Home WiFi Router Security

Setting up a Wi-Fi network at home is easy, right? You plug in your shiny new router, find it on your laptop and phone, enter the password written on the back, and then write it on a scrappy piece of paper that's pinned to your fridge.

That’s a good start, but you are only just beginning. What you need to do now is to harden the security of your home WiFi. That might sound like a lot of work, but it isn’t. It will also protect you against a variety of threats that, sadly, are all too common.

This is because, unless you live on an island in the middle of the ocean, other people can probably see (and potentially connect to) your home network. That sounds pretty obvious, but strangely many people who are otherwise very tech-savvy leave their home network insecure. I guess we want to feel safe at home, and so we don’t like to think about the idea of our home WiFi network getting hacked.


The responsibility to secure the networks that you own is even more significant, of course, if you run a coffee shop, bar, or other small business that provides free WiFi. Ultimately, you are responsible for the safety of your customers, and they will likely get pretty annoyed if they are the victim of a hack while they are connected to your network. Even ignoring the potential legal problems caused by that happening, they are not going to leave you a good review!

Securing your home WiFi network requires two things. First, you should understand the types of threats that you are vulnerable to. Then you can take steps to limit your susceptibility to them.

What Are The Main Threats To Home WiFi?

Let's look at the threats first. There are several techniques that hackers can use to access your home network, steal your data, and generally make your life more difficult than it should be.

If you’re interested in learning in more detail about these threats, we have in-depth guides to all of them. For now, though, let’s briefly go through the most common vulnerabilities of home Wi-Fi networks.

  • Man In The Middle Attack - Many hacks start with some variant on a man in the middle attack. This is when an attacker inserts themselves between two parties who are trying to communicate securely with each other, such as your laptop and your router, and intercepts the data passing between them. Typically, this type of hack is merely a prelude to a more complex attack and will be focused on gaining access to systems and hardware that the attacker will then use to compromise further systems. If an attacker can use a man in the middle attack to steal the admin password for your home network router, for instance, they can then start snooping on your online activity.

    Man in the middle attacks come in lots of different types. There are, for example, man in the disk attacks, and (more recently) man in the phone attacks. These are essentially developments of the basic attack to take advantage of new hardware (like smartphones), and are just as dangerous as the basic attack, if not more so.

  • Evil Twin Attack - One type of man in the middle attack is an Evil Twin Attack. In this variant, an attacker will set up their device to look like a server that you are trying to communicate with. Though you (and your device) think you are on a trusted website, in reality, all the information you send is being read by an evil twin.

    Public Wi-Fi networks are particularly susceptible to this type of attack, though you should be aware that they can also be deployed against home networks.

  • Rogue Access Points - A man in the middle attack often makes use of Rogue Access Points. These are mostly ‘fake' Wi-Fi routers that broadcast a network that looks the same as your home WiFi network. Though it sounds simple, this type of attack succeeds in a depressingly high proportion of cases. This is because Wi-Fi security protocols are inherently flawed, and specifically because most devices know very little about the networks they are connected to.

    The hardware for a rogue access point can be a fake Wi-Fi router, the network card on an attacker's laptop, or a variety of more exotic devices. Perhaps the most dangerous is a Wi-Fi Pineapple, a router with a broad range and the ability to deploy sophisticated hacking scripts.

    Most of the time, an attacker will use a Rogue Access Point in a reasonably simple way. They will make their ‘fake' network look the same as a trusted network, and then kick users off the real network. Most users, frustrated that they have suddenly gone offline, will connect to the attacker's network, and open themselves up to attack.

  • DNS Spoofing - Once an attacker has access to the target network, they can deploy a variety of further attacks to steal data. A DNS Spoofing attack is perhaps the most common and is essentially a variant on a standard phishing scam.

    The Domain Name Server (DNS) system is a fundamental part of the way that the internet works, and allows your devices to find the websites you are looking for. If an attacker can gain administrative privileges to your home Wi-Fi router (or any router), they can re-direct devices to fake websites that look just like the real thing.

    If a user then enters their authentication details, an attacker will steal these. They are then able to gain access to a victim's social media accounts, or (worse) their email, or (even worse) their online banking accounts.

  • Session Hijacking - An attacker can also steal data using a Session Hijacking attack. When you log into a secure site, your device will exchange a small file with the server where the site is stored. This small file is called a ‘session cookie,' and allows the server to identify you as a user. This means it can store information about your ‘session', such as the items you've put in your online shopping cart, or (more worryingly) your payment details.

    By stealing this session cookie, a hacker can impersonate you on the sites you use and will have access to everything you can do online. This includes reading your emails but also buying goods and services.

  • Packet Sniffing - A more complex technique is to use a Packet Sniffing attack. A ‘packet sniffer’ is a piece of software that allows a user to intercept and potentially read all of the ‘packets’ of data that pass across a target network. If this data is unencrypted, then the users are in trouble, because a hacker can use this information to gain access to online accounts.

    They can also sell login details on the Dark Web, where there is a thriving market for personal information on unsuspecting users.

    Even if the network is encrypted (as your home WiFi network should be), Packet Sniffing is still dangerous. Hackers can use this technique to build up profiles on users, including which sites they visit and which online systems they have access to. This information can then be used to target phishing scams or man in the middle attacks.

All this might sound scary, but fear not. There are some easy ways to limit your vulnerability to all of these attacks. These include using secure protocols like HTTPS and always using a VPN to encrypt the information you share online.

We’ll come to those techniques shortly. First, though, let’s look at the basics of setting up a home Wi-Fi network.

Setting up a Secure Home WiFi Network

If you've just bought a new home WiFi router, you are probably eager to unbox it, plug it in, and get online. You should do that, but our advice is also to spend a few minutes making it more secure. Doing this will ultimately save you time, money, and hassle because it might be the difference between falling victim to a hack or not.

Here are the steps to setting up a secure home WiFi network:

  • First, though it might sound strange, put your router in a physically safe location. Ideally, no-one should be able to see your home network except you and your family. If your Wi-Fi signal is ‘leaking’ out onto the street outside, or (worse) the bar downstairs, this is a potential vulnerability. The best way to secure your network is, ultimately, to make it invisible to everyone else.

    This step is even more critical if you run a small business. Many attacks start by an attacker merely pressing the ‘reset' button on your router. If you run a coffee shop, put your router behind the counter where you can keep an eye on it!

  • Second, change your router password. If you've just got a new router, there's a 99% chance that the admin password is either ‘admin' or something equally silly like ‘password.' Seriously. You are supposed to change this password, but the majority of people don't.

    Home network routers that use the generic admin password are really, really vulnerable to attack. Even if the manufacturer of your router thinks they have been smart and given it a password other than ‘password,' the hackers are one step ahead of them.

    Believe it or not, there are tables online of the default passwords for the majority of routers on the market so that the bad guys can look them up with a quick Google search.

    Defeating this kind of ‘hack' is easy enough. Log in to your router (you can find instructions online on how to do this), and change the password. As with any password, you should choose one that is nice and long and uses a variety of different types of character. You should also change this password regularly, so make a reminder for yourself to do so every quarter or so.

  • Finally, you should check what kind of encryption your router is using, and use the best encryption available. This advice holds whether you are setting up a network for the first time, or just looking to improve security on an old network.

    Wi-Fi networks have historically been inferior when it comes to security protocols. The first such protocol, WEP, was designed to offer the same level of security as wired networks: WEP stands for ‘Wired Equivalent Protocol.' It didn't. Many security holes were quickly found, and so began a rush to develop more secure protocols and patch Wi-Fi systems so that they could use them.

    The next protocol, WPA, was a bit better, but because it was designed to be backward-compatible with WEP it retained many of the problems of the older system. WPA2, the next Wi-Fi security protocol to be developed, was the first genuinely new development in Wi-Fi security since wireless connections were invented. Combined with AES, another encryption technology that was itself developed by the US government for Top Secret communications, WPA2 is currently the most secure protocol available.

    You can quickly check which security protocol your router is using by logging in to it or even just looking at the connection information on your smartphone or laptop. You should change this to WPA2 + AES if that is available. If not, change it to WPA2, and if not that then WPA. If your router only offers WEP, get a new router. Seriously.

After following these steps, you should have a pretty secure home WiFi network. Well done you. You can now use your network relatively safely.

However, you should also be aware that even the most secure home networks are vulnerable to attack. This means that keeping yourself safe online requires not just a secure home network, but also that you take steps to limit your exposure to hacking when you are using the internet.

Staying Safe On Your Home WiFi Network

If you’ve taken the steps above, you now have a secure home network. Unfortunately, that’s only half the story. Most of the internet, if you haven’t noticed by now, is outside your control! That means that the information you send and receive when you are online, which for a lot of us is all the time, is still vulnerable.

Protecting yourself, therefore, requires constant vigilance, and some extra tech. Here are our recommendations:

  • First, you should know what an attack looks like. As we’ve explained above, many of the most common types of attack start with a hacker setting up a Rogue Access Point. This is a fake Wi-Fi router that broadcasts a signal that looks just like your home network. Our advice here is pretty simple: if a new network suddenly appears, especially one that has the same name as yours, and especially if it is unsecured, DO NOT connect to it.

    The same goes for the websites you visit. If a website looks sketchy, it's probably a fake phishing site. Giveaways can be poor spelling, cheap-looking images, or websites that are suspiciously eager to know your login credentials.

  • Another good practice is always to use HTTPS. You can check out our guide on Packet Sniffing for the gory details on the differences between internet connection protocols, but the short story is this: there are two connection protocols used for most of the web. One is secure (HTTPS), and one isn’t (HTTP).

    Most (good) websites now offer HTTPS connections, but some don't. Worse, even some big sites don't force you to use HTTPS when you connect, which means that it is easy to connect to the wrong, insecure version of the site. A Packet Sniffer can potentially intercept any information you send over an HTTP connection, so you shouldn't use it.

    You can tell if you are connected via HTTPS because your browser will display a small green padlock symbol when you are. If you don’t see that symbol, get out of there.

  • Finally, if you are looking for the ultimate level of protection online, whether you are using your home network or a public one, use a VPN. A Virtual Private Network (VPN) provides you with a secure ‘tunnel’ through which all your data passes. This means that no-one, except you and the site you are communicating with, can read it.

    Even after you have taken all the necessary precautions, everyone is occasionally vulnerable to hackers trying to steal their personal information. Using a VPN will really annoy them because all of the information they have stolen will be an encrypted mess of gibberish.

    Using a VPN on your home network also keeps you safe from other forms of attack, such as DNS re-directs, and ensures that you stay anonymous while browsing.

All of this advice, of course, stands for connecting to networks outside your home as well. Though we are focusing here on home WiFi networks, the same goes for any Wi-Fi network you want to connect to. This is especially important when you are connecting to large-scale public WiFi networks in the airport or other public spaces because these are a favorite of hackers.


My ISP says it is the most secure out there. Is that true?

Well, maybe. Who are we to judge?

The problem here is that, even though many ISPs sell their services based on the premium level of security they offer, your ISP is only a tiny part of the internet. They might promise to look after the information you send and receive via their servers, but they have no control over this data outside of that.

Specifically, it is important to realize that ALL home WiFi routers are vulnerable to attack because Wi-Fi itself is an inherently vulnerable system. No matter what promises the manufacturer of your router makes about the security of its hardware, ultimately it is your responsibility to make sure you are safe online.

What’s the Best Wi-Fi Security Protocol for me?

This question gets asked a lot, and the short answer is that it depends on the router you have.

Each new Wi-Fi security protocol has improved security over those that came before, and so the basic rating from best to worst of the modern Wi-Fi security methods available on modern (after 2006) routers is like this:

  • WPA2 + AES
  • WPA + AES
  • WPA + TKIP/AES (TKIP is there as a fallback method)
  • WPA + TKIP
  • WEP
  • Open Network (no security at all)

So, you should use WPA2 combined with AES if possible, followed by WPA and AES if WPA2 is not available, and so on down the list.

Which of these protocols works best for you will depend on your router. Routers from before 2006 might not support WPA2 for example. If you have a router from before 2006, you can sometimes download firmware updates that will make it compatible with a better security protocol, but the extra encryption might also make it a bit slower.

You should never use WEP, and (obviously) you should never, EVER use an open network with no security at all. If these are your only options, get a new router.
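
The ranking above and the earlier advice about a new network appearing with the same name as yours can be combined into a simple check over a list of visible networks. This is an added example, not part of the original article; the CSV scan format, the function names and the sample networks are all constructed for illustration.

```python
import csv
import io

# Ranking from the article, best to worst (index 0 is strongest).
RANKING = ["WPA2+AES", "WPA+AES", "WPA+TKIP/AES", "WPA+TKIP", "WEP", "OPEN"]

# Constructed scan results (not real networks), one "ssid,bssid,security" per line.
SAMPLE_SCAN = """\
HomeNet,AA:BB:CC:00:00:01,WPA2+AES
HomeNet,DE:AD:BE:00:00:02,OPEN
CoffeeShop,AA:BB:CC:00:00:03,WEP
Neighbour,AA:BB:CC:00:00:04,WPA+TKIP
"""

def normalize(security):
    return security.replace(" ", "").upper()

def rank(security):
    """Position in the article's list; labels not on the list rank last."""
    label = normalize(security)
    return RANKING.index(label) if label in RANKING else len(RANKING)

def audit_scan(scan_text, my_ssid, my_bssids, my_security):
    """Return (bssid, reason) findings for networks that need a closer look."""
    findings = []
    for row in csv.reader(io.StringIO(scan_text)):
        if len(row) != 3:
            continue  # skip blank or malformed lines
        ssid, bssid, security = row[0], row[1].upper(), row[2]
        weaker = rank(security) > rank(my_security)
        if ssid == my_ssid and bssid not in my_bssids:
            # Same name as the home network, but not the home router's radio.
            reason = "same name as home network from unknown access point"
            if weaker:
                reason += ", with weaker security (" + security + ")"
            findings.append((bssid, reason))
        elif ssid == my_ssid and weaker:
            findings.append((bssid, "home router now advertises " + security))
        elif normalize(security) in ("WEP", "OPEN"):
            # The article's rule: never use WEP or an open network.
            findings.append((bssid, ssid + " uses " + security + ": do not join"))
    return findings

if __name__ == "__main__":
    for bssid, reason in audit_scan(SAMPLE_SCAN, "HomeNet",
                                    {"AA:BB:CC:00:00:01"}, "WPA2+AES"):
        print(bssid, "-", reason)
```

A matching BSSID is not proof that an access point is genuine, so treat a clean result as one signal rather than a verdict.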