Did you know that a wireless router can be the biggest security risk at your office?
In our region, thousands of companies use a cheap wireless router to protect their network. They don’t realize that hackers and malware can often bypass it and hurt the business.
What would a few days of network outage cost you? What would happen if your customer data was stolen? If you rely on a cheap wireless router, then these problems may be just a click away.
You should never use a router to protect your network. However, if you are stuck with one, the following steps may help limit your risk.
Steps to secure your wireless router
You can find many of the settings described below by logging into your router’s settings page.
1. Update the firmware
Go to the router manufacturer’s website and download the latest update for your model. Apply the update in your router settings page. Check for new
2. Require a password
Require a password to use your wireless connection. Make it at least 10 characters long and use a mix of uppercase, lowercase, numeric, and special characters.
3. Select WPA2 encryption
Choose WPA2 encryption if your router gives you the option. Do not use WPA or WEP; they are not safe.
4. Change the name of the wireless router
The service set identifier (SSID) is the name you see when the router is listed as an available wireless connection. Change this ID from the default to anything you like.
5. Enable MAC address filtering
Filtering by media access control (MAC) address allows you to set the devices that can use your network. For it to work, you must enable the filter and register the MAC address of each machine you want to allow.
6. Disable remote administration on the wireless router
This will prevent anyone from changing the router’s settings through a wireless connection. Only a machine plugged into the router with an Ethernet cable will be able to log in.
7. Enable router firewall on the wireless router
Ideally, you want a real security device to protect your network instead of a router. But, if you’re stuck with basic router security, then enable the firewall. It’s better than nothing.
8. Disable all guest networks
Some routers have optional wireless connections that allow people to join without a password, giving them internet access without access to other resources like shared drives. Disable this feature.
9. Disable all other services, such as FTP, that you do not use
Every feature enabled on a router is another potential way for hackers to break in. Limit your exposure by shutting off all unnecessary features and services.
10. Change the default IP address range of the wireless router
By picking a custom IP address range, you can avoid attacks directed at the millions of routers that use the default settings.
11. Enable HTTPS for administrative connections
Not all routers have this feature, but if possible, only allow administrative access over encrypted, HTTPS sessions. This means you will access your router settings over a secure connection with “https://” in the address bar of your browser.
12. Disable WPS on the wireless router
Wi-Fi Protected Setup (WPS) provides an easier way to secure and connect to a wireless network. Though widely used on consumer routers, WPS is not secure, so disable it.
13. Safely log out of your wireless router
After logging into a router to check the settings, always (1) log out and restart the device, and (2) clear the cookies in your web browser.
14. Disable PING, Telnet, SSH, UPnP and HNAP, if possible
All of these are remote-access protocols. If you or the person responsible for your network are able to, instead of setting their relevant ports to “closed,” set them to “stealth” so that no response is given to unsolicited external communications that may come from attackers probing your computer network.
According to Michael Horowitz, “[E]very single router has an option not to respond to PING commands. It’s absolutely something you want to turn on — a great security feature. It helps you hide. Of course, you’re not going to hide from your ISP, but you’re going to hide from some guy in Russia or China.”
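The difference between “open,” “closed” and “stealth” in steps 9, 11 and 14 can be checked against your own router with a short script. This is an added example, not part of the original article: the function names, the port list (standard TCP ports for FTP, SSH, Telnet, HTTP and HTTPS) and the allow-list of HTTPS only are assumptions, and the result reflects the side of the router (LAN or internet) you run it from.

```python
import socket
import sys

# Standard TCP ports for services named in steps 9, 11 and 14 (assumed list).
SERVICES = {21: "FTP", 22: "SSH", 23: "Telnet", 80: "HTTP admin", 443: "HTTPS admin"}


def probe(host, port, timeout=2.0, connect=socket.create_connection):
    """Classify one TCP port as 'open', 'closed', 'stealth' or 'unreachable'."""
    try:
        conn = connect((host, port), timeout=timeout)
    except ConnectionRefusedError:
        return "closed"        # the router replied with a TCP reset
    except (socket.timeout, TimeoutError):
        return "stealth"       # no reply at all before the timeout
    except OSError:
        return "unreachable"   # e.g. no route to host; says nothing about the port
    conn.close()
    return "open"


def audit(host, services=SERVICES, **kwargs):
    """Return {port: (service name, state)} for every listed service."""
    return {port: (name, probe(host, port, **kwargs))
            for port, name in services.items()}


def findings(report, allowed=(443,)):
    """Names of services that accept connections but are not on the allow-list."""
    return sorted(name for port, (name, state) in report.items()
                  if state == "open" and port not in allowed)


if __name__ == "__main__":
    if len(sys.argv) != 2:
        sys.exit("usage: router_audit.py <address of your own router>")
    report = audit(sys.argv[1])
    for port, (name, state) in sorted(report.items()):
        print(f"{port:>5}  {name:<12} {state}")
    for name in findings(report):
        print(f"Disable or restrict: {name}")
```
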
15. Change the Domain Name System (DNS) server
Change the router’s Domain Name System (DNS) server from the ISP’s own server to one maintained by:
- OpenDNS: 220.127.116.11, 18.104.22.168,
- Google Public DNS: 22.214.171.124, 126.96.36.199, or
- Cloudflare: 188.8.131.52, 184.108.40.206.
If you have adopted Internet Protocol version 6 (IPv6), you can use the corresponding addresses:
- OpenDNS: 2620:0:ccc::2 and 2620:0:ccd::2,
- Google Public DNS: 2001:4860:4860::8888 and 2001:4860:4860::8844, or
- Cloudflare: 2606:4700:4700::1111 and 2606:4700:4700::1001.
16. When possible, use a virtual private network (VPN) router to supplement or replace your existing router and encrypt all your network traffic.
17. Do not use cloud-based router management if your router’s manufacturer offers it. Instead, figure out if you can turn that feature off.
Some security experts consider cloud-based router management a really bad idea, mainly because it means that you are trusting another person between you and your router.
Admittedly, many so-called “mesh router” systems, such as Google Wifi and Eero, are entirely cloud-dependent and can interface with the user only through cloud-based smartphone apps. While those models offer security improvements in other areas, such as with automatic firmware updates, it might be worth looking for a mesh-style router that permits local administrative access, such as the Netgear Orbi.
Finally, if you are a do-it-yourself business owner who moonlights as your own IT admin, use Gibson Research Corp.’s Shields Up port-scanning service. It will test your router for hundreds of common vulnerabilities, most of which can be mitigated by the router’s administrator.
A Better Approach:
Do not rely on router security
We are a leading provider of network security and IT services in our region. We protect small and medium-size offices from the most dangerous online threats every day.
Call us for a free security checkup: (512) 814-8044.