Your router ships with settings optimised for ease of setup, not security. The default configuration of most home routers leaves you vulnerable to a range of attacks — from password brute-forcing to DNS hijacking. This guide covers every security-relevant setting you need to change, with explanations of why each one matters. Before you start, run WiFi.Report's free security scan to see your network's current security score.
How to Access Your Router's Admin Panel
All changes in this guide are made through your router's admin interface. Here's how to access it:
- Connect your device to your home WiFi (or plug in via Ethernet for the most reliable connection)
- Open a web browser and enter your router's IP address in the address bar
- Common addresses: 192.168.1.1, 192.168.0.1, 10.0.0.1, or 192.168.2.1
- If none work: on Windows, run ipconfig in Command Prompt and find "Default Gateway"; on Mac, go to System Settings → Network → Details → Router
- Log in with your admin credentials
Quick Reference: Recommended Settings at a Glance
Security Settings Quick Reference
1. WiFi Encryption: Enable WPA3
WiFi encryption determines how your wireless data is protected in transit. WPA3 is the current standard and should be used wherever possible.
Where to Find It
Look in: Wireless → Security, WiFi Settings → Security Mode, or Advanced → Wireless Security (varies by brand)
What to Set
- Best option: WPA3-SAE (if all your devices support it)
- Good option: WPA2/WPA3 Transitional — supports both old and new devices
- Minimum: WPA2-AES (AES cipher, not TKIP)
- Never use: WPA (TKIP), WEP, or Open (no password)
ASUS: Wireless → General → Authentication Method → WPA3-Personal
Netgear: Advanced → Wireless Settings → Security Options → WPA3
BT/Sky/Virgin: Log into the router app or admin portal and look for WiFi Security settings
For a detailed comparison of WPA2 vs WPA3, see our WPA3 vs WPA2 guide.
2. Router Admin Credentials
The default admin username and password for every router model is publicly listed online. Change both immediately.
Where to Find It
Look in: Administration → Management, System → Password, or Advanced → Administration
What to Set
- Change the admin username from "admin" to something unique
- Set a strong password (16+ characters) that is different from your WiFi password
- Store it in a password manager
3. Disable WPS (WiFi Protected Setup)
WPS was designed to make connecting devices easier by using an 8-digit PIN. Unfortunately, the WPS PIN system is fundamentally broken — it can be brute-forced in as little as 4 hours due to a design flaw that allows testing 4 digits at a time.
Where to Find It
Look in: Wireless → WPS, WiFi → WPS Settings, or Advanced → WPS
What to Set
Disable WPS completely. If your router only lets you disable the PIN method (keeping the push-button method), that's acceptable — the push-button method requires physical access to the router and is less vulnerable.
4. Disable Remote Management
Remote management (also called "remote access" or "WAN management") allows your router's admin panel to be accessed from the internet. This is almost never needed for home users and exposes your router to attack from anywhere in the world.
Where to Find It
Look in: Administration → Remote Management, Advanced → Remote Access, or Security → Remote Access
What to Set
Disable remote management entirely. If you need to access your router from outside your home, consider a VPN or your router manufacturer's secure cloud management app instead.
5. Enable the Firewall
Your router likely has a Stateful Packet Inspection (SPI) firewall and possibly DoS protection. These should be enabled.
Where to Find It
Look in: Security → Firewall, Advanced → Security, or Firewall Settings
What to Enable
- SPI Firewall: Enable (blocks unsolicited incoming connections)
- DoS Protection: Enable (protects against Denial of Service attacks)
- Port Scanning Protection: Enable if available
- ICMP Ping from WAN: Disable (prevents your router from responding to pings from the internet, making it less visible to scanners)
6. Update Router Firmware
Router firmware updates fix security vulnerabilities. Not updating is one of the most common reasons routers get compromised.
Where to Find It
Look in: Administration → Firmware Update, Advanced → Firmware, or System → Software Update
What to Do
- Check for available updates and install them
- Enable automatic firmware updates if available
- Set a reminder to check for updates manually every 3 months (not all routers notify you)
7. Set Up a Guest Network
A guest network creates a separate WiFi network that is isolated from your main network. Use it for visitors and, critically, for all your smart home (IoT) devices.
Why IoT Devices Need Isolation
Smart TVs, cameras, thermostats, and other IoT devices frequently have poor security. By isolating them on a guest network with client isolation enabled, a compromised smart device can't access your computers, phones, or NAS drives.
Where to Find It
Look in: Wireless → Guest Network, WiFi → Guest Access, or Advanced → Guest WiFi
What to Set
- Enable Guest Network: Yes
- Guest Network Isolation (prevents guests from seeing each other and your main network): Enabled
- Guest Network Password: Set a separate, strong password
- Guest Network Security: WPA2 or WPA3
- Access to local resources: Disabled
Read our full guide to setting up a guest network for detailed instructions by router brand.
8. Disable UPnP
Universal Plug and Play (UPnP) allows devices on your network to automatically open ports in your firewall. This makes some gaming and streaming services easier to set up, but it's also been exploited by malware like Mirai to create massive botnets from home routers.
Where to Find It
Look in: Advanced → UPnP, NAT → UPnP, or Administration → UPnP
What to Set
Disable UPnP. If a specific application stops working, you can manually configure port forwarding for that application instead — this gives you control over exactly which ports are open and for which devices.
9. Configure DNS Settings
By default, your router uses your ISP's DNS servers. ISP DNS can be slow, logs your queries, and doesn't offer malware protection. Switching to a better DNS provider improves privacy, speed, and security.
Where to Find It
Look in: Internet/WAN Settings → DNS, Advanced → DNS Settings, or Network → DNS
Recommended DNS Servers
- Cloudflare (1.1.1.1): Primary: 1.1.1.1, Secondary: 1.0.0.1 — Fast, privacy-focused, no query logging
- Google (8.8.8.8): Primary: 8.8.8.8, Secondary: 8.8.4.4 — Reliable and fast
- Quad9 (9.9.9.9): Primary: 9.9.9.9, Secondary: 149.112.112.112 — Blocks malicious domains
After changing your DNS settings, test for DNS leaks using WiFi.Report's privacy test. For more information, see our guide on encrypted DNS vs VPN.
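A local check to go with the DNS change, as an added example that is not part of the original guide or of WiFi.Report's tooling: the Python script below parses English-language `ipconfig /all` output (the same command used earlier to find the Default Gateway) and lists any DNS server that is neither one of the resolvers recommended above nor the router itself. The sample output, the function names and the allow-list policy are assumptions made for illustration.

```python
import ipaddress
import re

# Resolvers recommended in step 9 of this guide.
GUIDE_RESOLVERS = {"1.1.1.1", "1.0.0.1", "8.8.8.8", "8.8.4.4", "9.9.9.9", "149.112.112.112"}

# Constructed sample of `ipconfig /all` output; 203.0.113.53 is a documentation address.
SAMPLE = """\
Wireless LAN adapter Wi-Fi:

   Connection-specific DNS Suffix  . : home
   Default Gateway . . . . . . . . . : fe80::1%12
                                       192.168.1.1
   DNS Servers . . . . . . . . . . . : 192.168.1.1
                                       203.0.113.53
"""

# "Label . . . : value"; the separator is " :" so IPv6 colons never match it.
LABEL = re.compile(r"^\s+(?P<name>.+?)[ .]* :\s*(?P<value>.*)$")

def parse_fields(text):
    """Map field name -> list of values (all adapters merged)."""
    fields, current = {}, None
    for line in text.splitlines():
        if not line.strip() or not line[0].isspace():
            current = None  # blank line or adapter header ends the field
            continue
        m = LABEL.match(line)
        if m:
            current = fields.setdefault(m["name"], [])
            value = m["value"].strip()
        else:
            value = line.strip()  # continuation line: one more value for the same field
        if current is not None and value:
            current.append(value)
    return fields

def to_ip(value):
    """Drop the IPv6 zone id (e.g. %12) and parse the address."""
    return ipaddress.ip_address(value.split("%")[0])

def audit_dns(text, expected=GUIDE_RESOLVERS):
    """Return (IPv4 gateways, DNS servers that are neither expected nor the router).

    The router usually hands itself out as the resolver, so gateway addresses are allowed."""
    fields = parse_fields(text)
    gateways = [to_ip(v) for v in fields.get("Default Gateway", [])]
    allowed = {ipaddress.ip_address(e) for e in expected} | set(gateways)
    dns = [to_ip(v) for v in fields.get("DNS Servers", [])]
    return ([str(g) for g in gateways if g.version == 4],
            [str(d) for d in dns if d not in allowed])
```

An address reported here is a prompt to check the router's DNS page, not proof of compromise; your ISP's resolvers will also be listed if the router still uses them.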
10. Enable DoS and DDoS Protection
Denial of Service (DoS) attacks flood your router with traffic to make it unresponsive. Most modern routers include some built-in DoS protection — make sure it's enabled.
What to Enable
- SYN Flood Protection
- UDP Flood Protection
- ICMP Flood Protection
- IP Source Routing Protection
- Disable ICMP (Ping) responses from WAN
Verifying Your Changes
After making changes to your router security settings:
- Reboot your router to ensure all changes take effect
- Reconnect all devices using the (possibly updated) WiFi password
- Run WiFi.Report's free security scan to verify your security score has improved
- Check for DNS leaks to confirm your DNS settings are working correctly
Frequently Asked Questions
How do I access my router's admin settings?
Open a browser and enter 192.168.1.1, 192.168.0.1, or 10.0.0.1 in the address bar. On Windows, run ipconfig in Command Prompt and look for "Default Gateway." Log in with your admin credentials (the factory-set credentials are on a sticker on the router).
What encryption should I use on my router?
Use WPA3 if all your devices support it. For mixed environments (some older devices), use WPA2/WPA3 transitional mode. At minimum, use WPA2-AES. Never use WEP or WPA-TKIP. See our detailed WPA3 vs WPA2 comparison.
Should I disable DHCP on my router?
No — for home networks, leave DHCP enabled. It automatically assigns IP addresses to devices, which is convenient and has no meaningful security disadvantage compared to static IPs for most home users.
How do I know if my router has been hacked?
Warning signs include DNS settings changed to unfamiliar servers, unknown devices in your connected devices list, your router admin password not working, or browsers redirecting to unexpected sites. Run WiFi.Report's security scan and see our guide on detecting a hacked WiFi network.
Conclusion
Configuring your router properly takes about 30 minutes and dramatically reduces your exposure to the most common home network attacks. Work through the settings in this guide, prioritising WPA3 encryption, changing default admin credentials, disabling WPS, and enabling the firewall. After making changes, run WiFi.Report to verify your security score, and review your settings every few months to stay protected.