First published: 03 May 2020
Last updated: 29 Oct 2024

Content written for

Individuals & families
Small & medium business

A home Wi-Fi router is a small electronic box that creates an internet-connected network for the devices in your home. You may refer to your router as the "modem", the "Wi-Fi" or just as the "internet". Here we refer to the device simply as a “router”.

Why you should secure your Wi-Fi and router

Internet - Modem/Router - Wired connected devices - Wireless connected devices

Many home and small office environments use a router. Routers serve as a gateway between the internet and your private digital space. Implementing security precautions is crucial in safeguarding this space, making it harder for threats to compromise your network and data. Just as you would not leave your house with all the doors wide open, you should not leave your router unprotected.

An insecure router is susceptible to exploitation by cybercriminals and, due to the prevalence of wireless networking, a physical connection is not necessary for them to gain access. If cybercriminals gain access to your router it may allow them to infiltrate other devices, using your compromised systems to launch further malicious attacks. Taking simple steps to secure your router will help to prevent you, your family, your business and others from falling victim to these criminals.

Case study: Botnet threats to home and small office routers

A botnet is a collection of devices infected by malware and remotely controlled by an actor without the owners’ knowledge. If your router is part of a botnet, you could think of it like a criminal using your phone line to make calls without your knowledge.

Research undertaken by the Australian Signals Directorate (ASD) found home and small office routers are targeted for botnet recruitment. Across Australia, there are approximately 8.3 million residential internet connections relying on home and small office routers. Home and small office routers are often set up then forgotten. The ‘set and forget’ attitude that many people take towards these routers can leave vulnerabilities unaddressed, making them an attractive target for cybercriminals. For example, in 2023 a botnet was discovered to contain tens of thousands of devices including home and small office routers. These routers were compromised and conscripted to the botnet by exploiting vulnerabilities present in their outdated firmware from 2015.

Keep reading to find out how to protect your router from threats like botnets.

Improve your router’s security – essential steps

The following is a list of essential steps to evaluate and enhance your router’s security.

If you have already followed the steps below to improve your router’s security, jump ahead to our six-monthly router health check.
 


Before you begin

To implement the guidance on this page you will need to connect to your router’s network then log in to your router’s settings. You will use two different sets of credentials to do this.

  1. Connect your phone or computer to your router by joining your router’s Wi-Fi network or establishing a physical cable connection. To join your router’s Wi-Fi network, open your phone or computer’s Wi-Fi settings, select the name of your Wi-Fi network (also known as an SSID) and enter your Wi-Fi password. You may have chosen a custom SSID and password when you set up your router or you may be using your router’s default SSID and password. The default SSID and password can usually be found on a sticker on your router or in its user manual.
  2. Open a web browser.
  3. Type your router’s IP address into the address bar. You can typically find your router’s IP address on a sticker on your router, or in its user manual. It is usually a group of numbers, like 192.168.0.1 or 10.0.0.1.
  4. Enter your router’s username and password when prompted. You can usually find your router’s default username and password on a sticker on the device or in its user manual. The username and password you use to log in to your router are different to the SSID and password you use to connect to Wi-Fi.
  5. Select login to access your router’s settings.

If you have forgotten your username or password

If you have forgotten your username or password, check your router’s manual for recovery advice. Routers can often be reset to restore their default credentials. If you restore your router’s default credentials, after you log in to your router, follow the steps below to change its default credentials.

It is important that you change the default username and password that you use to log in to your router and access its settings. Your router’s default username and password may be published online for anyone to see.

To change the default username and password that you use to log in to your router:

  1. Complete the steps in the “before you begin” section above to access your router’s settings. In your router’s settings, navigate to the router’s username and password page. The location of this page will vary between routers; it is often labelled “admin settings” or “account management”. You may need to check your user manual for detailed instructions.
  2. Locate the router username.
  3. Change the router username from the default.
  4. Locate the router password.
  5. Change the router password from the default. ASD’s ACSC has published guidance on using password managers or passphrases to set strong passwords.
  6. Save the changes.
  7. Verify that the settings have taken effect by logging out of your router and logging in again with your new username and password.

Note: this section addresses the username and password you use to log in to your router and access its settings. A different section below outlines how to change the SSID and password you use to connect to Wi-Fi.

Remote management allows you to change your router’s settings by logging into your router from outside your home.

Consider disabling remote management in your router’s settings. One of the most common ways that routers are compromised is through their remote management features. Routers use several protocols for remote management. Disable any of the following protocols you see in your router’s settings:

  • Telnet
  • SSH
  • SNMP

This includes disabling, if available on your router, the wide area network (WAN) accessible management interface.

Your router requires regular firmware updates, just like your phone and computer. These updates fix security issues and sometimes offer new features.

Some routers update automatically. You can check if your router updates automatically by searching your router model on the manufacturer’s website or checking the user manual. If your router updates automatically you can skip this section.

There are two common processes to update routers. Both processes are outlined below. Before you begin, check if there are any important steps that are specific to your router in its user manual. To update your router:

Router update process – via router settings

  1. Complete the steps in the “before you begin” section above to access your router’s settings. In your router’s settings, locate your router’s current firmware version and make a note of it.
  2. Navigate through your router’s settings to the firmware settings or update page. The location of this page will vary between routers.
  3. Follow the prompts on the firmware settings or update page to check for and then install an update, if available.
  4. Leave your router on as it downloads and installs the update. Your router will typically automatically restart at the end of this process. If it does not automatically restart, wait until the update is completed then manually restart it.
  5. Log in to your router again and compare your current firmware version against the one you noted in step one. If your router updated successfully, the current version number will be different.

Router update process – manual

  1. Navigate to the router manufacturer’s website. Ensure you only download update files from the manufacturer’s official website. Do not trust update files you find on third-party websites.
  2. Search for your router’s model number.
  3. Find the latest firmware update file for your router. Updates can often be found under a “support” or “downloads” heading.
  4. If a firmware update is available for your router, download it.
  5. Log in to your router (see the steps in the “before you begin” section). Navigate to the firmware settings or update page.
  6. Upload the firmware update file you downloaded in step four.
  7. Follow the prompts to start the update process.
  8. Leave your router on as it downloads and installs the update. Your router will typically automatically restart at the end of this process. If it does not automatically restart, wait until the update is completed then manually restart it.
  9. Log in to your router again and navigate back to the firmware settings or update page. If your router updated successfully, the version number will match the one you downloaded in step four.

Please note: There are risks to updating routers. Be careful when installing a router update as a failed update can render your device unusable. Make sure you follow the instructions in your router’s user manual. Do not disconnect the power, unplug any cables or press the reset button during the update.

Check for updates periodically

Some router manufacturers will alert you if an update for your router is available. Check if you can subscribe to alerts from your router manufacturer.

Set a recurring calendar reminder to undertake the router health check below, every 6 months. The router health check includes a prompt to check for router updates.

Routers that no longer receive updates

If your router is old and does not receive updates, it should be considered ‘end of life’ (EOL). Refer to the ‘Replace EOL routers’ section below for EOL router advice.

For more information on updating your device and software, read our Protect Yourself: Updates guide.

Change your default Wi-Fi network name and password

Your Wi-Fi network name and password are what you use to connect your devices to your Wi-Fi network and access the internet. The Wi-Fi network name is often referred to as an SSID.

Someone can use your router’s default Wi-Fi network name to determine the make and model of your router. They can then use this information to attempt to gain access to your router.

To change your default Wi-Fi network name and password:

  1. Complete the steps in the “before you begin” section above to access your router’s settings. Navigate to the Wi-Fi settings page.
  2. Locate the network name. This may be referred to as the “SSID” or “Wi-Fi name”.
  3. Change the network name from the default option. Make sure you do not include any personal information in the new name.
  4. Locate the Wi-Fi password.
  5. Change the Wi-Fi password from the default option. Change it to a long, unique password. If your Wi-Fi network password is weak, it can be trivial for cybercriminals to break. ASD’s ACSC has published guidance on using password managers or passphrases to set strong passwords.
  6. Save the changes.
  7. Verify that your changes have taken effect by reconnecting your phone or computer to the Wi-Fi network using your new credentials. Note that, after you change your Wi-Fi network name and password, you will need to reconnect all your devices to the network using your new credentials.

Your router may have multiple Wi-Fi networks. For example, many routers have separate networks labelled “2.4 GHz” and “5 GHz”. These labels refer to the wireless frequencies of the network. Follow the steps above for every Wi-Fi network you use and disable any Wi-Fi networks you don’t use.

Default Wi-Fi network name:
NetFirst3524

Default Wi-Fi network password:
567448SG

New Wi-Fi network name: *
Tell my Wi-Fi hate pineapple on pizza

New Wi-Fi network password: *
red house sky train

* Example only, set a unique Wi-Fi network name and password.

Check what devices are connected to your Wi-Fi network. You can review connected devices in your router’s settings. If you see any unknown connections during this review, follow the “Change your default Wi-Fi network name and password” advice above. Authorised devices can be re-connected with the new credentials while any unauthorised connections will be severed.

Some of the devices on your network might have names that are difficult to recognise. This is particularly common for ‘internet of things’ devices like smart speakers. Consider renaming devices on your network to make them easier to identify as you review connected devices.

Replace EOL routers

Manufacturers provide security updates for home routers for a limited time, usually 3 to 5 years. When routers no longer receive security updates, they are referred to as EOL.

Once a router reaches EOL, it should be replaced as a priority. EOL routers are particularly vulnerable to exploitation because they are no longer protected with security updates. The use of EOL routers was one of the root causes of compromise in the case study above.

To determine if your router has reached its EOL, start by identifying your router’s model number. This is commonly found on a sticker on the device or in its manual. Once you have found your router’s model number, use it to search for an EOL date on the router manufacturer’s website. Alternatively, reach out directly to your manufacturer’s support team for assistance.

You could also see when a firmware update or security patch was last issued for your router. If one has not been issued in more than 12 months, it is likely your router is EOL.

Replace EOL routers as a priority. If you need to replace your router, make sure you choose a replacement that supports automatic updates. Automatic updates play a huge role in securing home and small office routers. Consult with your internet service provider for further advice on compatible replacements.

If you are going on holiday, switch off your router.

Most routers will have a power off button on the top or back of the device. Alternatively, you can power off the device via the wall outlet. Implementing this security precaution prevents unauthorised access in your absence.

Before turning off your router, consider any network dependencies in your home, such as smart security cameras.

Consider enabling the ‘guest’ Wi-Fi feature in your router’s settings.

Placing visitors and untrusted devices on your guest network is a more secure way to provide them with internet access. It provides some separation between untrusted devices and your main network. Guest Wi-Fi is configured with its own, unique, Wi-Fi network name (SSID) and password.

If guests require access to network-connected devices, such as your smart TV, they will need to join the same network that is used by those devices.

Improve your router’s security – advanced steps

If you have implemented the steps above, your router will be considerably more secure. The following list outlines advanced steps you can take to further enhance your router’s security.

Encryption is what protects your activity and information as it travels over Wi-Fi. Outdated encryption algorithms, such as Wireless Encryption Protocol (WEP), or unencrypted Wi-Fi may make it possible for anyone within range of your router to see your activity.

Check the Wi-Fi encryption protocol used by your router. You can view and change your Wi-Fi encryption protocol in your router’s settings.

Set your Wi-Fi encryption protocol to WPA3.

If you encounter issues connecting devices to Wi-Fi with WPA3 enabled, the devices may lack WPA3 compatibility. In this case, set your Wi-Fi encryption protocol to WPA3 transition mode.

If neither WPA3 nor WPA3 transition mode is available, set it to WPA2 (this is sometimes called WPA2-Personal or WPA2-PSK).

If your router does not support WPA2 (as a minimum), consider replacing it.

Disabling insecure and unused services can increase your protection against remote attackers by reducing your router’s potential attack surface. This step follows the principle of least privilege, a cyber-security principle where users and devices are provided with the minimum level of access needed to perform their function. The following non-exhaustive list includes services you should disable, unless required.

Universal plug and play

Universal Plug and Play (UPnP) allows devices on your network to discover and communicate with each other over Wi-Fi and the internet.

Many smart devices such as lighting, speakers and security cameras rely on UPnP. UPnP allows you to connect and control them. Some PC and console games also rely on UPnP to connect online.

UPnP has been identified as a potential security risk due to reports of malware strains leveraging UPnP to compromise routers. Consider disabling UPnP, if you don’t use it.

Consider the devices in your home or business before disabling UPnP in your router's settings. Manual configuration may be required to allow some devices to continue communicating.

File Transfer Protocol

File Transfer Protocol (FTP) is used to transfer files between your router and computer. This transfer of data is not encrypted and is not required in most business and personal use cases.

You can check if FTP is enabled on your router in the router's settings. If FTP is enabled on your router and you don’t need it, disable it via your router’s settings.

Wi-Fi protected setup

Wi-Fi Protected Setup (WPS) was designed to make it easier to connect devices to Wi-Fi via a PIN. However, the PIN is susceptible to brute force attacks (a technique where every combination is trialled until an attempt is successful). Since the WPS feature is designed as a convenience and isn’t a necessary function, it is recommended to disable WPS.

You can check if WPS is enabled in your router’s settings. If WPS is enabled on your router and you do not need it, disable it via your router’s settings.

Port forwarding

Port forwarding is a setting on your router that directs external internet traffic to devices on your network. This service is typically not needed in home and small office networks. It is recommended to disable port forwarding on your router if it is not required, to reduce your attack surface.

You can check if port forwarding is enabled in your router’s settings. If port forwarding is enabled on your router and you don’t need it, disable it via your router’s settings.
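One way to verify from a computer on your own network that Telnet, SSH and FTP really are switched off after you change the settings, as an added example that is not part of the original guidance. It tries a TCP connection to the router on each service's standard port; SNMP and UPnP use UDP and are not covered, and the function names and the `required` parameter are assumptions of this example.

```python
import socket
import sys

# Standard TCP ports for services this page says to disable unless required.
# SNMP and UPnP discovery run over UDP, so a TCP connect check cannot see them.
SERVICES = {"Telnet": 23, "SSH": 22, "FTP": 21}


def probe(host, port, timeout=1.0):
    """Classify one TCP port as 'open', 'closed' or 'no-response'."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"         # handshake completed: the service is listening
    except ConnectionRefusedError:
        return "closed"           # connection refused: nothing is listening
    except OSError:
        return "no-response"      # timed out or unreachable, e.g. firewalled


def audit(host, services=SERVICES, timeout=1.0):
    """Probe every named service and return {name: state}."""
    return {name: probe(host, port, timeout) for name, port in services.items()}


def still_enabled(results, required=()):
    """Names of services that answered and that you have not marked as required."""
    return sorted(name for name, state in results.items()
                  if state == "open" and name not in required)


if __name__ == "__main__":
    # Pass your router's IP address; 192.168.0.1 is only a common default.
    router = sys.argv[1] if len(sys.argv) > 1 else "192.168.0.1"
    results = audit(router)
    for name, state in results.items():
        print(f"{name:<7} tcp/{SERVICES[name]:<3} {state}")
    leftover = still_enabled(results)
    if leftover:
        print("Still enabled, disable in router settings:", ", ".join(leftover))
        sys.exit(1)
    print("None of the checked services answered.")
```

A result of "no-response" means the connection attempt was neither accepted nor refused, so confirm that service's state in the router's settings page.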

Physical router security is often overlooked in home and small office environments. Implementing physical router security practices, particularly for businesses, will help prevent unauthorised access, router tampering, theft or damage. Use the following questions to help assess your router’s physical security:

  • Is your router in a secure location?
  • Who has access to your router?
  • Is your router visible to others? For example, is it on a shelf where customers can see it as they walk past?
  • Is everything that is plugged into your router yours, and does it serve a necessary purpose?

Router health check

The ASD’s ACSC recommends conducting a router health check, at least every 6 months. Put a recurring reminder in your calendar so you do not forget. At every health check, the following, at minimum, should be performed:

  1. Ensure your router has not reached its end of life date.
    Check if your router has reached its end of life. You can usually find this by searching your router model on your router manufacturer’s website. If your router has reached its end of life, replace it as a priority. If possible, replace it with a router that supports automatic firmware updates.
  2. Check for firmware updates.
    Routers require firmware updates to fix security issues and offer new features. Check if an update is available for your router. If your router has automatic firmware updates enabled, you can skip this step.
  3. Check connected devices.
    Ensure only authorised devices are connected to your Wi-Fi networks. If devices you don’t recognise are connected to your Wi-Fi, change your Wi-Fi network name and password to remove them.
  4. Reboot your router.
    Turn your router off at the power point and wait a few seconds before turning it on again. Rebooting your router will terminate active processes, eliminating anything malicious sitting in temporary storage.