Your home network is probably running on default settings. The router’s admin password is “admin” or printed on a sticker that also shows the WiFi password. UPnP is enabled, letting any device on your network open ports to the internet. Your IoT devices — smart bulbs, robot vacuums, security cameras — sit on the same network as your laptop with your banking sessions and tax documents.
None of this means you’re about to be hacked. Most home networks are fine because they’re not interesting targets. But “probably fine” isn’t the same as “secure,” and the fixes are neither difficult nor time-consuming. You can meaningfully improve your home network security in an afternoon without buying specialized equipment or becoming a network engineer.
Key Takeaways
- Change your router’s default admin password and update the firmware — this alone blocks the most common attack vectors against home networks
- Use DNS-based filtering (Pi-hole, NextDNS, or Quad9) to block malicious domains and tracking across every device
- Isolate IoT devices on a separate network — your smart light bulbs don’t need access to your laptop’s file shares
- Disable UPnP on your router — it’s a convenience feature that creates genuine security holes
- A guest network isn’t just for guests — it’s a simple way to segment untrusted devices without VLAN configuration
Start With the Router
Your router is the gateway between your home network and the internet. Every device connects through it. If it’s compromised, everything behind it is exposed.
Change the Admin Password
Most routers ship with a default admin password — “admin/admin,” “admin/password,” or a generic password printed on the device. Anyone on your WiFi can open the admin panel at 192.168.1.1 (or 192.168.0.1 on some models) and change any setting: DNS, firewall rules, port forwarding, even the WiFi password itself.
Change it to something strong and unique. Store it in your password manager. This takes 30 seconds and is the single most important thing you can do.
Update the Firmware
Router manufacturers release firmware updates to patch security vulnerabilities. Many routers don’t auto-update, so vulnerabilities discovered years ago remain unpatched on millions of devices. Log into your router’s admin panel, find the firmware update section, and check for updates.
If your router hasn’t received a firmware update in over two years, the manufacturer has probably abandoned it. This is a legitimate reason to replace it — an unsupported router with known vulnerabilities is a liability. Mid-range routers from ASUS, TP-Link, and Netgear typically receive firmware updates for 3-5 years.
For enthusiasts, replacing your router’s firmware with OpenWrt gives you full control over security features, firewall rules, and updates. OpenWrt is a Linux-based router firmware supported on hundreds of router models. It’s not for beginners, but it transforms a consumer router into enterprise-capable networking equipment.
Disable UPnP
Universal Plug and Play (UPnP) allows devices on your network to automatically open ports on your router — making themselves accessible from the internet without your knowledge or approval. Game consoles use it for online play. Smart home devices use it for remote access. Malware also uses it to open backdoors.
UPnP has been exploited in numerous real-world attacks. The “CallStranger” vulnerability (2020) affected billions of devices. Botnets like Mirai specifically targeted UPnP-enabled routers. Disabling it in your router settings means some applications will need manual port forwarding (which is more secure because it’s explicit and intentional). Most modern online gaming works fine without UPnP through NAT traversal techniques.
Find UPnP in your router’s settings (usually under “Advanced” or “NAT”) and turn it off.
Disable WPS
WiFi Protected Setup (WPS) — the feature where you press a button on the router to connect a device without entering the password — has a well-known design flaw. The WPS PIN (an 8-digit number) can be brute-forced in hours, bypassing your WiFi password entirely. Some routers have patched this; many haven’t. Just disable it.
Disable Remote Management
If your router has an option for remote management (accessing the admin panel from the internet), disable it unless you specifically need it and have secured it with strong credentials. An internet-facing admin panel is a direct attack surface.
DNS-Based Security
Your DNS server resolves domain names (google.com) to IP addresses (142.250.80.46). By default, your devices use whatever DNS your ISP provides — which offers zero security filtering and may be slow.
Switching to a security-focused DNS provider blocks known malicious domains (phishing sites, malware distribution, command-and-control servers) before your browser ever connects to them. This protects every device on your network, including IoT devices that can’t run their own security software.
Quad9 (9.9.9.9) blocks malicious domains using threat intelligence feeds from 25+ cybersecurity organizations. It’s nonprofit, free, and has a strong privacy policy (no logging of client IP addresses). Change your router’s DNS settings to 9.9.9.9 (primary) and 149.112.112.112 (secondary). Done — every device on your network now has basic malware domain blocking.
NextDNS ($20/year or free for under 300,000 queries/month) provides customizable DNS filtering with a web dashboard. You can block ad domains, tracking domains, malware domains, and specific categories (gambling, adult content — useful if you have kids). It also provides per-device analytics so you can see exactly what each device on your network is requesting.
Pi-hole is a self-hosted DNS sinkhole that runs on a Raspberry Pi or any Linux machine. It blocks ads and tracking at the DNS level for your entire network, and you have full control over the blocklists. It requires more setup than Quad9 or NextDNS but gives you the most control and keeps all DNS data local.
To use encrypted DNS (preventing your ISP from seeing your DNS queries), configure DNS-over-HTTPS (DoH) or DNS-over-TLS (DoT) on your router if supported. Many modern routers support DoT. If yours doesn’t, running Pi-hole with upstream DoH (using cloudflared as a proxy) achieves the same result. Your browser can also use DoH independently — Firefox enables it by default.
Network Segmentation: Why and How
Network segmentation means dividing your network into separate zones that can’t communicate with each other (or have limited communication). The reason: if your smart light bulb gets compromised, the attacker shouldn’t be able to access your laptop.
This isn’t paranoia. IoT devices have atrocious security track records. Cheap cameras with hardcoded passwords, smart plugs running firmware from 2019, robot vacuums sending data to servers in jurisdictions with no privacy laws — these are real devices on real home networks. They don’t need access to your file shares, your NAS, or your computers. They need internet access and nothing else.
The Easy Way: Guest Network
Most routers have a guest network feature. Devices on the guest network can access the internet but can’t see or communicate with devices on the main network. Put all your IoT devices on the guest network. This takes five minutes and provides meaningful isolation.
Set a different strong password for the guest network. Don’t hand this password to actual guests: if your router supports multiple guest networks, create a separate “visitors” network for them; if it doesn’t, share the IoT network password temporarily and change it after they leave.
The Better Way: VLANs
VLANs (Virtual Local Area Networks) are proper network segments with granular control over inter-VLAN traffic. A typical home VLAN setup:
- VLAN 1: Management — router and network equipment only
- VLAN 10: Trusted — your computers, phones, tablets
- VLAN 20: IoT — smart home devices, security cameras
- VLAN 30: Guest — visitors’ devices
Firewall rules control what each VLAN can access. IoT VLAN gets internet access but no access to Trusted VLAN. Guest VLAN gets internet access only. Trusted VLAN can access everything.
VLANs require a router that supports them — most consumer routers don’t. OpenWrt-based routers, Ubiquiti UniFi equipment, pfSense/OPNsense firewalls, and some prosumer routers (ASUS with Merlin firmware) support VLANs. If you’re running a self-hosted home server, a managed switch ($30-60) and a VLAN-capable router are worthwhile investments.
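The forwarding policy in this section and the stateful inspection mentioned later under firewall configuration are two halves of one idea: each zone may only initiate the connections the policy lists, and the return traffic is allowed because the connection was tracked, not because IoT or guest devices are allowed to reach the trusted zone. The block below is an added example, not OpenWrt, UniFi or pfSense code: it models the article’s four zones plus WAN as a policy table, simulates the tracked-connection behaviour so you can see why a reply passes while a fresh connection in the same direction is dropped, and renders the same policy as an nftables forward chain. The interface names (br-mgmt, br-trusted, br-iot, br-guest, wan) are assumed; NAT for the WAN side lives in a separate chain and is left out.

```python
"""Inter-VLAN forwarding policy as data, with a stateful check and an
nftables rendering.

Added example; not OpenWrt, UniFi or pfSense code. Zone names follow the
article's layout; the interface names are assumed and would be whatever
bridges carry each VLAN on a real router. WAN masquerading is omitted.
"""

# Assumed interface per zone.
ZONE_IFACE = {
    "mgmt": "br-mgmt",
    "trusted": "br-trusted",
    "iot": "br-iot",
    "guest": "br-guest",
    "wan": "wan",
}

# Which zone may INITIATE connections to which. Anything not listed is
# dropped, so the internet (wan) can initiate nothing, and IoT and guest
# devices reach only the internet. Replies come back through connection
# tracking, which is the stateful packet inspection the article describes.
ALLOWED_INITIATIONS = {
    "trusted": {"wan", "iot", "guest", "mgmt"},
    "iot": {"wan"},
    "guest": {"wan"},
    "mgmt": {"wan"},
    "wan": set(),
}


class Forwarder:
    """A toy stateful forwarder: remembers connections it accepted so the
    reply direction is accepted too, like `ct state established` in nftables."""

    def __init__(self, policy=ALLOWED_INITIATIONS):
        self.policy = policy
        self.conntrack: set[tuple[str, str, str]] = set()

    def forward(self, src_zone: str, dst_zone: str, conn_id: str) -> bool:
        """Return True if a packet of connection `conn_id` may cross from
        src_zone to dst_zone. `conn_id` stands in for the real 5-tuple."""
        if src_zone not in self.policy or dst_zone not in self.policy:
            raise ValueError(f"unknown zone: {src_zone!r} or {dst_zone!r}")
        if (dst_zone, src_zone, conn_id) in self.conntrack:
            return True  # reply to a connection we already allowed
        if dst_zone in self.policy[src_zone]:
            self.conntrack.add((src_zone, dst_zone, conn_id))
            return True  # new connection permitted by policy
        return False  # default deny


def render_nftables(policy=ALLOWED_INITIATIONS, ifaces=ZONE_IFACE) -> str:
    """Render the same policy as an nftables forward chain with a drop default."""
    lines = [
        "table inet vlan_policy {",
        "  chain forward {",
        "    type filter hook forward priority 0; policy drop;",
        "    ct state established,related accept",
        "    ct state invalid drop",
    ]
    for src, dsts in policy.items():
        for dst in sorted(dsts):
            lines.append(f'    iifname "{ifaces[src]}" oifname "{ifaces[dst]}" accept')
    lines += ["  }", "}"]
    return "\n".join(lines)


if __name__ == "__main__":
    fw = Forwarder()
    print("trusted -> iot (new)   :", fw.forward("trusted", "iot", "ssh-1"))
    print("iot -> trusted (reply) :", fw.forward("iot", "trusted", "ssh-1"))
    print("iot -> trusted (new)   :", fw.forward("iot", "trusted", "scan-1"))
    print(render_nftables())
```

The rendered chain has exactly one accept line per allowed initiation and nothing else, which is the property to check whenever you add a rule on a real router: if a line ever appears with the IoT bridge as iifname and the trusted bridge as oifname, the segmentation is gone.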
Securing WiFi Properly
Use WPA3 (or WPA2 at Minimum)
WPA3-Personal is the current WiFi security standard. It uses SAE (Simultaneous Authentication of Equals) instead of the older PSK (Pre-Shared Key) handshake, making offline dictionary attacks against captured handshakes much harder. If all your devices support WPA3, use it.
If some devices only support WPA2, use WPA2/WPA3 transitional mode. Never use WPA (the original — not WPA2), and absolutely never use WEP, which can be cracked in under a minute.
Pick a Strong WiFi Password
Your WiFi password should be long (at least 16 characters) and random. It doesn’t need to be memorable — you enter it once per device, and your password manager can store it. A weak WiFi password on WPA2 can be cracked through dictionary attacks on captured handshakes. A 20-character random password is effectively uncrackable.
Hidden SSIDs Don’t Help
Hiding your network name (disabling SSID broadcast) is a common recommendation that provides zero actual security. Hidden networks are trivially discoverable with free tools (every WiFi scanning app can see them). Worse, devices configured to join a hidden network must actively send probe requests naming that network wherever they go, which leaks more information than a visible SSID ever would.
MAC Filtering Is Theater
Allowing only specific MAC addresses to connect sounds secure but isn’t. MAC addresses are sent in plain text and can be spoofed in seconds. An attacker can observe any connected device’s MAC address and clone it. MAC filtering adds inconvenience for you without adding security against anyone with basic knowledge.
Monitoring Your Network
You can’t secure what you can’t see. Basic monitoring tells you what’s on your network and what it’s doing.
Router device list: Your router shows connected devices. Check it periodically. If you see devices you don’t recognize, investigate. It might be a neighbor piggybacking on your WiFi or a forgotten IoT device — either way, you should know.
Pi-hole or NextDNS query logs show every DNS request made by every device. This is the most revealing monitoring you can do without specialized equipment. You’ll discover that your smart TV makes DNS requests to tracking and advertising domains every few seconds. Your “smart” appliances phone home to servers you’ve never heard of. The query log lets you block specific domains per device and understand what your network is actually doing.
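To show what “the most revealing monitoring you can do” looks like in practice, here is an added example that is not Pi-hole’s own tooling: it parses a handful of constructed lines in the format dnsmasq (the resolver inside Pi-hole) writes to its query log, builds the per-device “top domains” view a dashboard would show, and flags the “every few seconds” pattern by looking at the median gap between repeated queries for the same name from the same client. Client addresses and domain names are invented, and because the log format carries no year, LOG_YEAR is an assumption.

```python
"""Per-device summary of a dnsmasq-style query log, the log Pi-hole keeps.

Added example, not Pi-hole's own tooling. The lines below are constructed
in the format dnsmasq writes to /var/log/pihole.log; addresses and names
are invented. dnsmasq omits the year, so LOG_YEAR is assumed.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime

LOG_YEAR = 2024  # assumed; the log format carries no year

QUERY_LINE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) dnsmasq\[\d+\]: "
    r"query\[(?P<qtype>[A-Z0-9]+)\] (?P<name>\S+) from (?P<client>\S+)$"
)

SAMPLE_LOG = """\
Jan 14 10:15:02 dnsmasq[1234]: query[A] telemetry.smart-tv.test from 192.168.20.14
Jan 14 10:15:02 dnsmasq[1234]: forwarded telemetry.smart-tv.test to 9.9.9.9
Jan 14 10:15:02 dnsmasq[1234]: reply telemetry.smart-tv.test is 203.0.113.7
Jan 14 10:15:05 dnsmasq[1234]: query[A] telemetry.smart-tv.test from 192.168.20.14
Jan 14 10:15:08 dnsmasq[1234]: query[A] telemetry.smart-tv.test from 192.168.20.14
Jan 14 10:15:09 dnsmasq[1234]: query[AAAA] ads.example-tracker.test from 192.168.20.14
Jan 14 10:15:11 dnsmasq[1234]: query[A] telemetry.smart-tv.test from 192.168.20.14
Jan 14 10:15:30 dnsmasq[1234]: query[A] mail.example.test from 192.168.10.5
Jan 14 10:16:02 dnsmasq[1234]: query[A] docs.example.test from 192.168.10.5
Jan 14 10:16:40 dnsmasq[1234]: query[A] update.vacuum-vendor.test from 192.168.20.31
"""


def parse_queries(text):
    """Yield (timestamp, client, name) for query lines; forwarded/reply lines are skipped."""
    for line in text.splitlines():
        m = QUERY_LINE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S").replace(year=LOG_YEAR)
        yield ts, m["client"], m["name"].lower().rstrip(".")


def per_client_summary(text, top=3):
    """Map each client to its most-queried names, as a per-device dashboard would."""
    counts = defaultdict(Counter)
    for _ts, client, name in parse_queries(text):
        counts[client][name] += 1
    return {client: c.most_common(top) for client, c in counts.items()}


def beaconing(text, min_queries=3, max_median_gap_s=10.0):
    """Find (client, name) pairs queried at least min_queries times with a median
    gap of at most max_median_gap_s seconds: the 'every few seconds' phone-home
    pattern. Returns sorted (client, name, median_gap_seconds) tuples."""
    stamps = defaultdict(list)
    for ts, client, name in parse_queries(text):
        stamps[(client, name)].append(ts)
    found = []
    for (client, name), times in stamps.items():
        if len(times) < min_queries:
            continue
        times.sort()
        gaps = sorted((b - a).total_seconds() for a, b in zip(times, times[1:]))
        median = gaps[len(gaps) // 2]
        if median <= max_median_gap_s:
            found.append((client, name, median))
    return sorted(found)


if __name__ == "__main__":
    for client, names in per_client_summary(SAMPLE_LOG).items():
        print(client, names)
    for client, name, gap in beaconing(SAMPLE_LOG):
        print(f"{client} queries {name} roughly every {gap:.0f}s")
```

The median rather than the mean is deliberate: a device that beacons every three seconds but was powered off overnight produces one enormous gap that would hide the pattern from an average.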
Network scanning with tools like Nmap (command-line) or Fing (mobile app) shows every device, its IP address, open ports, and manufacturer. Run a scan periodically and compare — new devices should be things you intentionally connected.
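“Run a scan periodically and compare” is easy to say and easy to get wrong, because IP addresses move with DHCP leases while the hardware address stays put. The block below is an added example, not part of nmap or Fing: it compares two snapshots by MAC address, reports devices that appeared, vanished or changed address, and flags a new device whose MAC is locally administered, which is the randomised per-network address modern phones use and a common reason a “new” device is really a known one. The snapshots are constructed in the format `ip neigh show` prints on Linux (a saved nmap scan or the router’s lease table would need only a different regular expression), and the labels are assumed to have been written down when each device was first connected.

```python
"""Diff two snapshots of the LAN neighbour table to spot devices that appeared
or disappeared since a known-good baseline.

Added example, not from nmap or Fing. The snapshots are constructed in the
format `ip neigh show` prints on Linux. The baseline labels are assumed to
have been recorded by hand when each device was first connected.
"""
import re

# "<ip> dev <iface> lladdr <mac> <state>"; FAILED/INCOMPLETE entries carry no
# lladdr and therefore never match, which is what we want.
NEIGH_LINE = re.compile(
    r"^(?P<ip>\S+) dev (?P<dev>\S+) lladdr (?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2}) (?P<state>\S+)$"
)

# Constructed baseline snapshot and the labels recorded for it.
BASELINE_SNAPSHOT = """\
192.168.1.1 dev eth0 lladdr 00:11:22:33:44:01 REACHABLE
192.168.1.10 dev eth0 lladdr 00:11:22:33:44:10 STALE
192.168.1.20 dev eth0 lladdr 00:11:22:33:44:20 REACHABLE
"""
KNOWN_DEVICES = {
    "00:11:22:33:44:01": "router",
    "00:11:22:33:44:10": "laptop",
    "00:11:22:33:44:20": "smart-tv",
}

# Constructed later snapshot: one device missing, two new, one lease moved.
CURRENT_SNAPSHOT = """\
192.168.1.1 dev eth0 lladdr 00:11:22:33:44:01 REACHABLE
192.168.1.11 dev eth0 lladdr 00:11:22:33:44:10 REACHABLE
192.168.1.45 dev eth0 lladdr 02:ab:cd:ef:01:23 REACHABLE
192.168.1.50 dev eth0 lladdr 00:11:22:33:44:50 STALE
192.168.1.60 dev eth0 FAILED
"""


def parse_neighbours(text: str) -> dict[str, str]:
    """Return {mac: ip} for every entry with a resolved link-layer address."""
    table = {}
    for line in text.splitlines():
        m = NEIGH_LINE.match(line.strip())
        if m:
            table[m["mac"].lower()] = m["ip"]
    return table


def is_locally_administered(mac: str) -> bool:
    """True when bit 1 of the first octet is set: a randomised (privacy) MAC such
    as phones generate per network, rather than a manufacturer-assigned one."""
    return int(mac.split(":")[0], 16) & 0x02 != 0


def diff_inventory(baseline_text: str, current_text: str, known: dict[str, str]) -> dict:
    """Compare snapshots by MAC (IPs change with DHCP) and classify each change."""
    base = parse_neighbours(baseline_text)
    cur = parse_neighbours(current_text)
    report = {"new": [], "missing": [], "moved": []}
    for mac, ip in cur.items():
        if mac not in base:
            report["new"].append({
                "mac": mac, "ip": ip,
                "label": known.get(mac, "UNKNOWN"),
                "randomised_mac": is_locally_administered(mac),
            })
        elif base[mac] != ip:
            report["moved"].append({"mac": mac, "label": known.get(mac, "UNKNOWN"),
                                    "from": base[mac], "to": ip})
    for mac, ip in base.items():
        if mac not in cur:
            report["missing"].append({"mac": mac, "last_ip": ip,
                                      "label": known.get(mac, "UNKNOWN")})
    return report


if __name__ == "__main__":
    report = diff_inventory(BASELINE_SNAPSHOT, CURRENT_SNAPSHOT, KNOWN_DEVICES)
    for kind, entries in report.items():
        for entry in entries:
            print(kind, entry)
```

A “new” entry with randomised_mac set and an unknown label is usually a phone you already own that rotated its address; a new entry with a manufacturer-assigned MAC that you cannot label is the one to investigate.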
For deeper monitoring, ntopng or Wireshark can analyze actual traffic, but this is beyond what most home users need. The DNS log from Pi-hole or NextDNS covers 90% of what you’d want to know.
Firewall Configuration
Your router has a built-in firewall. On most consumer routers, it’s configured by default to block all incoming connections and allow all outgoing connections. This is a reasonable default — it prevents internet-side attackers from reaching your devices while allowing your devices to access the internet.
More advanced configurations:
Disable ICMP (ping) responses from WAN. Some routers respond to pings from the internet, confirming your IP is active. Disabling this doesn’t provide major security but reduces visibility.
Review port forwarding rules. Every forwarded port is a hole in your firewall. If you set up port forwarding for a game server three years ago and forgot about it, that port is still open. Remove any port forwarding rules you don’t actively need. Use a VPN (WireGuard via PiVPN or Tailscale) to access home services remotely instead of exposing them directly to the internet.
SPI (Stateful Packet Inspection) should be enabled — it’s on by default on most routers. SPI tracks connection states and blocks packets that don’t belong to established connections, which prevents various spoofing attacks.
If you want a proper hardware firewall, pfSense or OPNsense running on a small PC ($100-200 for hardware) gives you enterprise-grade firewall capabilities: intrusion detection/prevention (Suricata/Snort), detailed traffic logging, VPN server, and granular firewall rules. This is overkill for most households but valuable if you’re running internet-facing services or have a complex network.
Physical Security (The Overlooked Layer)
All the network security in the world is useless if someone can physically access your equipment.
Your router should not be in a publicly accessible area if you live in a shared building. The reset button on most routers restores factory defaults (including the default admin password) — anyone with 10 seconds of physical access can take over your network.
If you have a home server, NAS, or other equipment containing personal data, it should be in a location that’s not easily accessible to visitors, service workers, or roommates you don’t fully trust. A closet with a lock is fine. The goal isn’t Fort Knox — it’s preventing casual physical access by untrusted individuals.
USB ports on your router can be a vector if someone plugs in a malicious device. If your router has USB ports you’re not using, there’s no standard way to disable them, but being aware of the risk is the first step.
A Practical Security Checklist
Here’s a realistic order of operations. Each step provides meaningful security improvement, and you can stop at whatever level suits your comfort:
1. Change router admin password (2 minutes)
2. Update router firmware (5 minutes)
3. Disable UPnP, WPS, and remote management (5 minutes)
4. Set DNS to Quad9 (9.9.9.9) on the router (2 minutes)
5. Ensure WPA3 or WPA2-AES encryption with a strong password (5 minutes)
6. Put IoT devices on a guest network (15 minutes)
7. Review and remove unnecessary port forwarding rules (10 minutes)
8. Set up Pi-hole or NextDNS for network-wide ad/malware blocking (30-60 minutes)
9. Set up VLANs if your router supports them (1-2 hours)
10. Set up monitoring with Pi-hole logs or Fing (30 minutes)
Steps 1-5 are the baseline that everyone should do. Steps 6-7 are strongly recommended. Steps 8-10 are for people who enjoy tinkering or have specific security needs.
Frequently Asked Questions
Can someone hack my home network from the internet?
If your router is properly configured (default deny incoming, UPnP disabled, firmware updated), direct attacks from the internet are very difficult. Most home network compromises happen through other vectors: malware on a device inside the network, phishing attacks that trick a user into installing something, or exploitation of exposed services with weak credentials. The router’s NAT and firewall are actually quite effective at blocking unsolicited incoming connections.
Is my ISP-provided router secure?
Usually acceptable but not ideal. ISP routers typically receive firmware updates (though sometimes slowly), have reasonable default security settings, and are maintained by the ISP’s engineering team. The downsides: limited configuration options, sometimes no VLAN support, and some ISPs have been caught injecting tracking into customer traffic or leaving management backdoors enabled. If you have specific security needs, buying your own router gives you full control.
Do I really need to worry about IoT device security?
Yes, but proportionally. The risk isn’t that a hacker will control your smart light bulb for evil purposes. The risk is that a compromised IoT device becomes a foothold on your network — the attacker uses it to scan for more valuable targets (your NAS, your computer, your connected storage). IoT devices are the weakest link on most home networks because their manufacturers prioritize cost and features over security. Isolating them on a separate network (guest or VLAN) eliminates this lateral movement risk with minimal effort.
Should I use a VPN on my router for all traffic?
Running all traffic through a commercial VPN at the router level provides some privacy benefits (your ISP can’t see which sites you visit) but introduces significant downsides: slower speeds (VPN adds latency and overhead), streaming services may block VPN traffic, local services like printing may break, and you’re shifting trust from your ISP to the VPN provider. For most people, it’s better to run VPN selectively — on specific devices when on untrusted networks — rather than routing everything through a VPN 24/7.
How often should I update my router firmware?
Check quarterly at minimum. Some routers support automatic updates — enable this if available. Critical security patches (rated CVSS 9.0+) sometimes require urgent updates between regular checks. Subscribe to your router manufacturer’s security advisories or check their support page when you see major router vulnerability news. A router with an unpatched critical vulnerability is the single biggest security risk on most home networks.