WhySoGeek.

Secure Your Home Router in 2026: A 10-Minute Checklist

Your router is the front door to every device you own. These settings close the gaps attackers exploit most, and most take under ten minutes.

Sam Carter 7 min read

Your router is the single most important security device in your home: it sits between every phone, laptop, TV, and smart bulb and the open internet. Yet most routers run with factory defaults for years, quietly exposing known, automatically exploited vulnerabilities. Here is a practical checklist to lock yours down, starting with the four changes that matter most.

Quick answer

The four changes that matter most take under ten minutes: set a strong, unique admin password (default credentials are published online), switch your Wi-Fi to WPA3, update the firmware, and disable WPS (its 8-digit PIN can be brute-forced in hours). After that, encrypt your DNS, put smart-home gadgets on a separate guest network, and turn off remote management so your admin page is not reachable from the internet. Do the first four today and the rest this week.

Key takeaways

  • The four highest-impact changes (admin password, WPA3, firmware update, and disabling WPS) take under ten minutes and close the gaps attackers probe first.
  • WPS uses an 8-digit PIN that can be brute-forced in hours, so a strong Wi-Fi password does not protect you while WPS is on.
  • Encrypting your DNS stops your ISP and anyone on the path from seeing every domain you visit.
  • Putting IoT devices on a separate guest or VLAN network limits the damage when one of them is inevitably compromised.
  • Turning off remote management keeps your router's login page off the public internet, where botnets scan for it constantly.

The four changes that matter most

If you do nothing else, do these four. They take under ten minutes and close the gaps attackers probe first.

| Change | Why it matters | Time | Priority |
|---|---|---|---|
| Admin password | Default logins are public for every model | 2 min | Critical |
| WPA3 encryption | Resists offline password cracking | 2 min | High |
| Firmware update | Patches actively exploited flaws | 3 min | Critical |
| Disable WPS | 8-digit PIN brute-forced in hours | 1 min | High |
| Encrypt DNS | Hides every domain you visit | 3 min | Medium |
| Segment IoT | Stops a hacked bulb reaching your laptop | 5 min | Medium |
| Disable remote admin | Keeps login page off the public internet | 1 min | High |

1. Change the default admin password

Log into your router's admin panel, usually at 192.168.1.1 or 192.168.0.1 (check the label on the bottom of the unit). Go to the administration or password section and set a strong, unique password of 16 or more characters. Store it in your password manager. Default admin credentials are published online for every model; leaving them in place is an open invitation.

2. Enable WPA3 encryption

In your wireless security settings, switch to WPA3 if your router and devices support it. WPA3, standard on routers made after 2020, uses Simultaneous Authentication of Equals (SAE) instead of WPA2's pre-shared key model, which protects against offline password-guessing attacks and adds forward secrecy. WPA2 is an acceptable fallback if some devices are too old for WPA3. Avoid WEP and the original WPA entirely; they are trivially broken. While you are there, set a strong Wi-Fi passphrase.

3. Update the firmware

Firmware is your router's operating system, and manufacturers ship updates that patch real, actively exploited vulnerabilities. Attackers scan the internet for specific vulnerable firmware versions and exploit them automatically. Check for a firmware update in the admin panel and apply it. If your router supports automatic updates, turn them on.

4. Disable WPS

Wi-Fi Protected Setup (WPS) lets devices join with an 8-digit PIN, and that PIN can be brute-forced in hours, handing over your whole network regardless of how strong your Wi-Fi password is. Most routers still ship with WPS enabled. Turn it off. Some routers have separate toggles for PIN-based and push-button WPS; disable both.

Tip

After any firmware update, log back in and re-check these settings. Updates occasionally reset options to their defaults, quietly re-enabling things like WPS.


Encrypt your DNS

By default, your DNS lookups travel unencrypted, so your ISP (and anyone on the path) can see every domain you visit. Many routers now support encrypted DNS via DNS-over-HTTPS (DoH) or DNS-over-TLS (DoT). Point yours at a privacy-respecting resolver:

  • Cloudflare (1.1.1.1), fast and privacy-focused.
  • Quad9 (9.9.9.9), blocks known malware domains.
  • NextDNS, customizable filtering for ads and trackers.

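Set this once in the router's DNS settings and it applies to every device on the network instantly. You can confirm which resolver your computer is using from a machine on the network. The Server line in the output shows the resolver that answered, which is often the router's own address; on its own it does not prove that the router's upstream lookups are encrypted, so also check the DoH/DoT status in the admin panel.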

# Check which resolver your network is using
nslookup example.com

Segment your smart-home devices

IoT gadgets (smart bulbs, cameras, plugs) are notoriously insecure and rarely patched. Put them on a separate network so a compromised device cannot reach your laptop or banking session. The easy version: enable a guest network with client isolation and connect your IoT devices there. If your router supports VLANs, that is even better. This same isolation also helps with the everyday annoyance of a crowded network. If your devices keep dropping, our guide on Wi-Fi that keeps disconnecting covers band steering and channel fixes.

Turn off remote management

Unless you specifically need it, disable remote administration (sometimes called "remote management" or "WAN access to the admin panel"). This stops anyone on the internet from even reaching your router's login page. Remote management left on is how many home routers get drafted into botnets.

A few more worthwhile steps

  • Disable UPnP if you do not need it. It lets devices silently open ports through your firewall, which malware abuses.
  • Rename your network (SSID) to something that does not reveal your name, address, or router model.
  • Review connected devices periodically in the admin panel and remove anything you do not recognize.
  • Reboot occasionally to clear transient malware that lives only in memory.
  • Enable the router's firewall if it is not already on, and turn off any services you do not use (Telnet, FTP).
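A quick way to re-check part of this list from a computer on your network, for example after a firmware update. This is an added example, not code from the original article; the port numbers are the standard ones for these services, and 192.168.1.1 is only the common default address, so pass your router's address if it differs. It tests from inside your network only, so it cannot tell you whether remote management is reachable from the internet.

```python
import socket
import sys

# Services the checklist says to turn off if unused (standard ports, assumed).
UNWANTED = {21: "FTP", 23: "Telnet"}
# Admin panel ports that are normally reachable from inside the LAN.
EXPECTED = {80: "HTTP admin", 443: "HTTPS admin"}


def port_open(host, port, timeout=1.0):
    """Return True if a TCP connection to host:port succeeds."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # refused, unreachable, or timed out
        return False


def audit_router(host, unwanted=UNWANTED, expected=EXPECTED, timeout=1.0):
    """Return a list of (port, service, status) findings for the router."""
    findings = []
    for port, name in sorted(unwanted.items()):
        is_open = port_open(host, port, timeout)
        findings.append((port, name, "FAIL: disable it" if is_open else "ok: closed"))
    for port, name in sorted(expected.items()):
        is_open = port_open(host, port, timeout)
        findings.append((port, name, "open (normal on LAN)" if is_open else "closed"))
    return findings


def has_failures(findings):
    """True if any service that should be off is accepting connections."""
    return any(status.startswith("FAIL") for _, _, status in findings)


if __name__ == "__main__":
    router = sys.argv[1] if len(sys.argv) > 1 else "192.168.1.1"
    results = audit_router(router)
    for port, name, status in results:
        print(f"{router}:{port:<5} {name:<12} {status}")
    # Non-zero exit code makes the check usable from a scheduled task.
    sys.exit(1 if has_failures(results) else 0)
```

Run it again after every firmware update; a FAIL line means a service the checklist turned off is accepting connections again.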

Strong network hygiene pairs well with strong account hygiene: many attacks that start with a phished login could be stopped by phishing-resistant sign-in, which we cover in our guide to setting up passkeys.

Consider open-source firmware (advanced)

If you are comfortable tinkering, projects like OpenWrt turn a capable router into a security powerhouse with built-in encrypted DNS, VPN, and ad blocking. pfSense (on dedicated hardware) adds a full firewall, VPN, and intrusion detection. These are not for everyone, but they offer control and longevity that stock firmware rarely matches, especially valuable when a manufacturer stops shipping updates for an otherwise working router.

Frequently asked questions

How often should I update my router firmware?

Check at least monthly, and enable automatic updates if your router offers them. Critical vulnerabilities are patched on no fixed schedule, and unpatched routers are scanned and exploited within days of a flaw becoming public. If your manufacturer has stopped issuing updates entirely, it is time to replace the device.

Is WPA2 still safe to use?

WPA2 is acceptable as a fallback for older devices, but WPA3 is meaningfully stronger because it resists offline dictionary attacks and adds forward secrecy. Many routers offer a "WPA2/WPA3 mixed" mode so newer devices use WPA3 while older ones fall back to WPA2, a reasonable compromise.

Do I really need a separate network for smart devices?

Yes, if you can. IoT devices are a common entry point because they are rarely patched. Isolating them on a guest network or VLAN means a compromised camera or bulb cannot pivot to your laptop, phone, or financial accounts. It is one of the highest-value steps after the core four.

What is the single most important setting to change?

Changing the default admin password. Default credentials for nearly every router model are publicly listed, and leaving them in place lets anyone who reaches your admin panel take full control, reconfiguring DNS, opening ports, or installing malicious firmware.

The bottom line

You do not need to be a network engineer to dramatically improve your home security. Change the admin password, enable WPA3, update firmware, kill WPS, encrypt DNS, segment your IoT devices, and disable remote management. Block out ten minutes this week; your router has been waiting.
