Protecting Your Wi-Fi Router from Hacking: A Complete Guide for Users

Every third home internet user has experienced at least one suspicious Wi-Fi slowdown, unfamiliar devices on the network, or strange redirects to fraudulent websites. The cause is usually the same: router hackingHackers don't need to physically break into your home: a vulnerability in your router settings is enough to access personal data, banking details, or even use your IP address for illegal activities.

The problem is compounded by the fact that 90% of users never change the default settings of the router after purchase. Manufacturers like TP-Link, ASUS or Keenetic supply devices with factory logins (admin/admin), open ports, and outdated encryption protocols. It's like leaving your apartment key under the doormat—sooner or later, someone will use it. In this article, we'll look at Specific steps to protect your router from hacking, including hidden settings that even experienced users ignore..

1. Change the factory administrator login and password

The first thing hackers check when attacking a router is standard credentials. Databases with login/password combinations for popular models (D-Link DIR-300, Zyxel Keenetic, MikroTik hAP) are freely sold on internet forums. If you haven't changed the factory settings admin/admin or user/user, your router is vulnerable to brute force attacks.

How to change:

  • 🔧 Go to the router control panel via a browser (usually 192.168.1.1 or 192.168.0.1).
  • 🔑 Find the section System Settings → Administration (the name may differ).
  • 🆔 Create a complex password: at least 12 characters with numbers, capital letters and special characters (for example, W1F1_7#pL!nk_2026).
  • 🔄 Save the changes and reboot the router.
⚠️ Attention: Never use the same password to access your router and your Wi-Fi network. Hackers who hack your Wi-Fi network will automatically gain access to the control panel if the passwords match.
📊 How often do you change your router password?
Never changed
Once a year
Only upon purchase
After every security incident

2. Choosing the Right Wi-Fi Encryption Protocol

The encryption protocol determines how difficult it is to guess the password for your network. Outdated standards like WEP or WPA can be hacked in minutes using free utilities (Aircrack-ng, Wifite). The modern minimum is WPA2-PSK (AES), but it's better to use WPA3, if your router supports it.

How to check and change:

  • 📡 Go to the section Wireless Network → Security Settings.
  • 🔒 Choose WPA2-PSK (or WPA3-PSK, if available).
  • 🔐 In the "Encryption" field, specify AES (Not TKIP!).
  • 📶 Create a Wi-Fi password that is at least 15 characters long (e.g. Coffee$WiFi_789!Moscow).
Protocol Security level Time to crack (with a weak password) Support for older devices
WEP ❌ Extremely low 1–5 minutes Yes
WPA (TKIP) ⚠️ Low 10–60 minutes Yes
WPA2 (AES) ✅ High From weeks to years Yes
WPA3 ✅✅ Maximum Almost impossible* No (software update required)

* Provided that the password is complex and there are no vulnerabilities in the router firmware.

3. Disabling remote control and dangerous ports

Many routers allow it by default. remote administration via the Internet (ports 80, 443, 8080). This is convenient for IT professionals, but dangerous for home users: hackers scan networks for open ports and attack vulnerable devices. For example, a botnet Mirai In 2016, it infected millions of routers through an open port. 23 (Telnet).

How to close vulnerabilities:

Close port 23 (Telnet)|Disable remote management (WAN)|Close port 7547 (TR-069)|Disable UPnP (if not used)-->

Instructions for popular models:

  • 📌 TP-Link: Advanced Settings → Administration → Remote Management → disable.
  • 📌 ASUS: Internet → NAT → Disable UPnP.
  • 📌 Keenetic: System → Management → Internet Access → set to "Prohibited".
⚠️ Attention: Port 7547 This port is often used by ISPs for remote router configuration. Disabling it may disrupt some services (such as IPTV). Check with technical support to see if this port can be disabled safely.

4. Hiding SSID and filtering by MAC addresses

Hiding the network name (SSID) It won't make your Wi-Fi invisible to experienced hackers, but it will reduce the number of accidental connections. And filtering by MAC addresses This adds another layer of protection: the router will only allow devices from the "whitelist" to connect. The downside of this method is that you have to manually add the MAC address of each new device.

How to set up:

  • 👁️ Hiding SSID: Wireless Network → Basic Settings → Hide SSID (turn on).
  • 🔗 MAC Filtering: Wireless Network → MAC Filter → Allow only those listed.
  • 📱 To find out the MAC address of your device, enter the following in the terminal (Windows):
    ipconfig /all | findstr"Physical Address"

    On Android: Settings → About phone → Status → Wi-Fi MAC address.

How to bypass MAC filtering?

Hackers can replace their device's MAC address with an authorized one (spoofing). To do this, simply scan the network with a utility. Wireshark and identify active addresses. Therefore, MAC filtering is best used as a supplementary measure rather than a primary one.

5. Updating the router firmware

Manufacturers regularly release firmware updates to patch critical vulnerabilities. For example, in 2021, a flaw was discovered CVE-2021-20090 in routers Netgear, allowing hackers to execute arbitrary code. If the firmware is out of date, your router could be infected without your knowledge.

How to update:

  • 🔄 Automatically: Administration → Firmware Update → Automatic Check.
  • 📥 Manually:
    1. Download the latest version from the manufacturer's website (for example, for TP-Link Archer C6https://www.tp-link.com/ru/support/).
    2. Go to System Tools → Firmware Update.
    3. Download the file and wait for it to reboot (do not turn off the router!).
⚠️ Attention: If the power goes out or the router freezes during the update, don't panic. Wait 10-15 minutes, then unplug the power for 30 seconds and plug it back in. In 90% of cases, the device will recover. If not, you'll need to reflash the firmware. TFTP (look for instructions for your specific model).

6. Disabling dangerous functions: WPS, UPnP, DMZ

Some router features are convenient but carry risks:

  • 🔌 WPS (Wi-Fi Protected Setup): Allows you to connect to the network using a PIN code (often 8 digits), which can be cracked in a few hours. Disable it in Wireless Network → WPS.
  • 🌐 UPnP (Universal Plug and Play): Automatically opens ports for devices on the network. Used by viruses to spread. Disable it. Local Area Network → UPnP.
  • 🛡️ DMZ (Demilitarized Zone): Places the device outside the firewall. Often used for gaming consoles, but dangerous for PCs. Disable in Forwarding → DMZ.

Exception: If you are using IP cameras, smart home or game servers, some ports will need to be opened. In this case:

  • 🔗 Use port forwarding (Port Forwarding) instead of DMZ.
  • 🔒 Set up static IP for a device on a local network.
  • 🛡️ Install a firewall on your device (for example, Windows Defender Firewall or Little Snitch for Mac).
  • 7. Guest network and VLAN for device isolation

    If guests, friends, or smart home devices (lamps, outlets) connect to your Wi-Fi, it's a good idea to isolate them to a separate network. This will prevent access to your primary devices (laptops, smartphones) if one of them is hacked. Technologies for isolation:

    • 🏨 Guest network: Restricts access to local resources (printers, network drives). Configured in Wireless Network → Guest Network.
    • 🌉 VLAN (Virtual LAN): Divides the network into virtual segments. Supported on advanced routers (MikroTik, Ubiquiti).
    • Example of setting up a guest network on ASUS RT-AX58U:

      1. Go to Wireless Network → Guest Network 1 (2.4 GHz).
      2. Turn on the network and set a name (eg. Guest_WiFi).
      3. Set a password (different from the main network!).
      4. In the section Access to the local network select Forbidden.
      5. Save and reboot the router.

    8. Monitoring connected devices and intrusion detection

    Even after all the settings are set up, it's a good idea to periodically check who's connected to your network. Hackers can use MAC address spoofing or protocol vulnerabilities to remain undetected. Tools for control:

    • 📊 Built-in monitoring: Most routers have a section Network clients or DHCP clients (For example, Local Network → Client List V TP-Link).
    • 🔍 Third-party utilities:
      • Fing (Android/iOS) - Scans the network and shows all devices.
      • WireShark (PC) - analyzes traffic and identifies suspicious activity.
      • GlassWire (Windows) - Monitors new connections in real time.

    Signs of a hacked router:

    • ⚡ Unexpected Internet slowdown without objective reasons.
    • 🔄 Spontaneous reboot router.
    • 🌍 Redirection to strange websites (especially with a request to enter login/password).
    • 📡 Unknown devices in the list of connected clients.
    • 💸 Unauthorized payments or online banking activity.

    FAQ: Frequently Asked Questions about Wi-Fi Security

    Is it possible to hack my router if I have a complex Wi-Fi password?

    Yes, if:

    • 🔓 An outdated protocol is used (WEP or WPA-TKIP).
    • 🕳️ There is a vulnerability in the router firmware (for example, CVE-2023-1389 For Zyxel).
    • 🔌 Dangerous ports are open (23, 7547) or enabled WPS.
    • A complex password only protects against guessing. For complete security, you need to take all the measures described in this article.

    How do I check if my router supports WPA3?

    Methods:

    1. Check the model specifications on the manufacturer's website (section "Wireless Standards").
    2. Go to your router's control panel and check the available protocols. Wi-Fi Settings → Security.
    3. Update your firmware - some routers (eg. Netgear Nighthawk RAX40) received WPA3 support after the update.

    If there is no WPA3, use WPA2-PSK (AES) - this is a reliable standard.

    What to do if the router has already been hacked?

    Follow these steps:

    1. Disconnect your router from the Internet (remove the WAN cable).
    2. Reset settings button Reset (hold for 10-15 seconds).
    3. Update the firmware from the official website (not through the control panel!).
    4. Reconfigure your router, following these instructions.
    5. Check all devices on the network with an antivirus.
    6. Change your passwords from important services (bank, mail, social networks).

    If your router is unstable after a reset, it may be infected with malware. In this case, it's best to buy a new one.

    Should you turn off Wi-Fi at night?

    This is not required for security, but is recommended for two reasons:

    • 🛡️ Reducing the risk of night attacks: Most botnets scan networks during off-peak hours.
    • Energy saving: The router consumes 5–20 W/hour even when idle.

    The alternative is to customize Wi-Fi schedule (available on most routers in the section Wireless Network → Schedule).

    How to protect your router from hacking through vulnerabilities in IoT devices?

    Smart devices (cameras, lamps, sockets) often have weak security and become entry points for hackers. Precautions:

    • 🔌 Separate IoT into a separate network (guest or VLAN).
    • 🔄 Update your firmware devices (via official applications).
    • 🔒 Disable cloud access, if it is not needed (for example, in cameras Xiaomi).
    • 🛡️ Use a firewall on the router (if there is a function SPI Firewall, turn it on).

    Example: in 2020, cameras Ring were hacked due to a vulnerability in the cloud API. Attackers gained access to video and microphone.