How to Secure Your WiFi Network

Secure Home WiFi_header
It’s easier than ever to set up a wireless network. Plop in a WiFi router and connect to a DSL or cable modem, or if you are one of the lucky ones, with a FiOS box. But before you start online banking, shopping, and surfing the Web, make sure your network is secure from intruders.

You may think that your neighbor hopping onto your wireless network to check email is harmless. Actually, there is more at stake than the fact that this unauthorized person may hog up the bandwidth by streaming HD videos. This person, once on your network, can intercept all the data you are sending, trick you into going to a malicious site, and break into computers and other devices you may have connected over the WiFi. Letting someone you don’t know on to your network is essentially letting that person see all the data flowing in and out.

If you have your own WiFi network, it’s important you secure it from unauthorized users and devices by configuring the wireless router appropriately. While specific steps in the management software vary from vendor to vendor, and from router to router, the options are fairly universal and shouldn’t be too hard to find.

Below are some tips on how to enhance your wireless network security.

1. Encrypt with WPA2
When you set up your wireless network, you had the option to turn on encryption. For home networking users, you should turn on encryption (as opposed to running an open network) and you should select WPA2 as the encryption method. WEP is not secure and some of the other methods are generally out of reach for most home users. Even if you didn’t enable WPA2 when you first set up the network, your management software should let you turn it on after the fact.

When you select WPA2, you will be prompted to create a passkey for users to enter when trying to connect to the network. It is important—no, critical—to make sure the password is unique and complex so that outsiders can’t just brute-force or guess a password and hop on to the network. Make sure to select a string of characters that is fairly long and a mix of both numbers and letters. If your passkey is flimsy, then determined attackers will be able to breach your network anyway.

Don’t turn on WPS (WiFi Protected Setup). It doesn’t always work consistently, and its nine-digit PIN is vulnerable to guessing attempts. Once the attacker figures out the PIN for WPS, there is nothing stopping the adversary from accessing any shared data that resides on your wireless network.

2. Change Default Passwords
Many of the routers ship with a default password for the administrator management software. It could be “admin,” or even a blank password, and is quite often printed somewhere in the documentation and available online. Users should immediately change the password for the management interface while setting up the wireless network so that outsiders can’t reach the management interface. If adversaries get access to the management interface, they have full control over your router and you would be in serious trouble.

While you are changing passwords, check to see if the router shipped with any pre-created SSIDs. SSIDs are the names of the wireless networks configured for the router. You should change the passwords for these SSIDs even if you aren’t using them, just in case.

3. Clean up the list of SSID names
Speaking of SSIDs, vendors tend to use very generic names for the SSIDs, such as ‘linksys’ or ‘netgear-wireless.’ Change them from the default to something unique. Attackers can launch man-in-the-middle attacks by using frequently used SSIDs for their rogue wireless hotspots which could be used to trick devices into connecting to that network. Having a different SSID name and password ensures that it will be harder for a person to guess and break in.

It may be just easier to delete all the SSIDs on the router (usually listed under “wireless” on the management software) other than the one you are using. Why increase the potential attack surface? After you have cleaned up your list of SSIDs, hide the name. Some vendors call this cloaking, but the idea is to prevent the SSID from broadcasting to all devices in the vicinity. You can connect by manually entering the name of your network, but other people won’t know that network is there.

4. Regularly Check Who Is Connected
The management software generally has a section called “Device List”, which shows the computer name of all the devices that are connected to the wireless network. It’s a good idea to periodically go in and check to make sure you recognize the names. To prevent unknown devices from ever being able to connect, you can enable Mac Address Filtering. This will require you to know how to get your device’s hardware address (MAC Address) so that you can enter it in the software. It can be a little manual and time-consuming, but it ensures no one will ever be able to get on the network without your knowing about it.

Your router has other advanced features, such as “guest networking”, which you should turn off, and a firewall, which you should turn on. If you aren’t already running a software firewall, turning on the router’s firewall is critical, but it’s not a bad idea to have both to boost your layers of security.

Regularly update your router firmware when they are available, and you’ll have a pretty secure wireless network. It’s worth the time to set it up properly as a closed network will save you tons of headaches down the road.

Get ZoneAlarm Extreme Security

Get it now

44 comments on “How to Secure Your WiFi Network

  • Sten Drescher says:

    DO NOT hide the SSID on your router! Doing this may cause your devices to broadcast the SSID everywhere you go, as explained at .

    • Henry Hertz Hobbit says:

      I don’t think you mean to use the term “hide your SSID” and some wireless routers allow you to have only only one SSID. What you mean is to turn broadcasting of your SSID off. You will have to give the WPA2 login credentials to others you allow to connect and temporarily turn broadcasting back on for them to connect. Once they have a connection established, turn the broadcasting of your SSID back off.

      Changing your IP address range used to another one of the NRIP addresses (make sure it uses only netmask for lower ranges) can also help. But don’t do that over the wireless. Also restrict how you can connect to the router (e.g. only from the wired side of the LAN) for even greater security if it has that capability.

  • Interesting comment about SSID cloaking as on Jan 15 2014 your blog post said “While some argue for hiding SSIDs altogether, in truth this has little effect on security.” See – and hidden SSIDs are often not recognised see which says a lot inc “There’s another problem with hiding your wireless network name: depending on the device, many devices won’t let you automatically connect to a hidden network, and if you have automatic connection enabled, you’re actually leaking your network name,”

    • Hiding SSID or not, the important thing is to make sure your network is encrypted with WPA2 and to use a strong password.

  • Thanks for the article. I am currently doing everything you have suggested except for hiding the SSID. It would have been nice if you could have explained how to hide it.

  • Going so far as to hide your SSID is a bit paranoid and overkill. Strong encryption and and strong passwords are good to be sure.. However, unless you are a V.I.P., most of our home networks are not important enough for a hacker to spend that much time trying to break into.

    • a person with a laptop “hacked” my wireless because at that time I did not know to change the shipped password. They then changed the default password so I could not get into my router settings. In the settings, your network access password is displayed for them to be able to log in to your wireless network. They then downloaded movies while on my network, which of course was traced back to MY internet account!!!

  • Mark Hoenig says:

    What about using the MAC address filter? With the MAC filter, you identify every device that is authorized to access the network by its unique identification number – whether it’s a TV, smartphone, computer, etc. Even though the network SSID may be broadcast, no device can log on unless it is on the MAC address list. No password to hack, etc.

    • I used to swear by MAC address filtering, but then I read that devices broadcast their MAC addresses to the router in plain, unencrypted text (!), and that it’s easy enough for a hacker to spoof a MAC address to gain access.

      As others have said, the only really effective way to secure your network is WPA2 with a *strong* password.

    • The article did mention MAC filtering, at least the version of the article that I read. Many people, including me, don’t use MAC filtering for, mainly, the following reasons:

      1. It’s extra work for you whenever you have a new device that you DO want to grant access to your network. This applies to things like a new iPad, a Blu-ray player, any new device that has Wi-Fi capability. It also applies to when cousin Sally brings her laptop over and wants to use it on your network for the first time. Never mind the extra work, what if you’re not home then? Does your wife know how to add Sally’s computer to the router’s MAC list?

      2. It would still be possible for a determined hacker to figure out the MAC address of one of your devices, and spoof that address (disguise his device as having that address). The tools for doing this are readily available to anyone who wants them, at little or no cost.

      3. As mentioned above, encryption with a strong passphrase provides very adequate security for the typical home network.

      More security usually means less convenience. One needs to be sure that the cost-benefit trade-off is a good one. This applies to hiding the SSID as well.

  • Many home routers permit WiFi network access only to ‘allowed’ MAC addresses; a code uniquely identifying the interface of each item of network-able hardware, by means of a table (a.k.a. an access control list or ACL).

    A highly determined intruder could circumvent the ACL by ‘spoofing’ an allowed address after all, no security system is impervious to attack. However an ACL, when used in conjunction with the other security tips you’ve explained is a strong way to ensure that only known devices can access your WiFi network.

    An additional tool for my own home WiFi network is to use my router’s feature that only allows router administrative changes from a wired network device.

  • We have a 2wire router from AT&T. It is wifi and Ethernet. We have it strictly wired for security issues. Now that I see this, am I secure enough with this or do I need to do something more? We do not use the wi fi part.

  • Tony Thomas says:

    I have MAC Authentication set up. Would you consider this less secure, more secure, or equally secure to using WPA2 with a password?

    • Are you talking about using it INSTEAD of WPA2 and a strong password? That would be a huge mistake. MAC addresses are NOT ENCRYPTED when your wireless devices request access to your router – they are sent in plain text – and they can be spoofed.

    • You should use both imho. The point being, like your house or your car, it’s almost impossible to stop a determined thief. Likewise, with your home wifi it is very difficult to prevent a determined attacker getting in. All you can do (with the tools you have at your disposal) is make it as difficult as possible and lock all the open doors…. 😉

    • It’s very similar to securing your house against burglars, leaving the house doors and windows unlocked renders it unsecure, locking all the doors makes it more secure, in addition, switching on a burglar alarm will make it more secure, if you then add additional locks this makes it more secure. In other words, you are (sort of) adding more layers of protection.
      It’s the same thing with your home WiFi. The majority of home routers come with a firewall, MAC filtering and WPA-2 using one of them will make your home WiFi more secure, using all of them will make it even more so BUT a determined (so called) hacker can get in. The more layers of security he has to get through will make it more difficult and might just frustrate him so that he will go and try his luck elsewhere. If you do not change the Admin password, do not set-up WPA-2 (with a strong password) do not activate the firewall etc. You are basically leaving all the doors unlocked and asking for trouble.
      I have had numerous home and business WiFi routers installed by ISP’s and so far, they have never changed the default SSID. Never changed the default Admin password, never switched on the Firewall, never mentioned WPA-2, MAC filtering, static IP’s etc.
      This blog post is intended to bring awareness to the uninitiated…. 😉

      • If I had a sophisticated, heavy steel vault door with a combination lock inside each of my normal doors, I might feel that locking the outer doors was a waste of my time. That pretty much describes how I and many others feel about MAC filtering, hiding the SSID, and various other methods of security overkill.

    • Less secure. MAC addresses can be spoofed and it takes only a bit of effort for a hacker to get the MAC addresses that are in use. But if a password is required, it makes it much harder for someone to use your Wifi.

  • I have only a WEP pin available; maybe my router/modem is a bit old.? What can I do?
    I am a bit scared to get the starter disc going and changing passwords etc in case I have to re enter other stuff and I’m not too hot on all the jargon

    • ZoneAlarm says:

      Your router may be too old. It may be worth investing in a new router that provides WPA2 encryption. Many of them are very simple to install.

  • Jon Fukumoto says:

    MAC filtering will not keep people off. MAC addresses can be spoofed, since there’s software available that will enable anyone to temporarily change the MAC address on their NIC in order to get on. Also, hiding the SSID will not prevent anyone from getting on, since the client will transmit the SSID in the clear. Changing the defaults is definitely recommended in addition to using WPA2 with encryption.

    • ZoneAlarm says:

      A strong password would be one that isn’t easily guessed like “password” or “12345”. Think of the password you’re using right now, and ask if you think it’s easy to crack.

    • I’m using blue44myst. I think it’s strong enough. A dictionary based attack would be useless against it, since there’s no reason for it to be found in any dictionary of possible passwords. A purely brute force attack — simply trying every possible combination of letters, numbers, and symbols — would eventually stumble upon it, but the time required would exceed any hacker’s attention span. It’s also fairly simple and easy to remember. If you don’t think you can remember your passphrase, you can always tape it to the outside of your router.

        • Sorry, I should have said I’m using something close to blue44myst. But, if you can find my network, go ahead and give it a shot.

    • By the way, I’m in favor of using the term passphrase, not password. WPA2 allows imbedded spaces, which greatly enlarges the universe of possibilities that a hacker would have to deal with. Thus, you could choose a passphrase like “home after six”. The word “password” implies incorrectly that it has to be a single string with no spaces.

  • John Peek says:

    How do you ACCESS your ROUTER’s settings, so that you can follow these instructions to make it secure?

  • Wish this article had come out earlier. Someone logged into my router with the default password and changed it so I had to contact tech support to get control of my router back. While in the router settings, your wpa2 password is displayed for them to be able to gain access to the internet. I received a letter forwarded from my provider that told me I had a problem. (see below)
    YES, it can happen to anyone that does not know what to do to keep them out. Change default password also!

    Quote: You are being contacted on behalf of NBC Universal and its affiliates (“NBC Universal”) because your Internet account was identified as having been used recently to illegally copy and/or distribute the copyrighted movies and/or television shows listed at the bottom of this letter. This notice provides you with the information you need in order to take immediate action that can prevent serious legal and other consequences.

  • There are a number of websites where you can test your password strength, blue44myst is not overly strong, though probably enough to deter the casual attack.
    I create mine from the first three letters of three random words, each with one upper and two lower case letters, mix in a couple of numbers and a punctuation character or two and you have a password that can withstand brute force attacks for a considerable time.

  • Thank you for this valuable info, and to all that contributing with their comments. I’m going to change router password. BTW, while setting a repeater I read 54 Mbps connections don’t support WPA2 and -since I still have a couple of class G adapters-, I skipped turning on WPA2 protection despite both router and repeater are WPA2 capable. What can be done in this case? I appreciate your best advice.

  • One technique that can help create more-secure passwords is to use the first letter of each word in a long sentence to create what appears to be a random string, but is easy for you to remember. Take, for example, the sentence: “This is not the real password I use for any of my devices today, but it is quite similar in how it works.” This would become “TintrpIu4aomd2d,biiqsihiw.” which, at 26 characters (including punctuation — 24 without), will withstand a brute force attack and also a “dictionary attack.” For those who don’t know, a dictionary attack is where the hacker uses words from the dictionary, either alone or in combination with other words, in an attempt to find the password.

    In my job, I often need to know customers’ passwords for various accounts and devices including routers. I’ve found way too many people create passwords by using important dates, pets’ names, children’s names, names or phrases from their religion, and common words found in any dictionary. A neighbor or other social engineer doesn’t have to do much work to find out what dates are important to your family, to know that your only child “Amber” named the family dog “Farley” or that you have a big “John 3:16” bumper sticker on the back of your mini-van. If you want to keep unauthorized people out of your network, don’t use these things to create your password.

    In my experience, the vast majority of successful hacking attempts have been completed by people looking for free internet access and who know the owner of the device that was hacked. They used simple and basic social engineering techniques to gain access to the device, and then use it for their own purposes. More advanced hackers often use these simple techniques as well, but they want your personal information, not just your internet bandwidth. It is important to guard against both types of attacks. The techniques from this article will help protect you from both types of hackers.

  • Why should “guest networking” be turned off? I’ve used it successfully to allow limited (i.e. just Web-browsing) access, and it’s secured with a strong passphrase (one which, not so tangetially, is quite different from the router’s master password). Thanks in advance.

  • You are so awesome! I do not believe I’ve read anything like this before.

    So nice to discover someone with a few unique thoughts on this topic.
    Seriously.. thank you for starting this up. This website is something that’s needed on the web, someone with a little originality!

  • How can I secure my laptop from hacking when I connect to a private home wifi? VPN would protect my connection to the internet, but what to do to secure the connection to the home owner’s wifi during an Airbnb stay?


Leave a Reply

Your email address will not be published. Required fields are marked *

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <s> <strike> <strong>

This site uses Akismet to reduce spam. Learn how your comment data is processed.