Home Router Security: The 15-Minute Checklist
Your router is the border crossing for everything you do online, and most of them are guarded by a password printed on a sticker, running firmware from years ago, with management features switched on that attackers scan for around the clock. None of the fixes require expertise — they require fifteen minutes and the willingness to log into an admin page you've maybe never seen. Set a timer. Go.
Minute 0–2: Get in the door
☐ Find the router's address: it's the Default Gateway from ipconfig — typically 192.168.1.1 or 192.168.0.1. Open it in a browser.
☐ Log in with the admin credentials from the sticker on the router (or the ISP's documentation). Can't find them and never changed them? Search the model number + "default password" — and let it sink in that anyone else can do the same search.
Minute 2–4: Change the admin password
☐ Administration/System → change the admin password to something long and unique, stored in your password manager. This is the password that controls your entire network's configuration — it deserves better than admin.
☐ While you're in this section: if there's an option for the admin page over HTTPS, enable it.
Why first: malware on any device in your home can reach this page. Router-hijacking that silently swaps your DNS to attacker servers — so every device gets redirected — walks in through this one default credential. I covered what that hijack looks like from the inside in my DNS troubleshooting guide.
Minute 4–6: Firmware
☐ Find the firmware/update section. Check the current version and update if one is offered.
☐ Enable automatic updates if the option exists. This is the single most protective toggle on the device — routers are attacked in bulk through known, already-patched holes.
☐ Note the firmware date. If the newest available firmware is many years old, your router is likely end-of-life: it will never be patched again, no matter what's discovered. Put "replace router" on your list — an unsupported router is a permanent vulnerability with antennas.
Minute 6–9: Wi-Fi encryption done right
☐ Wireless/security settings → set the mode to WPA3, or WPA2/WPA3 transitional if older devices choke on pure WPA3. Never WEP, never WPA(1), never "open."
☐ If only WPA2 is available, ensure it's WPA2-AES (sometimes labeled CCMP) — not TKIP.
☐ Wi-Fi password: long passphrase, different from the admin password. Four random words beats Summer2026!.
☐ Rename the SSID if it still broadcasts the router's brand and model — advertising your exact hardware tells attackers exactly which exploits apply.
Minute 9–11: Kill the convenience features that attackers love
☐ WPS → off. The push-button/PIN pairing feature has a long, sorry vulnerability history (the PIN design is brute-forceable). Nothing you own needs it.
☐ Remote management / management from WAN → off. Your admin page should not be reachable from the internet, full stop. If you need remote access to your network, that's a VPN's job — done properly, the way I described in the RDP guide.
☐ Telnet → off if listed; if you don't use SSH for router admin, that too.
☐ UPnP → consider off. Honest trade-off here: UPnP lets devices open ports through your firewall automatically — convenient for game consoles and some video calling, but it means any compromised gadget can quietly punch holes from the inside. My stance: turn it off, see if anything you care about breaks (you'll know within a week), and forward the specific port manually if something does. If household harmony vetoes that, at least check the UPnP port-mapping table occasionally for entries you can't explain.
Minute 11–14: Build the quarantine wing
☐ Enable the guest network, with its own password, and confirm "client isolation" or "intranet access: deny" is set so guest devices can't reach your main network.
☐ Move every smart device onto it — TVs, plugs, cameras, doorbells, the lot. These are the least-patched, most-compromised devices in any home; a guest network turns a hacked lightbulb from a foothold on your file shares into a hacked lightbulb. (Why that matters, and what else IoT gear deserves, gets a full article of its own.)
☐ Actual guests also go here. Their devices' hygiene is not your project.
Minute 14–15: Two quick verifications
☐ DNS check: in the WAN/Internet settings, the DNS servers should be ones you chose, your ISP's, or blank/automatic — anything else is a red flag worth investigating (see the hijack discussion above).
☐ Client list: skim the attached-devices list. You won't identify everything by name (so much is "ESP_4F2A1B"), but a count wildly above the gadgets you own justifies a deeper look — and changing the Wi-Fi password evicts everyone for a clean re-count.
The standing appointments
Done in fifteen? Two recurring items, and you're genuinely ahead of the curve: check for firmware quarterly if auto-update doesn't exist (calendar reminder — it won't happen otherwise), and re-skim the client list and UPnP table twice a year. And when this router eventually dies or goes EOL: buy the replacement on its update policy, not its antenna count.