Router configuration - easy security and improvements

This article is a list of best practices for home router and WiFi security.
[Page last reviewed 2019-04-13]

1. What you'll need

First, we need to find your router's management webpage and then log in so you can make changes. You'll need to know your router's manufacturer and model, which should be on a sticker.

With that info, find your router's default admin password here: www.routerpasswords.com

Click each of these common links to router admin pages below, or go here for instructions on finding it.

192.168.0.1   |   192.168.1.1    |   192.168.2.1   |   10.10.10.1   |   10.0.0.1

Why is this so complicated and not standardized? Because nerds valorize deleterious individualism.

2. Upgrade firmware

Routers are in fact small computers running Linux, and they have vulnerabilities and bugs like any computer. Fixes for these are called firmware updates. Often, they will also improve performance and resolve WiFi issues, so you always want to be running the latest version. You don't even have to care about security, these updates can improve your signal and speeds. It’s like buying a new one, but free!

Here are links to the support pages of some popular manufacturers. Note that cable modems can only be updated by the cable company.

• D-Link

• Linksys

• Netgear

• TP-Link (note: TP-Link firmware upgrades may reset all settings on the device)

3. WiFi encryption type and password

There have been multiple generations of WiFi security, and for that reason many people's devices are configured with outdated settings. For years, manufacturers set-up routers with the most lenient configuration to try to avoid any possible customer support calls. Unfortunately, as time has gone on this means many people do not have proper protection, using technology that's over 10 years old and broken.

Coming soon is WPA3, but as of the last update of this post, I have no advice regarding it.

• Encryption type: WPA2 Personal + AES (CCMP)

• Password: Make it 12 characters or more. WiFi passwords can be brute-forced over a long period of time and you should rarely have to type it in, so just make a good password that will last you. It doesn’t have to be super-complicated.

4. Change admin password

It sounds ridiculous, but if you leave the default password on your router, in some cases just clicking a link on the Internet can change the router settings. Or, if one of your computers gets infected, some malware tries the most common router passwords to attempt to hijack the web on every computer in your house. Trust me this happens, but most people have no idea because antivirus doesn't scan routers. It's important you change the password!

Because outsiders can't get to the admin page, you do not need a complex password - it just needs to be something you won't lose when you need it.

Once you change the password, write it on a piece of paper and tape it to your router. You should log out of your router when you're not actively administering it.

5. Change DNS to redundant services for IPv4

When you hear about major home Internet outages on the news, it's often because the servers the ISP was using that operate as the "phonebook of the Internet" were attacked, or were down. Related, the major internet attack on October 2016 against Dyn was against DNS. I personally didn't even notice because the services I use mitigated the issue for me.

Or, how about when you type in a website address incorrectly and a search website from your ISP appears? That's actually not supposed to happen, your ISP is hijacking DNS NXDOMAIN to show you ads.

Change your DNS servers to the following to fix both these issues.

• DNS1: 9.9.9.9

• DNS2: 208.67.222.222

• DNS3 (you may not have this option): 8.8.8.8

• DNS4 (you may not have this option): 1.0.0.1

The first is Quad9 which is run by a consortium of security companies, and the second is OpenDNS.

The third is Google, and the fourth is Cloudflare’s alternate IP address with fewer compatibility issues. (Their main is 1.1.1.1 but there are some equipment makers who intercept it)

6. SSID hiding and MAC filtering: Off

• SSID hiding doesn't do anything against hackers, it wastes your time and makes your laptop constantly yell out the name.

• MAC filtering is a network management feature and is not for security.

These settings have uses, but they are not for normal home users. If you're using either, turn them off since they’ll distract you from other security tasks. The only layer of security that works is a strong WiFi password.

7. WiFi Protected Setup: Off (Probably)

Turn this off, probably. "WPS" is a poorly-implemented security nightmare that's sometimes easily exploited. Turn it off unless you have, or plan to have, a WiFi printer that requires it to set up the system.

8. Remote Management: Off

Turn this off. There's no need for teenagers in another country to scan the Internet and find your router's administration page. That would be bad. This should already be off.

9. Change DNS to redundant services for IPv6

If your IPv6 DNS servers fail, your computer will fall back to IPv4, but changing these may be useful to avoid ISP NXDOMAIN hijacking showing you ads. Be aware: Your router may or may not let you change these settings.

• DNS1: 2620:fe::fe (Quad9)

• DNS2: 2620:119:35::35 (OpenDNS)

• DNS3 (you may not have this option): 2001:4860:4860::8888 (Google)

• DNS4 (you may not have this option): 2606:4700:4700::1111 (Cloudflare)

Extra: Guest network

Use for Internet-only devices that don't need local LAN access to other electronics, enable guest isolation.

Extra: Recommended hardware upgrades

If you're still on an ancient router that's not getting security updates, or renting your modem from your cable company for $10 a month, you might be interested in the below recommendations from WireCutter, which is owned by the New York Times. I do not get any revenue from you clicking these links.

Recommended routers: http://thewirecutter.com/reviews/best-wi-fi-router/

Recommended modems: http://thewirecutter.com/reviews/best-cable-modem/

Article changelog:

2019-04-13: Changed DNS1 to Quad9 after 6 months of testing. Blocks malware other resolvers do not.
2018-11-24: Changed DNS3 to Quad9 and DNS4 to Cloudflare. Added mention of WPA3. Added IPv6 DNS.
2017-05-08: Changed Level3 DNS to OpenNIC since L3 is deprecating the feature.
2017-10-16: Moved WPA2-AES recommendation up to Step 3.

About this website