and outdated firmware with a publicly known hole is one of the most common ways home networks get hacked remotely.

Open the web panel, find a section like "Firmware Update" or "Administration" and check for updates. Many modern routers can update automatically — if that option exists, turn it on. If the router is very old and the manufacturer stopped releasing updates long ago, that's a reason to consider replacing it: without patches it will keep piling up vulnerabilities.

Step 4. Disable WPS and remote management

Two features create extra doors you almost certainly never use.

WPS (Wi-Fi Protected Setup) is a simplified way to join a network with an eight-digit PIN or a button. The problem is the PIN: it can be brute-forced, and because of how it's verified the attack takes not years but a very manageable amount of time. Find WPS in the wireless settings and turn it off — connecting new devices with the normal password is no harder.

Remote management (Remote Access) lets you reach the router panel from the internet, not just from your home network. Ordinary users don't need this, but bots love it: open remote access plus a weak password gives full control of the device. Make sure remote management is off; you can still administer the router from home over cable or Wi-Fi.

Step 5. Set up a guest network and isolate smart devices

A guest network is a separate Wi-Fi with its own name and password, isolated from your main network. Devices on it can't see your laptop, network drive or other home gadgets. Two benefits at once.

  • You give guests the guest-network password rather than your main one — internet access is enough for them, and your devices stay out of reach.
  • The guest (or a separate) network is a great place for smart devices — bulbs, plugs, speakers, cameras. Cheap IoT gear often gets security updates rarely or never, so isolating it lowers the risk: even if such a device is hacked, it won't become a bridge to your main computer and phone.

How to properly separate the smart home from your working devices, and what to look for when buying gadgets, we covered in the article on what a VPN protects against.

Step 6. Check DNS and stray settings

DNS is the service that turns site addresses into IPs. If an attacker swaps the DNS in your router, they can quietly redirect you to fake bank and service pages. Look into the WAN/DNS settings and make sure the entries there are your provider's or a well-known public DNS, not something unfamiliar. A swapped DNS is one sign of a compromised router; how to check where your requests actually go is described in the piece on testing and fixing DNS leaks.

While you're at it, turn off what you don't use: port forwarding without a clear need, UPnP (which automatically opens ports on apps' request) and DMZ mode. Each of these, if set carelessly, exposes a device to the outside.

The role of a VPN: protection beyond the router

A well-configured router protects your network inside the home. But the moment you step outside — a café, an airport, a hotel — you land in someone else's networks, where router security was handled by someone else (or not at all). This is where a VPN works: it encrypts your traffic between the device and the server, so even on a hacked or fake network an outsider sees only an encrypted stream, not your passwords and messages. Why a rogue network is dangerous and how it can hijack your session is explained in our article on man-in-the-middle attacks.

A VPN and router hardening solve different problems and complement each other well: the router secures your home perimeter, the VPN protects you on the road and on any foreign network. Advanced users install a VPN right on the router to encrypt traffic from all home devices at once, including those with no VPN client of their own (TVs, consoles). If you want to protect your phone, your laptop and the whole trip with one service, take a look at LiMP VPN pricing — it works on iOS and Android with no complex setup.

Checklist: securing your router

Work through the points top to bottom — it takes about 15–20 minutes and closes most of the risk.

  • Open the router's web panel and change the admin password to a long, unique one (different from the Wi-Fi password).
  • Set a strong Wi-Fi password — a long passphrase of several words works best.
  • Enable WPA3, or the transitional WPA2/WPA3 mode.
  • Check for and install a firmware update; turn on auto-update if available.
  • Disable WPS.
  • Disable remote management of the router from the internet.
  • Create a guest network and move guests and smart devices into it.
  • Check DNS settings and turn off unneeded UPnP, DMZ and port forwarding.
  • For protection outside the home, install a VPN on your devices or on the router itself.

Frequently asked questions

How often should I check my router settings?

Every few months, open the panel and check for firmware updates — and always after a factory reset of the router, since a reset returns passwords and the encryption mode to their unsafe defaults.

Should I hide my network name (SSID)?

Hiding the network name gives more of an illusion of security: dedicated tools still detect such networks, while connecting your own devices becomes more awkward. A strong password and WPA3 matter far more than a hidden SSID.

What is MAC address filtering and is it worth enabling?

It restricts access by device "fingerprints". For an ordinary home it's not very effective: a MAC address is easy to spoof, and you'll have to add each new gadget by hand. Spend the time on the admin password, WPA3 and firmware updates instead.

Can I trust my ISP's router?

A rented ISP router is set up the same way as one you bought: still change the admin password, check the encryption mode and disable WPS. If the ISP locks part of the settings, it makes sense to put your own router behind their device.

Does a VPN help if the router is already hacked?

A VPN encrypts traffic from your device, so the contents of the connection can't be eavesdropped through a compromised router. But a VPN doesn't cure the router itself: if it's hacked, the attacker can still disrupt the connection and attack other devices on the network. The router still needs fixing — reset it, update the firmware and reconfigure it from the checklist.

Do I have to buy a new router just for WPA3?

Only if your current router is so old that it doesn't support WPA3 and no longer gets firmware updates — that device is worth replacing. But if WPA3, or at least WPA2 with current firmware, is available, you don't need to buy anything; just configure the existing router properly.

How to Secure Your Home Router: Wi-Fi Settings for 2026 | LiMP VPN