WiFi security home network
How do I secure my home WiFi network from intruders?
Project Plan
Why: Default logins like 'admin/admin' are publicly documented and are the first thing an intruder will try to gain full control of your network.
How:
- Access your router via its IP address (usually 192.168.1.1 or 192.168.0.1) in a web browser.
- Navigate to 'System Tools' or 'Administration'.
- Set a unique username and a strong password (16+ characters) and store it in a password manager.
Done when: The router requires the new, unique credentials to access the settings page.

Why: Manufacturers release patches for critical vulnerabilities (like the 2025 CVE-2025-7850 command injection flaws) that could allow hackers to bypass security.
How:
- Look for 'Firmware Update' or 'Check for Updates' in the router settings.
- Download and install any available updates.
- Enable 'Auto-Update' if your router supports it to stay protected against future zero-day exploits.
Done when: The router status displays 'Your firmware is up to date'.

Why: WPS allows devices to connect via a simple 8-digit PIN, which is highly vulnerable to brute-force attacks that can reveal your main Wi-Fi password in hours.
How:
- Find the 'Wireless' or 'WPS' section in your router settings.
- Toggle the 'Enable WPS' switch to 'Off'.
- If your router has a physical WPS button, ensure the software override is active.
Done when: The WPS status is set to 'Disabled' or 'Off' in the router dashboard.

Why: Older standards like WEP or WPA are easily cracked; WPA3 (the 2025 standard) provides individualized data encryption for each device.
How:
- Go to 'Wireless Security' settings.
- Select 'WPA3-SAE' if available; otherwise, choose 'WPA2-PSK (AES)'.
- Avoid 'TKIP' or 'WPA/WPA2 Mixed Mode' as they weaken security for compatibility.
Done when: Wireless security mode is set to WPA3 or WPA2-AES.

Why: A complex passphrase prevents 'dictionary attacks' where hackers use automated lists of common words to guess your password.
How:
- Create a passphrase of at least 16-20 characters.
- Use a mix of unrelated words, numbers, and symbols (e.g., 'Blue-Elephant-49-Running-Fast!').
- Update all your connected devices with this new password immediately.
Done when: All devices are reconnected using the new, long passphrase.
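
The passphrase recipe above, as an added example (not part of the original plan): it builds a passphrase in the same shape as 'Blue-Elephant-49-Running-Fast!' with a cryptographically secure random source and estimates how much guessing resistance the scheme gives. The word list, symbol set, and function names are constructed for illustration.

```python
import math
import secrets

# Constructed demo list; in practice load a large published list such as the
# EFF long wordlist (7776 words) so each word contributes about 12.9 bits.
DEMO_WORDS = ["blue", "elephant", "running", "fast", "copper", "window",
              "orbit", "maple", "signal", "harbor", "velvet", "thunder",
              "pencil", "glacier", "lantern", "saddle"]
SYMBOLS = "!#$%&*+?"   # 8 symbols -> exactly 3 bits

def generate_passphrase(words=DEMO_WORDS, n_words=4):
    """Build Word-Word-NN-Word-Word! using the OS CSPRNG for every choice."""
    if n_words < 4:
        raise ValueError("fewer than 4 words gives too little entropy")
    picks = [secrets.choice(words).capitalize() for _ in range(n_words)]
    number = f"{secrets.randbelow(100):02d}"
    parts = picks[:2] + [number] + picks[2:]
    return "-".join(parts) + secrets.choice(SYMBOLS)

def entropy_bits(list_size, n_words=4, n_symbols=len(SYMBOLS)):
    """Entropy of the scheme above, assuming the attacker knows the scheme."""
    return n_words * math.log2(list_size) + math.log2(100) + math.log2(n_symbols)

def words_needed(target_bits, list_size):
    """Smallest word count (minimum 4) whose total entropy reaches target_bits."""
    fixed = math.log2(100) + math.log2(len(SYMBOLS))
    return max(4, math.ceil((target_bits - fixed) / math.log2(list_size)))

if __name__ == "__main__":
    print(generate_passphrase())
    print(f"demo list (16 words): {entropy_bits(len(DEMO_WORDS)):.1f} bits")
    print(f"7776-word list:       {entropy_bits(7776):.1f} bits")
    print("words for 80 bits:", words_needed(80, 7776))
```

The strength comes from the random word choice and the size of the list, not from the character mix: the same four-word shape is far weaker when drawn from the 16-word demo list than from a 7776-word list.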

Why: UPnP (Universal Plug and Play) allows apps to open ports automatically, creating holes in your firewall, while Remote Management lets anyone on the internet attempt to log into your router.
How:
- Locate 'UPnP' under 'Advanced' or 'Forwarding' and turn it off.
- Locate 'Remote Management' or 'WAN Access' under 'Security' and ensure it is disabled.
Done when: Both UPnP and Remote Management are toggled to 'Off'.

Why: Default SSIDs (like 'Netgear_5G' or 'Smith_Family_WiFi') reveal your hardware type or identity, helping hackers target specific vulnerabilities or your physical location.
How:
- Change the 'Network Name (SSID)' to something anonymous and generic like 'Signal_Alpha' or 'Guest_Area_7'.
- Do not include your name, address, or router model in the name.
Done when: The Wi-Fi name visible to neighbors is generic and non-identifiable.

Why: Smart home devices (cameras, bulbs, plugs) often have weak security; if one is hacked, a guest network prevents the attacker from reaching your main computer or phone.
How:
- Enable the 'Guest Network' feature in your router settings.
- Give it a separate password and ensure 'Allow guests to see each other' or 'Local Access' is disabled.
- Move all smart home (IoT) devices to this network.
Done when: All IoT devices are connected to the isolated Guest Network.

Why: A firewall acts as a gatekeeper, inspecting incoming and outgoing traffic to block known malicious patterns.
How:
- Find the 'Firewall' or 'Security' tab.
- Ensure 'SPI Firewall' or 'IPv4/IPv6 Firewall' is enabled.
- Set the protection level to 'Medium' or 'Typical' to balance security and connectivity.
Done when: The firewall status is 'Enabled' or 'Active'.

Why: Regular scanning helps you identify 'ghost' devices or neighbors who might have gained access without your knowledge.
How:
- Download a generic network discovery tool (e.g., Fing for mobile or Angry IP Scanner for desktop).
- Run a full scan of your IP range.
- Identify every MAC address and IP; if you don't recognize one, block it in your router settings.
Done when: A complete list of authorized devices is verified and documented.
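
One way to turn the device check above into a repeatable comparison, as an added example (not part of the original plan): it reads the neighbour table that a Linux machine prints with `ip neigh` after a scan and compares it against your documented inventory. The allowlist, the sample output, and the function names are constructed for illustration.

```python
import re

# Constructed allowlist: MAC address -> device label (your documented inventory).
AUTHORIZED = {
    "a4:83:e7:12:34:56": "laptop",
    "dc:a6:32:ab:cd:ef": "raspberry-pi",
}

# Constructed sample of Linux `ip neigh` output; replace with a real capture.
SAMPLE_IP_NEIGH = """\
192.168.1.10 dev wlan0 lladdr A4:83:E7:12:34:56 REACHABLE
192.168.1.23 dev wlan0 lladdr dc:a6:32:ab:cd:ef STALE
192.168.1.42 dev wlan0 lladdr 3c:5a:b4:00:11:22 REACHABLE
192.168.1.57 dev wlan0 lladdr 62:1f:9b:aa:bb:cc DELAY
192.168.1.99 dev wlan0  FAILED
"""

LINE = re.compile(
    r"^(\S+) dev (\S+) lladdr ([0-9a-fA-F:]{17})(?: router)? (\S+)$")

def is_randomized(mac):
    """True if the locally-administered bit is set (typical of private MACs)."""
    return bool(int(mac[:2], 16) & 0x02)

def audit(neigh_output, authorized):
    """Return (known, unknown) entries for neighbours with a resolved MAC."""
    known, unknown = [], []
    for line in neigh_output.splitlines():
        m = LINE.match(line.strip())
        if not m:  # FAILED/INCOMPLETE entries carry no MAC address: skip them
            continue
        ip, _dev, mac, state = m.groups()
        mac = mac.lower()  # normalise case before comparing to the allowlist
        entry = {"ip": ip, "mac": mac, "state": state,
                 "randomized": is_randomized(mac)}
        if mac in authorized:
            known.append({**entry, "name": authorized[mac]})
        else:
            unknown.append(entry)
    return known, unknown

if __name__ == "__main__":
    _, unknown = audit(SAMPLE_IP_NEIGH, AUTHORIZED)
    for e in unknown:
        kind = "randomized MAC" if e["randomized"] else "fixed vendor MAC"
        print(f"UNKNOWN {e['ip']} {e['mac']} ({kind})")
```

An unknown address flagged as randomized may be one of your own phones or laptops using a private Wi-Fi address, so confirm on the device itself before blocking it.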

Why: Security is a process, not a one-time setup; regular checks ensure that settings haven't been reset and firmware is current.
How:
- Set a recurring calendar event for the first of every month.
- Check for firmware updates, review the connected device list, and verify that WPS/UPnP remain disabled.
Done when: A recurring reminder is set in your calendar.

Why: If an intruder has physical access to the router, they can press the 'Reset' button to wipe all your security settings and gain entry.
How:
- Place the router in a central location for signal, but keep it out of reach of visitors or public-facing windows.
- If in a shared space, consider a ventilated lockbox or high shelf.
Done when: The router is located in a secure, non-publicly accessible area of the home.