Every third home internet user has experienced at least one suspicious Wi-Fi slowdown, unfamiliar devices on the network, or strange redirects to fraudulent websites. The cause is usually the same: router hackingHackers don't need to physically break into your home: a vulnerability in your router settings is enough to access personal data, banking details, or even use your IP address for illegal activities.
The problem is compounded by the fact that 90% of users never change the default settings of the router after purchase. Manufacturers like TP-Link, ASUS or Keenetic supply devices with factory logins (admin/admin), open ports, and outdated encryption protocols. It's like leaving your apartment key under the doormat—sooner or later, someone will use it. In this article, we'll look at Specific steps to protect your router from hacking, including hidden settings that even experienced users ignore..
1. Change the factory administrator login and password
The first thing hackers check when attacking a router is standard credentials. Databases with login/password combinations for popular models (D-Link DIR-300, Zyxel Keenetic, MikroTik hAP) are freely sold on internet forums. If you haven't changed the factory settings admin/admin or user/user, your router is vulnerable to brute force attacks.
How to change:
- 🔧 Go to the router control panel via a browser (usually
192.168.1.1or192.168.0.1). - 🔑 Find the section
System Settings → Administration(the name may differ). - 🆔 Create a complex password: at least 12 characters with numbers, capital letters and special characters (for example,
W1F1_7#pL!nk_2026). - 🔄 Save the changes and reboot the router.
⚠️ Attention: Never use the same password to access your router and your Wi-Fi network. Hackers who hack your Wi-Fi network will automatically gain access to the control panel if the passwords match.
2. Choosing the Right Wi-Fi Encryption Protocol
The encryption protocol determines how difficult it is to guess the password for your network. Outdated standards like WEP or WPA can be hacked in minutes using free utilities (Aircrack-ng, Wifite). The modern minimum is WPA2-PSK (AES), but it's better to use WPA3, if your router supports it.
How to check and change:
- 📡 Go to the section
Wireless Network → Security Settings. - 🔒 Choose
WPA2-PSK(orWPA3-PSK, if available). - 🔐 In the "Encryption" field, specify
AES(NotTKIP!). - 📶 Create a Wi-Fi password that is at least 15 characters long (e.g.
Coffee$WiFi_789!Moscow).
| Protocol | Security level | Time to crack (with a weak password) | Support for older devices |
|---|---|---|---|
| WEP | ❌ Extremely low | 1–5 minutes | Yes |
| WPA (TKIP) | ⚠️ Low | 10–60 minutes | Yes |
| WPA2 (AES) | ✅ High | From weeks to years | Yes |
| WPA3 | ✅✅ Maximum | Almost impossible* | No (software update required) |
* Provided that the password is complex and there are no vulnerabilities in the router firmware.
3. Disabling remote control and dangerous ports
Many routers allow it by default. remote administration via the Internet (ports 80, 443, 8080). This is convenient for IT professionals, but dangerous for home users: hackers scan networks for open ports and attack vulnerable devices. For example, a botnet Mirai In 2016, it infected millions of routers through an open port. 23 (Telnet).
How to close vulnerabilities:
Close port 23 (Telnet)|Disable remote management (WAN)|Close port 7547 (TR-069)|Disable UPnP (if not used)-->
Instructions for popular models:
- 📌 TP-Link:
Advanced Settings → Administration → Remote Management→ disable. - 📌 ASUS:
Internet → NAT → Disable UPnP. - 📌 Keenetic:
System → Management → Internet Access→ set to "Prohibited".
⚠️ Attention: Port 7547 This port is often used by ISPs for remote router configuration. Disabling it may disrupt some services (such as IPTV). Check with technical support to see if this port can be disabled safely.
4. Hiding SSID and filtering by MAC addresses
Hiding the network name (SSID) It won't make your Wi-Fi invisible to experienced hackers, but it will reduce the number of accidental connections. And filtering by MAC addresses This adds another layer of protection: the router will only allow devices from the "whitelist" to connect. The downside of this method is that you have to manually add the MAC address of each new device.
How to set up:
- 👁️ Hiding SSID:
Wireless Network → Basic Settings → Hide SSID(turn on). - 🔗 MAC Filtering:
Wireless Network → MAC Filter → Allow only those listed. - 📱 To find out the MAC address of your device, enter the following in the terminal (Windows):
ipconfig /all | findstr"Physical Address"On Android:
Settings → About phone → Status → Wi-Fi MAC address.
How to bypass MAC filtering?
Hackers can replace their device's MAC address with an authorized one (spoofing). To do this, simply scan the network with a utility. Wireshark and identify active addresses. Therefore, MAC filtering is best used as a supplementary measure rather than a primary one.
5. Updating the router firmware
Manufacturers regularly release firmware updates to patch critical vulnerabilities. For example, in 2021, a flaw was discovered CVE-2021-20090 in routers Netgear, allowing hackers to execute arbitrary code. If the firmware is out of date, your router could be infected without your knowledge.
How to update:
- 🔄 Automatically:
Administration → Firmware Update → Automatic Check. - 📥 Manually:
- Download the latest version from the manufacturer's website (for example, for TP-Link Archer C6 — https://www.tp-link.com/ru/support/).
- Go to
System Tools → Firmware Update. - Download the file and wait for it to reboot (do not turn off the router!).
⚠️ Attention: If the power goes out or the router freezes during the update, don't panic. Wait 10-15 minutes, then unplug the power for 30 seconds and plug it back in. In 90% of cases, the device will recover. If not, you'll need to reflash the firmware. TFTP (look for instructions for your specific model).
6. Disabling dangerous functions: WPS, UPnP, DMZ
Some router features are convenient but carry risks:
- 🔌 WPS (Wi-Fi Protected Setup): Allows you to connect to the network using a PIN code (often 8 digits), which can be cracked in a few hours. Disable it in
Wireless Network → WPS. - 🌐 UPnP (Universal Plug and Play): Automatically opens ports for devices on the network. Used by viruses to spread. Disable it.
Local Area Network → UPnP. - 🛡️ DMZ (Demilitarized Zone): Places the device outside the firewall. Often used for gaming consoles, but dangerous for PCs. Disable in
Forwarding → DMZ.
Exception: If you are using IP cameras, smart home or game servers, some ports will need to be opened. In this case:
- 🔗 Use port forwarding (Port Forwarding) instead of DMZ.
- 🔒 Set up static IP for a device on a local network.
- 🛡️ Install a firewall on your device (for example, Windows Defender Firewall or Little Snitch for Mac).
- 🏨 Guest network: Restricts access to local resources (printers, network drives). Configured in
Wireless Network → Guest Network. - 🌉 VLAN (Virtual LAN): Divides the network into virtual segments. Supported on advanced routers (MikroTik, Ubiquiti).
- Go to
Wireless Network → Guest Network 1 (2.4 GHz). - Turn on the network and set a name (eg.
Guest_WiFi). - Set a password (different from the main network!).
- In the section
Access to the local networkselectForbidden. - Save and reboot the router.
- 📊 Built-in monitoring: Most routers have a section
Network clientsorDHCP clients(For example,Local Network → Client ListV TP-Link). - 🔍 Third-party utilities:
- Fing (Android/iOS) - Scans the network and shows all devices.
- WireShark (PC) - analyzes traffic and identifies suspicious activity.
- GlassWire (Windows) - Monitors new connections in real time.
- ⚡ Unexpected Internet slowdown without objective reasons.
- 🔄 Spontaneous reboot router.
- 🌍 Redirection to strange websites (especially with a request to enter login/password).
- 📡 Unknown devices in the list of connected clients.
- 💸 Unauthorized payments or online banking activity.
- 🔓 An outdated protocol is used (WEP or WPA-TKIP).
- 🕳️ There is a vulnerability in the router firmware (for example, CVE-2023-1389 For Zyxel).
- 🔌 Dangerous ports are open (
23,7547) or enabled WPS. - Check the model specifications on the manufacturer's website (section "Wireless Standards").
- Go to your router's control panel and check the available protocols.
Wi-Fi Settings → Security. - Update your firmware - some routers (eg. Netgear Nighthawk RAX40) received WPA3 support after the update.
- Disconnect your router from the Internet (remove the WAN cable).
- Reset settings button
Reset(hold for 10-15 seconds). - Update the firmware from the official website (not through the control panel!).
- Reconfigure your router, following these instructions.
- Check all devices on the network with an antivirus.
- Change your passwords from important services (bank, mail, social networks).
- 🛡️ Reducing the risk of night attacks: Most botnets scan networks during off-peak hours.
- ⚡ Energy saving: The router consumes 5–20 W/hour even when idle.
- 🔌 Separate IoT into a separate network (guest or VLAN).
- 🔄 Update your firmware devices (via official applications).
- 🔒 Disable cloud access, if it is not needed (for example, in cameras Xiaomi).
- 🛡️ Use a firewall on the router (if there is a function
SPI Firewall, turn it on).
7. Guest network and VLAN for device isolation
If guests, friends, or smart home devices (lamps, outlets) connect to your Wi-Fi, it's a good idea to isolate them to a separate network. This will prevent access to your primary devices (laptops, smartphones) if one of them is hacked. Technologies for isolation:
Example of setting up a guest network on ASUS RT-AX58U:
8. Monitoring connected devices and intrusion detection
Even after all the settings are set up, it's a good idea to periodically check who's connected to your network. Hackers can use MAC address spoofing or protocol vulnerabilities to remain undetected. Tools for control:
Signs of a hacked router:
FAQ: Frequently Asked Questions about Wi-Fi Security
Is it possible to hack my router if I have a complex Wi-Fi password?
Yes, if:
A complex password only protects against guessing. For complete security, you need to take all the measures described in this article.
How do I check if my router supports WPA3?
Methods:
If there is no WPA3, use WPA2-PSK (AES) - this is a reliable standard.
What to do if the router has already been hacked?
Follow these steps:
If your router is unstable after a reset, it may be infected with malware. In this case, it's best to buy a new one.
Should you turn off Wi-Fi at night?
This is not required for security, but is recommended for two reasons:
The alternative is to customize Wi-Fi schedule (available on most routers in the section Wireless Network → Schedule).
How to protect your router from hacking through vulnerabilities in IoT devices?
Smart devices (cameras, lamps, sockets) often have weak security and become entry points for hackers. Precautions:
Example: in 2020, cameras Ring were hacked due to a vulnerability in the cloud API. Attackers gained access to video and microphone.