A guide to improving Wi-Fi router security

Protecting a wireless connection is essential housekeeping for ensuring the integrity of your network, but what does that mean in practice?

Superfast IT clients need not worry - your routers are secure, while home-based users have VPNs to protect against these vulnerabilities. However, if you do not have guest WiFi or are looking to improve security, get in touch and we can let you know your options.

Router security is an important consideration for protecting an internet connection. It’s applicable to businesses and home users alike, and with more people working from home, it’s important that your office and your team’s home internet set-up is given due attention.

If a connection is wireless, then it becomes a priority. Wi-Fi by its nature is especially open to being breached, attacked or compromised. Network access is open and guests, whether authorised or not, don’t need server room keys and Ethernet cables to find it. Your business could be left open and vulnerable if your router is insecure in your home or office.

In danger by default

Wi-Fi routers left on default “out-of-the-box" settings can be unnecessarily vulnerable.

This is because factory settings are general and not personalised. As a result, they follow a formula and are more predictable to hackers.

But fear not, help is at hand. We’ve teamed up with broadband.co.uk to examine some common general tips for tightening Wi-Fi security.

How to make your router more secure

Securing your router usually starts with administrator or “admin” access and the login details that protect it.

Setting new, strong usernames and passwords is a basic must for any system, and it’s especially important for your router. Many routers will come with default admin logins that are the same across an entire range.  Change this and don’t make these details publicly available.

Permitted admin-level users should be limited to select IT staff or senior management only. 

Hypertext Transfer Protocol Secure (HTTPS)

Routers use a typical IP address for accessing admin controls via a web browser. For example, this defaults to http://192.168.0.1 or something like it, depending on manufacturer.

Not only can this address be changed, but the HTTP prefix switched to HTTPS also. Usually an option under “local management access” settings, this ensures the secure protocol is used to encrypt your wireless admin exchanges.

You can often go a stage further and choose to restrict admin access to wired Ethernet connections only.

It’s worth noting that admin access is only ever local. No interaction here is ever shared with the wider web, just between the connected device (client) and the router.

Wi-Fi Passwords & Encryption 

The frontline of wireless protection is the network name (SSID) and the password needed for guests to connect.   

• Change the Wi-Fi Service Set Identifier (SSID). This is important if the default name reveals the router name or model. Try changing it to something more personalised for home or business. 

• Set the Wi-Fi Password. The network password that authenticates connections should be unique and strong, plus changed regularly.

Hiding the SSID is can be an optional way to shield the network’s visibility. More important is using strong Wi-Fi encryption.

Here it is advised to use WPA2 or preferably the stronger WPA3 if your devices have compatibility.

WPA2 (Wi-Fi Protected Access 2) is the second generation of the Wi-Fi Protected Access wireless security protocol, designed to secure and protect Wi-Fi networks. WPA2 ensures that data sent or received over your wireless network is encrypted, and only people with your network password have access to it.

WPA3 (Wi-Fi Protected Access 3) is the newest wireless security protocol designed to encrypt data. It’s more secure than its predecessor, WPA2, but it hasn’t been widely adopted as not all hardware supports WPA3.

 If your router only offers WEP then it’s time for an upgrade, as this is an outdated and insecure standard.

Disabling features like WPS

Wi-Fi Protected Setup or “WPS” is a popular feature that could be enabled by default. WPS makes it easier for certain devices to join a secured network without needing login details.

Known as insecure and a popular point of vulnerability, the option to disable should be found within admin settings.

Other ways to restrict access 

There are a number of options for limiting network connections. This can be among the most effective ways to “block” access by devices you weren’t expecting. 

Enable a guest Wi-Fi network 

This is a typical tactic for businesses especially. Often, office premises will want a more open, less secured wireless network available for visitors.

Obviously, this wants to be sufficiently separated and secured from the work network

If the router allows, you will find options for adding guest or virtual access points. Set an SSID, password and any restrictive parameters (such as data usage limits) as required.

Filtering device access by MAC address 

You might consider filtering access by the unique 12-digit identifier each network device has known as the MAC address.

Here you can create pools of permitted and denied addresses, that work a bit like a guest list to a nightclub. All MAC addresses added to a “whitelist” are allowed in, while the rest are barred.

Conversely, a “blacklist” blocks all listed addresses while permitting all the rest. Typically, SSIDs can have a maximum of 1024 clients added each.

When testing this, use the admin panel to view and monitor attached devices.
 

Time to update or upgrade?

One of the primary things to check is a router’s firmware. The default factory firmware is often out of date, with new versions offering enhanced security.

Check the version number and visit a manufacturer’s website to find any updates if you can’t install them via the admin panel.

Alternatively, a new router could be required to get cutting-edge protection. These will support revised, more secure protocols (Wi-Fi 6) or modes of encryption like WPA3.

Above all else, just remember that protection measures are cumulative and not exclusive. Use as many as you can to layer protections and close those security loopholes!

we can help

Implementing security measures takes time, but the long-term investment is worthwhile. Improving your overall resilience will reduce the number of business disruptions and the damage they cause. Get in touch to understand what security measures are proportionate for your business size.