Home Wi-Fi has become as essential an apartment accessory as a refrigerator or washing machine. But while we take care of our appliances—cleaning, repairing, and updating them—the router often remains a "black box" with a sticker from the provider. And that's a shame: unprotected router It can become a juicy target for hackers, freeloading neighbors, and even botnets that steal your data or use the network to attack other people's websites.
The problem is that 90% of users Never change the default router settings after connecting. Meanwhile, even basic security—the correct password and disabling WPS—reduces the risk of hacking. 87% (research data Kaspersky Lab for 2023). This article is not about paranoid measures like disabling DHCP or installing pfSense On a separate PC. Here are only working methods that will take no more than 20 minutes but will make your network inaccessible to 99% of attacks.
We'll figure out why. WPA3 better WPA2 (and when it's not), how to fool password cracking programs, why guest access It's more dangerous than it seems, and what to do if your router is already hacked. No fluff—just concrete steps and explanations of "why it works."
1. Change the default login and password for the router admin panel
The first thing any hacker (or even the neighboring teenager) checks is WiFi Hacker App from Play Market) are the standard combinations for entering the router control panel. TP-Link This admin/admin, at ASUS — admin/admin, at Zyxel Keenetic - a completely blank password. An attacker only needs to enter the router's IP address (usually 192.168.0.1 or 192.168.1.1) in the browser - and it is inside the system.
How to fix it:
- 🔑 Create a complex password For admin: minimum 12 characters, with numbers, capital letters and special characters (e.g.
R7#pL9!kM2@q). Do not use birthdays or pet names. - 👤 Change your username With
adminto something non-obvious (for example,home_net_2026). Not all routers have this option, but if they do, be sure to use it. - 🔄 Disable remote access to the control panel (optional)
Remote ManagementorWAN Access). It's only needed if you're setting up a router from another network—which home users don't need.
⚠️ Attention: If you have forgotten the new password for the admin panel, you will have to reset the router to factory settings using the button Reset (Hold for 10-15 seconds). This will delete all settings, including the Wi-Fi network name and password!
2. Set up the correct network encryption: WPA3 or WPA2?
An encryption standard determines how easily an attacker can intercept and decrypt your network traffic. Two protocols are currently in use:
- 🔒 WPA3 is the most modern (released in 2018). It fixes vulnerabilities.
WPA2, for example, an attack KRACK, and uses individual encryption for each device (Simultaneous Authentication of Equals). - 🔓 WPA2 — obsolete, but still common. Supported by all devices, but vulnerable to dictionary attacks (if the password is weak).
It would seem that the choice is obvious, but there is a nuance: Not all devices support WPA3For example, old smartphones on Android 8 or printers may not connect to such a network. Check compatibility:
| Device | WPA3 support | What to do if it doesn't support |
|---|---|---|
| iPhone (iOS 13 and later) | ✅ Yes | Update the firmware |
| Android (version 10+) | ✅ Yes | Install the latest OS version |
| Smart light bulbs Xiaomi Yeelight | ❌ No | Use WPA2/WPA3 Transition Mode |
| Printers HP LaserJet (until 2019) | ❌ No | Connect via cable or set up a guest network with WPA2 |
If at least one important device does not support WPA3, select the mode in the router settings WPA2/WPA3 Personal (aka Transition Mode). This is a hybrid mode where modern gadgets will use WPA3, and the old ones - WPA2.
3. Disable WPS: Why it's more dangerous than it seems
WPS (Wi-Fi Protected Setup) — a technology for "easy" connecting devices using a PIN code or a button on the router. It sounds convenient, but in practice it's the biggest security hole most home networks. Here's why:
- 🔢 An 8-digit PIN code can be guessed in 4–10 hours (even on a weak PC). The attacker simply tries combinations until they guess.
- 🔄 Many routers do not block PIN entry attempts, which allows for endless attacks.
- 🚪 Even if you don't use WPS, the feature may be enabled by default (for example, on D-Link DIR-300 or Tenda N301).
How to disable WPS:
- Go to your router's control panel (usually at
192.168.0.1or192.168.1.1). - Find the section
Wi-Fi → WPSorSecurity → WPS Settings. - Select an option
Disable WPSorDisable. - Save the settings and reboot the router.
⚠️ Attention: On some routers (for example, Zyxel Keenetic) WPS can be disabled separately for the push-button and PIN code. Make sure both options are disabled!
☑️ Check if WPS is disabled
4. Hiding SSID: Does it help or not?
Many "experts" advise hiding the network name (SSID) so that the router doesn't show up in the list of available Wi-Fi networks. The logic is simple: "If the network isn't visible, it's harder to hack." In practice, this myth, and here's why:
- 🔍 Hidden
SSIDIt is still transmitted over the air in unencrypted form (it can be caught by a traffic analyzer like Wireshark). - 📱 Devices that were previously connected to the network will constantly "shout" its name into the air, trying to find the router.
- ⚠️ Some devices (eg. Android-smartphones) may not work well with hidden networks, constantly losing connection.
Hiding SSID It only makes sense in one case: if you want reduce the number of random connections (For example, from neighbors looking for free Wi-Fi). But this offers virtually no security. Instead:
- 🔐 Use complex password (see section 1).
- 🔄 Change your network name regularly (
SSID) to make life difficult for hacking programs. - 🚫 Turn it off
Broadcast SSIDonly if you really need to hide the network from prying eyes (for example, in an office).
How to find a hidden network?
A hidden network can be detected using programs like NetSpot or inSSIDerThey scan the airwaves and display all networks within range, even those that don't broadcast their names.
5. Update your router firmware: why it's critical
A router's firmware is its "operating system," which controls all its functions. Manufacturers regularly release updates to patch vulnerabilities. For example, in 2022, routers ASUS found a critical flaw CVE-2022-26376, allowing hackers to execute arbitrary code. A fix was released a month later—but only for those who have updated.
How to check and update firmware:
- Go to your router control panel.
- Find the section
System,AdministrationorFirmware Update. - Check the current firmware version and compare it with the latest one on the manufacturer's website (for example, tp-link.com/ru/support).
- If there is a new version, download it and upload it via the web interface.
⚠️ Note: Router interfaces and update methods may vary depending on the model and year of manufacture. For details, please refer to the official documentation for your device.
Some routers (eg. Keenetic or MikroTik) support automatic updateEnable this option if it exists—this will protect you from new vulnerabilities without manual control.
6. Set up MAC address filtering (but don't rely on it)
MAC filtering Allows only specific devices to connect to the network using their unique addresses. This sounds like reliable protection, but in practice, it's easily circumvented:
- 🔄 The MAC address is transmitted in clear text and can be intercepted.
- 🎭 An attacker can replace his MAC with an authorized one (this is done in two commands in Linux or through programs like Technitium MAC Address Changer on Windows).
- 📱 Each new device (for example, a guest smartphone) will have to be added to the list manually.
However, MAC filtering is useful as an additional layer of protectionIt won't stop a seasoned hacker, but it will make life more difficult for casual hackers. How to set it up:
- Find the MAC addresses of your devices (on Windows:
ipconfig /allon the command line; Android: in Wi-Fi settings). - In the router panel, go to
Wireless → MAC Filtering. - Select mode
Allow(allow only specified addresses) and add your devices. - Save the settings.
Don't forget to update your MAC address list when adding new devices. And remember: this isn't a panacea, but just one element of security.
7. Guest Network: How to Avoid Giving Hackers Access to Your Data
Guest Wi-Fi is a convenient feature that prevents you from sharing your main network password with friends or colleagues. However, if configured incorrectly, guests can access all devices on your local network (printers, NAS, smart speakers). Here's how to secure guest access:
- 🔐 Separate the guest network: in the router settings, enable the option
AP IsolationorClient IsolationThis will prevent devices on the guest network from "seeing" each other and your devices. - 🔄 Limit your speed: Allocate no more than 10-20% of your total bandwidth to guests so they don't hog your channel.
- ⏰ Turn on the timer: Set the guest network to turn off automatically at night or a few hours after connecting.
- 📡 Use a different SSID: The name of the guest network should not be the same as the main network (for example,
Ivanov_Guestinstead ofIvanov_Home).
Example setup for TP-Link:
Go to:Guest Access → Settings → Enable Guest Network
Install:
- Network name (SSID): MyGuestWiFi
- Password: complex (not like the main network!)
- Allow local network access: ❌ Disabled
- Speed limit: 10 Mbps
- Schedule: from 09:00 to 22:00
⚠️ Attention: On some routers (for example, D-Link DIR-615By default, the guest network has the same permissions as the main network. Always check your isolation settings!
8. Additional measures: for the paranoid (and those who are really taking risks)
If you store cryptocurrency at home, work with sensitive data, or just want maximum protection, here are a few advanced measures:
- 🛡️ Disable UPnPThis feature automatically opens ports for devices (for example, for online games), but it is often exploited by viruses. Find the option
UPnPin the settings and deactivate. - 🔗 Change DNS: By default, the router uses the provider's DNS, which may be vulnerable. Switch to
Cloudflare (1.1.1.1)orGoogle DNS (8.8.8.8). - 🔍 Enable loggingConnection logging will help you spot suspicious activity. Store logs on an external drive or in the cloud.
- 🔌 Disable unused services: For example,
FTP,TelnetorRemote ManagementThey are rarely needed at home, but often become a loophole for hackers. - 🔄 Set up a VPN on your router: some models (eg ASUS RT-AX88U) support OpenVPN or WireGuardThis encrypts all traffic, including smart devices that cannot connect to the VPN on their own.
For the most advanced users, there is another option - replacing the standard firmware to an alternative, for example, DD-WRT or OpenWRTThis gives you full control over the router, but requires technical knowledge and may void the warranty.
What is DD-WRT?
DD-WRT is an open-source firmware for routers that adds advanced features such as bandwidth control, VPN support, advanced firewall, and more. It is compatible with the following models: Linksys WRT54G, Netgear R7000 and others. Installation requires care—an error can brick the router.
FAQ: Frequently Asked Questions about Wi-Fi Security
Is it possible to hack a router via WPS if it is disabled?
No, if WPS completely disabled (including PIN and PBC). However, some routers "forget" the settings after a reboot - check the function status regularly. Also, make sure there is no option in the settings WPS Lock (it blocks attempts after several failures, but not all models support it).
How do you know if your router has already been hacked?
Signs of hacking:
- 🖥️ Unknown devices in the list of connected devices (checked in
DHCP Clients List). - 🐢 A sharp drop in internet speed for no apparent reason.
- ⚙️ Changed router settings (for example, a different DNS or open ports).
- 🔄 Spontaneous device reboots.
If you notice any of this, immediately reset the router to factory settings and set it up again using these instructions.
Should I change my Wi-Fi password if it's already complex?
Yes, even a complex password is worth changing. once every 6–12 monthsReasons:
- 🔑 The password could accidentally fall into the hands of third parties (for example, through guest access).
- 💻 Vulnerabilities in encryption protocols (for example, in
WPA2) can allow a network to be hacked even with a strong password. - 📡 Neighbors could "catch" the handshake (authentication packet) and try to decrypt it.
Use password managers (eg. Bitwarden or KeePass) for generating and storing complex combinations.
Is it possible to use the same password for Wi-Fi and the router admin panel?
Categorically NoIf a hacker cracks the Wi-Fi password (for example, via WPS or a vulnerability in WPA2), he will also have access to the router settings. Come up with different passwords For:
- 📶 Wi-Fi networks (for connecting devices).
- 🔐 Router admin panel (to access the control panel).
Also, do not use the same password on several routers (for example, at home and at the dacha).
Do "Wi-Fi antiviruses" like Avast Wi-Fi Inspector?
Such programs can detect vulnerabilities (such as a weak password or open ports), but they don't replace manual configuration. They are useful for:
- 🔍 Scan the network for connected devices.
- 🛡️ Checking router vulnerabilities (but not all!).
- 📊 Traffic monitoring (who consumes and how much).
However, they do not protect From firmware-level attacks or zero-day exploits. The primary defense is proper router settings.