Official template

WiFi security home network

by @Admin
Security & Emergency Preparedness

How do I secure my home WiFi network from intruders?

Project Plan

12 tasks
1.

Why: Default logins like 'admin/admin' are publicly documented and are the first thing an intruder will try to gain full control of your network.

How:

  • Access your router via its IP address (usually 192.168.1.1 or 192.168.0.1) in a web browser.
  • Navigate to 'System Tools' or 'Administration'.
  • Set a unique username and a strong password (16+ characters) and store it in a password manager.

Done when: The router requires the new, unique credentials to access the settings page.

2.

Why: Manufacturers release patches for critical vulnerabilities (like the 2025 CVE-2025-7850 command injection flaws) that could allow hackers to bypass security.

How:

  • Look for 'Firmware Update' or 'Check for Updates' in the router settings.
  • Download and install any available updates.
  • Enable 'Auto-Update' if your router supports it so that fixes for newly disclosed vulnerabilities are installed promptly.

Done when: The router status displays 'Your firmware is up to date'.

3.

Why: WPS allows devices to connect via a simple 8-digit PIN, which is highly vulnerable to brute-force attacks that can reveal your main Wi-Fi password in hours.

How:

  • Find the 'Wireless' or 'WPS' section in your router settings.
  • Toggle the 'Enable WPS' switch to 'Off'.
  • If your router has a physical WPS button, make sure the software setting also disables the button.

Done when: The WPS status is set to 'Disabled' or 'Off' in the router dashboard.

4.

Why: Older standards like WEP or WPA are easily cracked; WPA3 (the 2025 standard) provides individualized data encryption for each device.

How:

  • Go to 'Wireless Security' settings.
  • Select 'WPA3-SAE' if available; otherwise, choose 'WPA2-PSK (AES)'.
  • Avoid 'TKIP' or 'WPA/WPA2 Mixed Mode' as they weaken security for compatibility.

Done when: Wireless security mode is set to WPA3 or WPA2-AES.

5.

Why: A complex passphrase prevents 'dictionary attacks' where hackers use automated lists of common words to guess your password.

How:

  • Create a passphrase of at least 16-20 characters.
  • Use a mix of unrelated words, numbers, and symbols (e.g., 'Blue-Elephant-49-Running-Fast!').
  • Update all your connected devices with this new password immediately.

Done when: All devices are reconnected using the new, long passphrase.
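
An added example, not part of the original template: it generates passphrases in the style of the one shown above with Python's `secrets` module and estimates their entropy, which shows that the size of the word list matters more than the pattern. The word list, symbol set and function names are assumptions made for this illustration.

```python
import math
import secrets

SYMBOLS = "!#$%&*+=?@"  # trailing symbol is drawn from these 10 characters

# Constructed 16-word demo list; far too small for real use (see entropy_bits).
DEMO_WORDS = ["blue", "elephant", "running", "fast", "copper", "window",
              "lantern", "gravel", "orbit", "velvet", "thunder", "maple",
              "signal", "harbor", "pepper", "anchor"]


def make_passphrase(words, n_words=4, sep="-"):
    """Build Word-Word-NN-Word-Word! style passphrases with a CSPRNG."""
    parts = [secrets.choice(words).capitalize() for _ in range(n_words)]
    parts.insert(secrets.randbelow(n_words + 1), f"{secrets.randbelow(100):02d}")
    phrase = sep.join(parts) + secrets.choice(SYMBOLS)
    if not 16 <= len(phrase) <= 63:  # page minimum; WPA2-PSK allows 8 to 63
        raise ValueError("passphrase length outside 16..63 characters")
    return phrase


def entropy_bits(wordlist_size, n_words=4):
    """Entropy of make_passphrase output if the attacker knows the scheme."""
    return (n_words * math.log2(wordlist_size)  # each word is an independent pick
            + math.log2(100)                    # two-digit number 00..99
            + math.log2(n_words + 1)            # slot where the number is inserted
            + math.log2(len(SYMBOLS)))          # trailing symbol


if __name__ == "__main__":
    print(make_passphrase(DEMO_WORDS))
    for size in (len(DEMO_WORDS), 2048, 7776):
        print(f"{size:>5}-word list: {entropy_bits(size):.1f} bits")
```

With the 16-word demo list the scheme yields only about 28 bits; a 7776-word list raises the same four-word pattern to about 64 bits.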

6.

Why: UPnP (Universal Plug and Play) allows apps to open ports automatically, creating holes in your firewall, while Remote Management lets anyone on the internet attempt to log into your router.

How:

  • Locate 'UPnP' under 'Advanced' or 'Forwarding' and turn it off.
  • Locate 'Remote Management' or 'WAN Access' under 'Security' and ensure it is disabled.

Done when: Both UPnP and Remote Management are toggled to 'Off'.

7.

Why: Default or personalized SSIDs (like 'Netgear_5G' or 'Smith_Family_WiFi') reveal your hardware type or identity, helping hackers target specific vulnerabilities or your physical location.

How:

  • Change the 'Network Name (SSID)' to something anonymous and generic like 'Signal_Alpha' or 'Guest_Area_7'.
  • Do not include your name, address, or router model in the name.

Done when: The Wi-Fi name visible to neighbors is generic and non-identifiable.

8.

Why: Smart home devices (cameras, bulbs, plugs) often have weak security; if one is hacked, a guest network prevents the attacker from reaching your main computer or phone.

How:

  • Enable the 'Guest Network' feature in your router settings.
  • Give it a separate password and ensure 'Allow guests to see each other' or 'Local Access' is disabled.
  • Move all smart home (IoT) devices to this network.

Done when: All IoT devices are connected to the isolated Guest Network.

9.

Why: A firewall acts as a gatekeeper, inspecting incoming and outgoing traffic to block known malicious patterns.

How:

  • Find the 'Firewall' or 'Security' tab.
  • Ensure 'SPI Firewall' or 'IPv4/IPv6 Firewall' is enabled.
  • Set the protection level to 'Medium' or 'Typical' to balance security and connectivity.

Done when: The firewall status is 'Enabled' or 'Active'.

10.

Why: Regular scanning helps you identify 'ghost' devices or neighbors who might have gained access without your knowledge.

How:

  • Download a generic network discovery tool (e.g., Fing for mobile or Angry IP Scanner for desktop).
  • Run a full scan of your IP range.
  • Identify every MAC address and IP; if you don't recognize one, block it in your router settings.

Done when: A complete list of authorized devices is verified and documented.
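
An added example, not part of the original template: one way to compare the devices your computer currently sees against the documented list of authorized devices, which also serves the monthly review in the next task. It assumes a Linux host whose `ip neigh` output is pasted in; the sample table, the inventory and the function names are constructed for this illustration.

```python
import re

# Constructed sample of Linux `ip neigh` output (not captured from a real network).
SAMPLE_NEIGH = """\
192.168.1.1 dev wlan0 lladdr 3c:84:6a:10:20:30 REACHABLE
192.168.1.23 dev wlan0 lladdr B8:27:EB:AA:BB:CC STALE
192.168.1.42 dev wlan0 lladdr 9e:11:22:33:44:55 REACHABLE
192.168.1.57 dev wlan0 lladdr 00:1a:2b:3c:4d:5e DELAY
192.168.1.99 dev wlan0  FAILED
"""

# Hypothetical documented inventory: MAC (lower case) -> device label.
AUTHORIZED = {
    "3c:84:6a:10:20:30": "router",
    "b8:27:eb:aa:bb:cc": "office-printer",
}

ENTRY = re.compile(r"^(\S+) dev \S+ lladdr ((?:[0-9a-f]{2}:){5}[0-9a-f]{2})\b", re.I)


def is_randomized(mac):
    """True when the locally administered bit (0x02 of the first octet) is set,
    which is how phones and laptops mark per-network private addresses."""
    return bool(int(mac[:2], 16) & 0x02)


def audit(neigh_text, authorized):
    """Split neighbour-table entries into (known, unknown) device lists."""
    known, unknown = [], []
    for line in neigh_text.splitlines():
        m = ENTRY.match(line.strip())
        if not m:  # FAILED/INCOMPLETE rows have no MAC to compare
            continue
        ip, mac = m.group(1), m.group(2).lower()
        if mac in authorized:
            known.append((ip, mac, authorized[mac]))
        else:
            hint = ("randomized MAC: check your own phones and laptops first"
                    if is_randomized(mac) else "fixed MAC: unrecognized hardware")
            unknown.append((ip, mac, hint))
    return known, unknown


if __name__ == "__main__":
    known, unknown = audit(SAMPLE_NEIGH, AUTHORIZED)
    for ip, mac, label in known:
        print(f"OK       {ip:<15} {mac}  {label}")
    for ip, mac, hint in unknown:
        print(f"REVIEW   {ip:<15} {mac}  {hint}")
```

The neighbour table only lists devices this computer has recently exchanged traffic with, so read it right after the full scan; the router's own client list remains the authoritative source.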

11.

Why: Security is a process, not a one-time setup; regular checks ensure that settings haven't been reset and firmware is current.

How:

  • Set a recurring calendar event for the first of every month.
  • Check for firmware updates, review the connected device list, and verify that WPS/UPnP remain disabled.

Done when: A recurring reminder is set in your calendar.

12.

Why: If an intruder has physical access to the router, they can press the 'Reset' button to wipe all your security settings and gain entry.

How:

  • Place the router in a central location for signal, but keep it out of reach of visitors or public-facing windows.
  • If in a shared space, consider a ventilated lockbox or high shelf.

Done when: The router is located in a secure, non-publicly accessible area of the home.
