How to secure your home network

If you work from home, your home network is part of your employer's attack surface. The router your ISP shipped three years ago, still on its default admin password, sits between the internet and the laptop you use to access production systems. Most home networks are secured to the level of "the Wi-Fi has a password," which is roughly none of the way there.

The good news: hardening a home network is an afternoon of work, requires no new hardware in most cases, and the steps below are ordered by impact. Do them top to bottom.

Step 1. Change the router's admin credentials

Not the Wi-Fi password, but the admin login for the router's management interface. They're different things, and the admin one is the one attackers care about, because it controls everything else.

Log in to the router (usually 192.168.1.1 or 192.168.0.1 in a browser; the default address and login are printed on a sticker on the device). Then:

• Change the admin password to a long, unique one from your password manager. Defaults like admin/admin are in every attack tool's first-guess list, and many ISP-supplied passwords are derived from the device serial or SSID in ways that are publicly documented.
• Change the admin username too, if the router allows it.
• Disable remote management (sometimes called "remote administration" or "access from WAN"). There is almost no home scenario where you need to reach your router's admin page from the internet, and exposed router admin panels are a top compromise vector.

Step 2. Fix the Wi-Fi encryption

In the wireless settings:

• Use WPA3 if every device supports it; otherwise WPA2/WPA3 transitional mode. Pure WPA2 (AES/CCMP) is acceptable. WPA, WEP, or "open" are not; WEP is breakable in minutes and has been for two decades.
• Disable WPS (Wi-Fi Protected Setup). The push-button-and-PIN pairing feature has a long history of PIN brute-force vulnerabilities, and the convenience isn't worth it. Turn it off entirely.
• Set a strong passphrase. Length beats complexity: a four-word random passphrase is both stronger and easier to type into a TV than Tr0ub4dor!.
• Rename the SSID to something that doesn't identify the router model or your ISP. Default SSIDs like TALKTALK-XXXX tell an attacker exactly which default-password scheme to try. Don't bother "hiding" the SSID; it adds no real security and breaks some devices.

Step 3. Set up a guest network, and put the IoT on it

Almost every modern router can broadcast a second, isolated SSID. Use it for two things:

1. Actual guests. Visitors get internet without getting access to your devices.
2. Everything smart and cheap. TVs, plugs, bulbs, doorbells, printers, the robot vacuum. These devices receive security updates rarely or never, and several botnets have been built entirely out of them. On the guest network, a compromised bulb can reach the internet but not your work laptop.

Check that "client isolation" or "AP isolation" is enabled on the guest SSID so guest devices can't see each other either. This is the home-scale version of the VLAN segmentation used in enterprise IP address planning: same principle, one checkbox instead of a switch config.

Step 4. Check what your network exposes to the internet

Your router's firewall blocks unsolicited inbound traffic by default, but two features punch holes in it:

• Manual port forwards you (or someone) set up for a game, camera, or NAS and forgot.
• UPnP, which lets any device on your network open inbound ports automatically, no questions asked.

Audit both. In the router's settings, find the port forwarding table and the UPnP port-mapping list, and delete anything you can't name a current reason for. Disable UPnP unless something you actively use breaks without it; it's the single most common way home networks end up exposed without their owners knowing.

Then verify from the outside: run your public IP through the Port Checker against the usual suspects: 21, 22, 23, 80, 443, 445, 3389, 5900, 8080. Every one of these should come back closed unless you deliberately host something. If 3389 (Remote Desktop) or 445 (SMB) is open on a home connection, fix it today, not this weekend. How to check open ports walks through the process, and our port security guide explains why these specific ports are the ones that get networks compromised.

If you genuinely need remote access to something at home, the answer is a VPN (many routers have WireGuard or OpenVPN built in), not a port forward to the device itself.

Step 5. Turn on automatic updates

Router firmware vulnerabilities are discovered constantly, and unpatched home routers get swept up in mass exploitation campaigns within days of a bug going public. In the router's admin interface:

• Enable automatic firmware updates if available. If not, check for updates now, and put a quarterly reminder in your calendar.
• If the manufacturer no longer publishes updates for your model at all, the router is end-of-life. Replace it; an unpatchable internet-facing device is not salvageable by configuration.

Apply the same rule to everything on the network: enable auto-update on laptops, phones, and any IoT device that offers it.

Step 6. Review the connected device list

In the router's interface, find the connected devices / DHCP client list. Go through every entry and account for it. Names like ESP_8F3A21 or a bare MAC address aren't necessarily sinister (IoT devices often report nothing useful), but each one needs identifying.

For mystery entries, run the MAC address through the MAC Address Lookup tool. The first half of a MAC identifies the manufacturer, which usually resolves the question instantly: Espressif is your smart plug, Hon Hai is probably the TV. (Note that phones and laptops randomise their MAC per network by default these days, so the same device can appear under multiple addresses; that's normal, not an intruder.)

If something is connected that you genuinely can't account for, change the Wi-Fi passphrase. That forcibly disconnects everything; only devices you re-add with the new passphrase come back. It's faster and more reliable than MAC filtering, which is easily bypassed by address spoofing and mostly punishes you with maintenance.

While you're in the device list, give your known devices recognisable names in the router UI. Future you, doing this review again in six months, will be glad.

Step 7. A few settings worth the extra five minutes

• DNS: consider pointing the router's upstream DNS at a filtering resolver like Quad9 (9.9.9.9) or Cloudflare's malware-blocking 1.1.1.2. Free malware-domain blocking for every device on the network, configured once.
• Separate work, if you can. If your router supports a third SSID or VLANs, giving work equipment its own segment is the gold-plated version of step 3.
• Check the obvious physical thing: the router's sticker shows the default credentials. If you've had houseguests with the Wi-Fi password and never rotated it, rotate it.

TL;DR

1. Change the router admin password and disable remote management.
2. WPA3 (or WPA2/WPA3), strong passphrase, WPS off.
3. Guest network for guests and all IoT, with client isolation on.
4. Delete unknown port forwards, disable UPnP, verify from outside with the Port Checker.
5. Enable automatic firmware updates; replace end-of-life routers.
6. Audit the connected device list; identify strangers with MAC Address Lookup; rotate the passphrase if anything can't be accounted for.
7. Optional but cheap: filtering DNS resolver, separate work segment.

Related

• How to check open ports - the full version of step 4
• Why open ports matter - what attackers do with exposed services
• How to audit network security - the same exercise at business scale