Home Wi-Fi networks have become an integral part of life: personal data, banking transactions, smart devices, and even video surveillance systems pass through them. However, most users still use their routers' factory settings, leaving their networks vulnerable to attacks. According to KasperskyIn 2026, 68% of home network hacks were due to weak passwords and outdated encryption protocols.
This article is not about abstract "safety tips", but about concrete actions, which cover 95% of vulnerabilities. We'll cover how to choose the right encryption, why WPA3 is better than WPA2 (and when it's not enough), how to block unauthorized devices by MAC addresses, and why updating your router firmware is more critical than installing antivirus software on your computer. And also— We'll reveal a little-known guest network trick that protects your main network even if your password is leaked..
1. Change the factory administrator login and password
The first thing hackers check is standard combinations admin/admin or admin/password. Router manufacturers (TP-Link, ASUS, Keenetic) still supply devices with default credentials that are easily googled.
How to change:
- 🔧 Go to your router's control panel (usually
192.168.0.1or192.168.1.1). - 🔐 Find a section
System Preferences → Device Management(name varies). - 🆔 Create a strong password (at least 12 characters, including numbers, letters, and special characters). Example:
V7#pL9!kR2@qN. - 📝 Save the new data in a password manager (1Password, Bitwarden).
⚠️ Important: If your router supports two-factor authentication (2FA), enable it. Even if your password is leaked, an attacker won't be able to log in without the code sent via SMS or an authenticator app.
Don't use the same password for your router and Wi-Fi network! Hackers often use automated scripts to check such combinations.
2. Choose the right encryption protocol: WPA3 vs. WPA2
The encryption protocol determines how difficult it is to guess your network password. As of 2026, the following are relevant:
| Protocol | Security level | Speed of work | Supported devices |
|---|---|---|---|
| WPA3 | ⭐⭐⭐⭐⭐ | High | Devices after 2019 |
| WPA2 (AES) | ⭐⭐⭐⭐ | Average | All devices |
| WPA2 (TKIP) | ⭐⭐ | Low | Outdated gadgets |
| WEP | ⭐ (hacked in minutes) | Very low | Devices before 2006 |
How to set up:
- In the router panel, find
Wireless Network → Security Settings. - Select WPA3-Personal (or WPA2/WPA3 Transition Mode, if you have old devices).
- In the "Version" field, specify
AES(not TKIP!). - Create a password of length 15+ characters (example:
BlueSky$2026_WiFi#Secure).
⚠️ Note: If your router does not support WPA3, please update your firmware or consider purchasing a newer model (e.g. ASUS RT-AX88U or TP-Link Archer AX6000).
3. Disable WPS: Why it's more dangerous than it seems
WPS (Wi-Fi Protected Setup) — a feature for quickly connecting devices using a PIN code. The problem is that an 8-digit PIN can be cracked in a few hours, even on a low-end computer.
How to disable WPS:
- 🔌 In the router panel, find the section
WPSorQSS(at TP-Link). - 🚫 Move the slider to the position
Disabled. - 🔄 Save the settings and reboot the router.
If you need WPS to connect a printer or an old TV, use an alternative:
An alternative to WPS for older devices
Use temporary access by MAC address:
1. Find the MAC address of the device (usually found on a sticker or in the network settings).
2. In the router, add it to the list of allowed (MAC Filter → Allow).
3. Turn on the network for 10 minutes, connect the device, then turn off the filter.
Even if you don't actively use WPS, it may be enabled by default. Check this in the settings!
4. Hiding SSID: Myths and Real Benefits
Many people believe that hiding the network name (SSID) makes it invisible to hackers. This is not true: an experienced attacker can find the network in seconds using Wireshark or Airodump-ngHowever, hiding the SSID makes life difficult for random "freeloading neighbors."
How to hide SSID:
- Go to
Wi-Fi Settings → Basic Settings. - Find the option
Hide SSID(orBroadcast SSID) and turn it off. - Save the changes.
Now, to connect new devices, you'll have to manually enter the network name. This isn't a panacea, but it does reduce the number of connection attempts.
5. MAC Address Filtering: Pros and Cons
Filter by MAC addresses Allows only authorized devices to connect to the network. This is an effective method, but requires manual control.
How to set up:
- Find the MAC addresses of all your devices (in the network settings or on a sticker).
- In the router panel, go to
Wireless Network → MAC Filter. - Select mode
Allow only specified. - Add addresses to the list (example:
00:1A:2B:3C:4D:5E).
Disadvantages of the method:
- ❌ New devices will not be able to connect without being added to the list.
- ❌ MAC addresses can be spoofed.
- ❌ Does not protect against protocol-level attacks (e.g. KRACK).
Use filtering as an additional layer of protection, not as a primary method.
6. Updating your router firmware: why it's critical
Manufacturers regularly release updates to patch vulnerabilities. For example, in 2026, a critical vulnerability was discovered in routers. Netgear And D-Link, allowing remote code execution. A firmware update fixed it with one click.
How to update firmware:
Download the latest version from the manufacturer's official website|
Check the current version in System Preferences → System Information|
Make a backup copy of your settings (Administration → Backup)|
Download firmware file via Administration → Software Update|
Do not turn off the router's power during the update!
-->
If automatic updates are not available, check for new versions manually every 2-3 months.
⚠️ Attention: Some routers (especially budget models) Tenda or Mercusys) may become bricked during the update. If your model is older than 5 years, check forum reviews before updating.
7. Guest Network: How to Isolate Untrusted Devices
A guest network creates a separate access zone with limited permissions. Even if a guest (or a compromised device) connects to it, they won't be able to access your files, printers, or smart speakers.
How to set up:
- 🌐 Find it in your router's control panel
Guest network(orAdditional SSID). - 🔒 Specify a separate network name (e.g.
MyHome_Guest). - 🔑 Set a password (it can be simpler than for the main network).
- 🚫 Disable local network access (
Isolate guests). - ⏱️ Set a time limit (for example, from 9:00 to 22:00).
Benefits of a guest network:
- 🛡️ Isolation from the main network.
- 📶 Speed limit for guests.
- 🕒 Automatic shutdown according to schedule.
Use a guest network for smart devices (lamps, sockets, cameras), which often become entry points for attacks.
8. Additional measures: VPN, firewall, and monitoring
For maximum protection, consider:
- 🔗 VPN on a router: Encrypts all traffic (configuration via
OpenVPNorWireGuard). Suitable for ASUS, Keenetic and routers with DD-WRT. - 🛡️ Firewall: Blocks suspicious connections (enabled in
Security → Firewall). - 📊 Device monitoring: Apps like Fing or GlassWire show who is connected to the network in real time.
- 🔄 Changing your password regularly: Change your Wi-Fi password every 3-6 months.
For advanced users:
Configuring DD-WRT for Enhanced Security
Firmware DD-WRT allows:
1. Set up VLAN to isolate devices.
2. Turn on Intrusion Detection System (IDS).
3. Use IPTables for fine-tuning the firewall.
⚠️ Requires technical knowledge and a compatible router!
Remember: Wi-Fi security isn't a one-time setup, but a regular process. Check your connected devices, update firmware, and stay up-to-date on vulnerability news.
1. Change the factory administrator password.
2. Enable WPA3 (or WPA2 with AES).
3. Disable WPS and update the firmware.
4. Use a guest network for smart devices.
-->
FAQ: Frequently Asked Questions about Wi-Fi Security
Is it possible to hack Wi-Fi with WPA3?
Theoretically yes, but in practice this requires physical access to the router or a zero-day vulnerability (which is quickly patched with updates). The main threat to WPA3 is dictionary attacks if the password is weak (for example, 12345678). Use passwords that are 15+ characters long, with mixed case and special characters.
How do I check who is connected to my network?
Methods:
- Via the router panel: section
Wireless Network → Client List(orDHCP Clients List). - Mobile applications: Fing (Android/iOS) or WiFi Guard.
- Windows command line:
(shows IP and MAC addresses).arp -a
If you see an unfamiliar device, immediately change your Wi-Fi password and check your router for backdoors.
Should you turn off Wi-Fi at night?
This reduces the risk of night attacks, but is not a panacea. Better:
- Set up a Wi-Fi shutdown schedule on your router (for example, from 1:00 AM to 6:00 AM).
- Use a guest network for devices that require constant access (cameras, thermostats).
Disabling Wi-Fi is also useful for saving energy (the router consumes ~5-10 W/hour).
My router doesn't support WPA3. What should I do?
Options:
- Update your firmware to the latest version (sometimes WPA3 is added retroactively).
- Buy a new router with WPA3 support (starting at 3,000 rubles). Recommended models: TP-Link Archer AX21, ASUS RT-AX55.
- Use WPA2 with
AES+ additional measures (MAC filtering, guest network).
Don't buy used routers - they may contain hidden backdoors from previous owners.
How to secure Wi-Fi in an office with a large number of devices?
For business it is recommended:
- 🔐 Use WPA3-Enterprise with authentication by certificates (for example, through Radius server).
- 📊 Divide the network into VLANs for different departments.
- 🛡️ Install a separate firewall (for example, pfSense).
- 📈 Monitor traffic with Zabbix or PRTG.
For small offices, a router of the class is suitable Ubiquiti UniFi or MikroTik with support for multiple SSIDs and advanced security settings.