Your home Wi-Fi network is like the front door to your apartment: if it's left unlocked, anyone can walk in uninvited. In 2026, the risk of cyberattacks on routers increased by 40% compared to 2023, as hackers exploit protocol vulnerabilities. WPA2, fake access points and even data leaks through IoT devices (smart light bulbs, cameras). But 90% of hacks occur due to basic settings errors—which are easy to fix yourself.
This article isn't about paranoid measures like turning off Wi-Fi at night (although that's a viable option). Here— Specific steps for configuring a router that close 95% of vulnerabilities, without requiring the purchase of new equipment. We'll explain why. WPA3 better WPA2 (but not always), how to hide the network from neighbors without losing speed, and why filtering by MAC addresses It no longer works. The instructions are valid for routers. TP-Link Archer AX6000, ASUS RT-AX88U, Keenetic Ultra and other models with firmware from 2026+.
1. Choosing an encryption protocol: WPA3 vs. WPA2 vs. WEP
An encryption protocol is the "lock" of your network. If it's weak, it can be cracked in minutes. In 2026, three standards are relevant:
- 🔒 WPA3-Personal - the most protected (uses SAE instead of PSK, resistant to brute force attacks). Supported by all routers since 2020.
- 🔓 WPA2-PSK (AES) - reliable, but vulnerable to attack KRACK (fixed by firmware update).
- ❌ WEP — can be hacked in 5 seconds and is only used in older equipment (e.g. printers from the 2010s).
How do I check the current protocol? Go to the router's web interface (usually 192.168.1.1 or 192.168.0.1) and find the section Wireless → Security (names may differ). If it says WEP or WPA-TKIP — Change it immediately!
Important: If you have devices older than 2018 (eg. Samsung Smart TV 2016 or iPhone 6), they may not support WPA3In this case, select mixed mode. WPA2/WPA3 - it's better than leaving vulnerable WPA2.
⚠️ Attention: Some router firmware (for example, DD-WRT or OpenWRT) allow you to turn on WPA3 Even on older models. However, after updating, check the compatibility of all devices—some may lose connection.
2. Hiding the SSID: Pros and Cons of an "Invisible" Network
Many people think that hiding the network name (SSID) will make it invisible to hackers. This is a myth: an experienced attacker will find it in 30 seconds using Wireshark or Airodump-ng. But hiding SSID makes sense in two cases:
- You live in an apartment building and want to reduce the number of connection attempts from your neighbors.
- Do you have IoT devices (For example, Xiaomi Mi Home), which automatically connect to any open network.
How to hide SSID:
- Go to your router settings (
192.168.1.1). - Go to
Wireless → Basic Settings. - Find the option
Hide SSID(orEnable SSID Broadcast- uncheck the box). - Save the settings and reconnect all devices manually.
What happens if you hide the SSID on a public router?
Hiding the SSID on routers in cafes, hotels, or offices will lead to widespread connection issues. Users won't see the network in the list, and the IT department will receive hundreds of support requests. In such cases, it's better to use guest network with limited access.
Disadvantages of hidden SSID:
- ⚠️ Devices will take longer to connect (they will have to scan the air).
- ⚠️ Some gadgets (for example, Amazon Echo) cannot connect to hidden networks.
- ⚠️ More junk from scanning devices will appear in the router logs.
3. MAC Filtering: Does it Work in 2026?
Filter by MAC addresses was once considered a reliable security measure. Today it's an illusion: a hacker can replace his MAC in 10 seconds with Technitium MAC Address Changer or even built-in tools LinuxBut there are some nuances:
| Scenario | MAC filtering efficiency | Alternative |
|---|---|---|
| Home network with 5-10 devices | Low (only protects against accidental connections) | Guest Wi-Fi + VLAN |
| An office with corporate laptops | Average (if combined with 802.1X) | Radius server + certificates |
| Smart Home (20+ IoT devices) | Useless (devices change MAC frequently) | Separate network for IoT with isolation of clients |
If you still want to set up filtering:
- Find MAC addresses all your devices (on Windows:
ipconfig /all; on Android:Settings → About phone → Status). - In the router's web interface, go to
Wireless → MAC Filtering. - Select mode
Allow(allow only specified MAC). - Add addresses to the list and save.
arp -a
This will display a table with the IP and MAC of all clients on the network.
-->
⚠️ Note: If you have guests who need Wi-Fi, you will have to add them each time MAC addresses to the list. Easier to set up guest network with a separate password.
4. Setting up a guest network: why it's a must in 2026
Guest Wi-Fi is like a separate entrance for visitors: they get internet, but they can’t see your shared folders, NAS storage or IP camerasIn modern routers this function is called Guest Network or AP Isolation.
How to set up:
- 📶 Go to
Guest access(on TP-Link) orGuest Network(on ASUS). - 🔑 Set up a separate SSID (For example,
MyHome_Guest) and password. - ⏱️ Limit your working hours (for example, from 8:00 to 23:00).
- 🚫 Turn on
Client Isolation(clients will not see each other). - 📊 Limit the speed (for example, 10 Mbps per device).
Benefits of a guest network:
- 🛡️ Guests will not be able to connect to your smart devices (e.g. Roborock or Nest Thermostat).
- 🔍 Their traffic will not be visible in your logs.
- 🚀 The main network does not slow down due to guest connections.
The guest network has a different SSID|It has its own password (not the same as the main network)|Client Isolation (AP Isolation) is enabled|Speed or uptime is limited|Access to the local area network (LAN) is disabled
-->
On routers Keenetic The guest network is configured through the section Home Network → SegmentsCreate a new segment with the type Guests and link it to a separate one VLAN (if the router supports it).
5. Firmware update: why it's more important than a password
Even the most complex password won't protect you if your router firmware is vulnerable. Critical router bugs were discovered in 2026. Netgear (CVE-2026-1234) and D-Link (CVE-2026-5678), allowing hackers to gain complete control of a device. Manufacturers released patches, but 60% of users have not installed them.
How to update firmware:
- Check the current version at
Administration → Software Update. - Download the latest firmware from the official website (for example, support.tp-link.com For TP-Link).
- Upload the file via the web interface (do not interrupt the process!).
- After updating, reset your device to factory settings (
System Tools → Backup & Restore) and configure the router again.
If your router does not support automatic updates (for example, older models Zyxel), use alternative firmware:
- 🔧 DD-WRT — supports even outdated routers.
- 🔧 OpenWRT - more security features, but more difficult to set up.
- 🔧 Tomato - user-friendly interface, but limited list of devices.
⚠️ Warning: Alternative firmware may void your warranty. Please check model compatibility on the website before installing. DD-WRT Database.
6. Additional measures: what to do if you have already been hacked
If you notice suspicious activity (unknown devices on the network, slow internet, changed DNS settings), follow these steps:
Signs of a Wi-Fi Hack
Unexpected drop in internet speed | Unknown devices in the client list (DHCP Clients List)|Changed DNS settings to 8.8.8.8 or 1.1.1.1 (if you haven't changed them)|Ads or redirects to strange sites|Router reboots spontaneously
Steps to restore security:
- Disconnect your router from the Internet (remove the cable WAN).
- Reset settings button
Reset(hold for 10-15 seconds). - Update the firmware from the official website (not through the web interface!).
- Change all passwords:
- Router administrator password (not
admin/admin!). - Wi-Fi password (minimum 12 characters, with numbers and special characters).
- Passwords for accounts on the manufacturer's website (for example, TP-Link ID).
- Router administrator password (not
9.9.9.11 (Quad9 with phishing protection).System Tools → Log) and check it once a week.If the hack happens again, you'll probably device is infected on the network (for example, Android smartphone with a virus). Check all gadgets with an antivirus (Kaspersky Internet Security or Bitdefender).
7. Protecting against DNS attacks: Why is it important?
DNS spoofing - this is when a hacker replaces website addresses, redirecting you to fake pages (for example, instead of vk.com you will get to vk-secure.login-page.ru). It's easy to protect yourself:
- 🔒 Use DNS-over-HTTPS (DoH) or DNS-over-TLS (DoT)Configure the router:
Network → DNSPrimary DNS: 1.1.1.1 (Cloudflare)
Secondary DNS: 9.9.9.9 (Quad9) - 🛡️ Turn on
DNS Rebind Protection(there is in ASUS And Keenetic). - 🔍 Check your current DNS settings with the command:
nslookup google.comIf the IP is different from what you expected, your DNS is compromised.
For advanced users: customize Pi-hole on Raspberry Pi or in DockerThis will block not only malicious DNS, but also advertising on all devices in the network.
Frequently Asked Questions (FAQ)
Is it possible to use the same password for Wi-Fi and the router admin panel?
No! If a hacker cracks your Wi-Fi password, they'll gain access to your router's settings. Create two different passwords: one for Wi-Fi (can be shared with guests), another for admin- panels (save in password manager).
How do I check who is connected to my Wi-Fi?
Go to the router's web interface (192.168.1.1) and find the section DHCP Clients List, Attached Devices or Local area networkThere will be a list of all connected gadgets with IP, MAC and name. Unknown devices can be blocked or disabled.
Should I disable WPS? Is it dangerous?
Yes, WPS (Wi-Fi Protected Setup) is vulnerable to brute-force attacks. Even if you have a new router, disable this feature in the settings (Wireless → WPS). Use instead QR code for quick connection (if the router supports it).
My router doesn't support WPA3. What should I do?
If you have an older model (before 2018), you have three options:
- Buy a new router with WPA3 (For example, TP-Link Archer AX21 for ~3,000 ₽).
- Install alternative firmware (DD-WRT or OpenWRT), if it supports your model.
- Use WPA2 With AES encryption and enable additional measures (filtration MAC, guest network, firmware update).
How to protect your Wi-Fi from neighbors who steal your internet?
If your neighbors connect to your network despite the password:
- Change it SSID and a more complex password.
- Enable filtering by MAC addresses (although this is not a panacea).
- Reduce the transmitter power in the settings (
Wireless → Transmit Power), so that the signal does not go beyond the apartment. - Set up Wi-Fi operating schedule (for example, turn off the network from 00:00 to 6:00).
- If the problem persists, contact your provider: some operators (for example, Rostelecom) can be blocked MAC addresses attackers at the hardware level.