How to Secure Your Home Wireless Network
by Howard Fosdick
Updated: 2023. Originally published in OSNews.
This tutorial tells how to secure your home wireless network. Good
security means implementing a series of small steps to
progressively lock down a system.
There is no single "silver
bullet." Add up all the small steps and you'll have a reasonably
Why care about security? If someone steals your bandwidth that
leaves less for you. But there's more. In the U.S., the courts
sometimes rule that home network addresses (IP addresses) uniquely
could be held responsible if someone uses your wireless network --
without your knowledge or permission -- to illegally download music,
movies, or software.
And yet some routers do not ship with all the most secure defaults.
It's on you! Hence this tutorial.
I'll walk you through how to secure your home network manually.
This ensures you'll understand it. That's important because all
manufacturers have different setup panels and use different
terminology. Our goal is to ensure you'll be able to recognize and
set the key security options whatever router you have.
Most routers offer easy-to-use Setup Wizards. These are helpful -- but
make sure yours lets you set all the security options I list in
If it doesn't, go back and manually update the
missing settings to be more secure.
Some routers also offer fully automated set up
older one called Wi-Fi
had a serious
Disable it if your router lets you. A new
automated setup procedure called Wi-Fi Easy Connect eventually
replaced WPS. It's secure, so use it if you like.
Okay, let's get started.
Turn Off Unused Wireless
It should go without saying, but if you don't need wireless to
access your network, disable it. Even if you disable wireless,
you still need to secure the router!
So keep reading.
Also: don't make a wireless router a more available target than it need
be. Turn it off when it's not in use.
Use Only Secure Routers and Wireless Devices
Ensure your wireless router and all your devices support current
security protocols. These are the common IEEE 802.11
wireless standards you'll encounter:
||WPA2, WPA, more
||WPA2, WPA, more
||WPA3, WPA2, more
||WPA3, WPA2, more
You'll often see these standards noted on routers or their packaging in this manner:
All routers, laptops, and other devices on your network should use
at least the AC or N standards.
The B standard supports an obsolete encryption method called WEP,
which crackers can break in minutes. If you are still using some really
old equipment, be aware that old B routers are completely insecure.
You really should toss out any old B router and buy a newer secure one!
Router Security Settings
Now let's securely configure a wireless router. The exact options
and terminology you'll encounter vary by brand but you should be
able to locate the right settings on your router. They'll appear in
either drop-down list boxes or textual entry blanks. I'll show
common Linksys and D-Link terminology in my examples.
A tip first. While you can immediately change wireless settings for
devices, sometimes a quick reboot helps. Especially when configuring
a wireless laptop, a quick shutdown and restart sometimes fixes a
problem that can otherwise vex you.
router a network name,
as a Service Set Identifier. Assign an
SSID that someone cannot easily identify or guess. A52c481757bc
is better than Joe_Fox. Do not keep the default
name of Linksys
Write down the SSID for later. You may have to enter it into the
network connection definition for each wireless device that will
connect to this router when you set up its networking configuration.
Here's how to enter the SSID on Linksys and D-Link routers:
Wireless Network Name (SSID): ______________
Wireless Network Name: ______________ (Also called
Disable SSID Broadcasting.
the automatic broadcasting of your SSID name. Unless you do, the router continually
bleats its name out to the world.
use for this is to help
someone who doesn't know your network is there to notice
it, and then to try and get on it. Disabling SSID broadcasting alone
does not stop crackers any more than assigning an unusual SSID (for
reasons I won't go into here); nevertheless, it is one of the many
steps you should take to enhance Wi-Fi security.
To turn off SSID broadcasting:
Wireless SSID Broadcast: ___ Enable
Enable Hidden Wireless: _x_ (Also called the
Since your router is not broadcasting its presence and name, you'll
have to manually enter the SSID or network name into the network
connection definition for each device that will wirelessly connect
with this router. You only have to do this one time for each device,
when you first set up its wireless connection.
If you have a laptop client configuration tool that only
configures for broadcast
SSIDs, enable SSID broadcasting on the router, configure the laptop
for access, then disable SSID broadcasting on the router. The client
will now be able to access the router even though it doesn't
broadcast its SSID.
Router Password --
Assign a tough password to the router to block unauthorized users.
Good passwords are long and contain intermixed letters, digits, and
special characters. The router's HELP panel will tell you its
password rules. You can enter any password into the free online Password
to find how crackable it is.
User or Admin ID --
need a user id to log in to
the router with the password. A few routers just use the network
name (one reason why an unusual SSID is better than one that is easy
to guess or identify). In this case enter:
ID: __network-name__ PASSWORD: __your-password__
Most routers allow you to create both the user ID and its
corresponding password, so you would enter:
ID: __your-user-id__ PASSWORD: __your-password__
Every cracker knows all the router default SSIDs, user ids, and
Assign strong new ones!
Wired Administration Only --
This setting ensures that only a physically connected computer can
access the router configuration panels, so the router cannot be
remotely configured by wireless even if someone has the password.
This is excellent security, because
it means that someone cannot remotely access your administration panels --
they would have to get physically inside your house to do that.
Remote Management: ___ Enable _x_
Enable Remote Management: ___
Remember -- If you always use a
wireless laptop, this means that if you ever want to reconfigure
the router again, you'll have to physically attach your laptop by
wire to the router to make changes.
Authentication and Encryption
Authentication refers to how a router verifies the legitimacy
of a wireless device that tries to connect to it and establishes a
Encryption refers to the securely coded
communications between the router and the wireless device once it's
Routers support various authentication and encryption standards. Your goal is to use the strongest
methods supported by your router and the wireless devices that use
Here are common levels, from weakest to strongest. Not
all routers support all options:
Routers usually have a drop-down list box where you select this
standard. It's labeled something like Security Mode
Unfortunately router vendors use different terms to refer to the
I'll list most of the terms you might
encounter below and show how they are equivalent. You'll have to
pick out the specific term your router uses.
WPA3 is the best standard. It was introduced in late 2018.
Its SAE (Simultaneous Authentication of Equals) feature
replaces the PSK (Pre-Shared Key) authentication method used
in prior WPA versions.
Set your router to the best
setting it supports:
||Usually Labeled As:
||WPA3 Personal, WPA3-SAE
||WPA2 Personal, WPA2-PSK2, WPA-PSK
||WPA Personal, WPA-PSK, WPA Shared Key
||WEP 64-bits, WEP 128-bits, WEP Shared Key
||WEP Open System, No encryption, None
Unless your goal is to share your internet with the world, do not
, No Security
, Open System
, or None
Options containing the words Enterprise
used by businesses using RADIUS servers, so you normally wouldn't
use them for a home network.
The Password --
Next, you'll need to enter a
password value that will become the basis for encryption. It will be
labeled something like:
- Shared Key
- Passphrase (a phrase that automatically generates a password
Use the router's HELP panel to see how complex it can be. Supply a strong, uncrackable key
-- this encrypts all the data that passes between your router and
your wireless devices. You may find the free online Password
When you set up your wireless client devices, you'll also enter this
value into their Network Configuration definition. This is why this
value is often called a shared
-- it is shared between the router or modem and your
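An added example, not part of the original article: a Python script that generates a random SSID and shared key offline, checks a key against the WPA/WPA2-Personal limits (8 to 63 printable ASCII characters), and shows how WPA/WPA2-Personal derives its 256-bit key from the passphrase and the SSID. The function names are assumptions made for this example, and WPA3-SAE handles the passphrase differently.

```python
# Added example (not from the article); function names are illustrative.
import hashlib
import math
import secrets
import string

# WPA/WPA2-Personal limits: key 8-63 printable ASCII chars, SSID <= 32 bytes.
KEY_MIN, KEY_MAX, SSID_MAX = 8, 63, 32
ALPHABET = string.ascii_letters + string.digits + string.punctuation  # 94 symbols
CLASSES = (string.ascii_lowercase, string.ascii_uppercase, string.digits, string.punctuation)

def check_key(key, ssid=""):
    """Return a list of problems with a shared key; an empty list means it passes."""
    problems = []
    if not KEY_MIN <= len(key) <= KEY_MAX:
        problems.append("length must be 8-63 characters")
    if any(not 32 <= ord(c) <= 126 for c in key):
        problems.append("printable ASCII only")
    if sum(any(c in cls for c in key) for cls in CLASSES) < 3:
        problems.append("mix letters, digits and special characters")
    if ssid and ssid.lower() in key.lower():
        problems.append("key contains the network name")
    return problems

def new_ssid(length=12):
    """Random hex name in the style of the article's A52c481757bc example."""
    if not 1 <= length <= SSID_MAX:
        raise ValueError("SSID must be 1-32 bytes")
    return secrets.token_hex(SSID_MAX)[:length]

def new_key(length=24):
    """Random key from the OS CSPRNG; redraw until it passes check_key()."""
    if not KEY_MIN <= length <= KEY_MAX:
        raise ValueError("key must be 8-63 characters")
    while True:
        key = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if not check_key(key):
            return key

def entropy_bits(length):
    return length * math.log2(len(ALPHABET))  # bits in a uniformly random key

def wpa2_psk(passphrase, ssid):
    """256-bit key of WPA/WPA2-Personal: PBKDF2-HMAC-SHA1 with the SSID as salt."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)

if __name__ == "__main__":
    ssid, key = new_ssid(), new_key()
    print(ssid, key, f"{entropy_bits(len(key)):.0f} bits", wpa2_psk(key, ssid).hex())
```

Because the SSID is the salt in that derivation, the same passphrase yields a different key on a differently named network, and nothing here sends the key to a website.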
The Encryption Algorithm --
In addition to setting the
router's authentication level and encryption key, you'll have to
tell the router the kinds of wireless devices it will support and
their encryption algorithms. Select from the table below. Not all
routers support all settings:
and all your
wireless devices support WPA3 or WPA2.
| Only if necessary:
|You have a
mixed set of wireless devices. The router will use the
encryption standard appropriate to each wireless device.
and/or your wireless devices use WPA.
is best. Since nearly
all devices made in the past decade support it, it should be your
Some routers will ask you whether you want to support AC, N, G
and/or B wireless devices. Ideally, you have only AC devices. Remember,
if you have any B devices, they are completely insecure.
Remaining Router Security Settings
MAC Address Filtering --
Every wireless device or
laptop has a unique Media Access
, or MAC Address
Many routers offer a feature called MAC
, by which you can either allow or disallow
wireless devices with specific MAC addresses. This feature ensures
that only the wireless devices you specify are allowed to use your
To set this up, you need to know the MAC address of every laptop or
wireless device you want to use your router. Then enter it into the
router's panel of allowable MAC addresses.
Most laptops have a
sticker underneath or on the wireless card that will tell you the
MAC address. Or enter a software command to determine it:
|Windows line command:
(look for the Physical Address of your wireless connection)
|Linux line command:
(look for the HWaddr
value for your wireless connection)
|Mac OS GUI:
||System Preferences ->Network -> pick proper Location -> AirPort -> see the
||Settings -> General -> About > see the
A typical MAC address
appears as a series of hexadecimal values in one of these formats:
Enter the MAC addresses of all your wireless devices into the MAC
Address Filter table in the router's configuration panels, then tell
the router to only
communications from these addresses. Voila!
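An added example, not part of the original article: a Python helper that normalizes MAC addresses typed in different notations into one form for the router's filter table and reports entries that will not work. It goes a little beyond the text by flagging locally administered addresses, which devices that randomize their MAC present instead of the hardware address; the function names and sample addresses are constructed.

```python
# Added example (not from the article); names and sample devices are constructed.
import re

def normalize_mac(text):
    """Accept colon, hyphen, dotted or bare hex; return AA:BB:CC:DD:EE:FF."""
    digits = re.sub(r"[:.\-\s]", "", text).upper()
    if not re.fullmatch(r"[0-9A-F]{12}", digits):
        raise ValueError(f"not a 48-bit MAC address: {text!r}")
    if int(digits[:2], 16) & 0x01:
        raise ValueError(f"multicast address, not a device: {text!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

def is_randomized(mac):
    """Locally administered bit (0x02 of the first octet) marks private/random MACs."""
    return bool(int(normalize_mac(mac)[:2], 16) & 0x02)

def build_allowlist(devices):
    """devices maps a label to the MAC as typed; returns (allowlist, warnings)."""
    allow, warnings = {}, []
    for label, raw in devices.items():
        try:
            mac = normalize_mac(raw)
        except ValueError as exc:
            warnings.append(f"{label}: {exc}")
            continue
        if mac in allow:
            warnings.append(f"{label}: {mac} duplicates {allow[mac]}, skipped")
            continue
        if is_randomized(mac):
            warnings.append(f"{label}: {mac} is locally administered and may change")
        allow[mac] = label
    return sorted(allow), warnings

SAMPLE = {  # constructed values, not real devices
    "laptop": "00-1a-2b-3c-4d-5e",
    "printer": "001a.2b3c.4d5f",
    "laptop-again": "00:1A:2B:3C:4D:5E",
    "phone": "da:a1:19:00:00:01",
    "typo": "00:1A:2B:3C:4D",
}

if __name__ == "__main__":
    print(*build_allowlist(SAMPLE), sep="\n")
```

A device flagged as locally administered will drop off the allow list when its address changes, so set it to use its hardware address on your home network before recording the entry.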
Ping Response --
A ping is an anonymous request that comes into your router and asks for a
response. Respond to an anonymous internet request? Not a good idea.
Tell your router not to respond:
Block Anonymous Internet Requests: _x_
Enable WAN Ping Respond: ___
with an embedded firewall. Ensure it is enabled. It should be by
default. Some routers allow you to specify rules or otherwise
configure the firewall. This is very router-specific so I won't
cover it here. The default configuration is usually adequate.
Firmware Update --
The software embedded in your router is called firmware
. Most routers allow
you to automatically perform a firmware update across the web. This
increases security if vendors fix firmware bugs or add security
features since the router shipped. So be sure to update your router.
Be certain the update occurs without interruption! Never turn off the
router or computer during the update or otherwise interrupt the update.
This could mess up your router's firmware or even make it unusable.
A channel is a radio frequency
used for wireless communication between your router and its wireless
clients. Routers typically offer channels 1 through 11. Channel 6 is
the usual default. Other routers default to auto channel scan
or auto channel selection
means the router dynamically determines the channel to use.
The purpose of having multiple channels is to find a frequency that
is free from interference with other devices (your cordless phone,
game box, etc). From the security standpoint, the channel is
irrelevant. I usually pick a channel other than 6 just because it's
less common. Remember that the
router and wireless devices that use it must be set to use the
There is no single silver bullet for router security. But if you
follow these recommendations you'll have a reasonably secure home
Read more in Wikipedia articles on Wi-Fi
and the WPA
Howard Fosdick is an independent consultant who supports databases
and operating systems.
Router Security Checklist
You can use this checklist to ensure that you've set all the most secure
||AC, N , G, or B router
||AC and N routers are current. Replace any obsolete B router
||Set to Off or Disable if you don't use wireless devices.
||Assign a unique complex SSID (network name).
||Disable (default is often Enable).
||Assign unique complex router password.
||User or Admin id
||Assign unique complex router user id if the SSID is not used as the
login user id.
||Wired administration only
||Enable. This means anyone (including you) can only
update the router with a physically connected device going
forward. It's much more secure.
||Disable. This means anyone (including
you) can only update the router with a
physically connected device going forward. It's much
||Use WPA3 or WPA2. Don't pick WPA. Never use WEP or Open System or None
-- unless you wish to share your internet with everyone.
||MAC Address Filtering
||Enable (the default is "Disabled" or "not used"). You'll have to enter the MAC
address of each of your devices into the router, but doing
so enhances security.
||I pick a lesser-used channel, but it's not really that relevant to