Wi-Fi Security Best Practices

Practical steps to strengthen home and office Wi-Fi against unauthorized access and common attacks.

This page runs entirely in your browser. No data is sent anywhere.

Follow these steps to protect your Wi-Fi network from unauthorized access and potential security threats. These practices are recommended for both home and office networks.

Use a Strong Wi-Fi Password — Ensure your Wi-Fi password is long (at least 12 characters) and complex, with a mix of letters, numbers, and symbols.
Enable WPA3 Encryption — Always use WPA3 (Wi-Fi Protected Access 3) if your router supports it. If not, WPA2 is the next best option.
Disable WPS (Wi-Fi Protected Setup) — WPS is convenient but vulnerable to attacks. Turn it off in your router settings.
Change Default Router Settings — Change default usernames and passwords for your router’s admin console to something unique and strong.
Use a Guest Network for Visitors — Set up a separate guest network for visitors to keep your main network secure.
Enable Network Encryption — Ensure your network is encrypted using WPA2 or WPA3. Encryption protects data transmitted over the network.
Keep Your Router’s Firmware Updated — Regularly check for firmware updates for your router to protect against security vulnerabilities.
Disable Remote Management — Disable remote access to your router’s admin interface unless absolutely necessary. This prevents unauthorized access.
Limit Device Access with MAC Address Filtering — Enable MAC address filtering to limit access to only approved devices on your network.
Monitor Connected Devices — Regularly review the list of devices connected to your network to identify any unfamiliar ones.
Use VPN on Your Devices — Use a Virtual Private Network (VPN) on your devices to encrypt internet traffic and protect your online activities.
Set Up a Secure DNS — Use a secure DNS service (for example, Quad9, Cloudflare, or Google Public DNS) to reduce the risk of DNS hijacking and improve filtering.

Recommended Enhancements

Router Placement and Physical Access — Place the router centrally, away from windows and publicly accessible areas. Restrict physical access to prevent resets or tampering.
Automatic Updates and Scheduled Reboots — Enable automatic firmware updates if available. Consider scheduling periodic reboots to clear cached sessions and refresh connections.
Router Logging and Notifications — Turn on logs and alerts for new device joins or failed admin logins. Many routers can email or push notifications for unusual activity.
IoT and Smart-Device Segmentation — Put cameras, TVs, assistants, and other smart devices on a separate guest network or VLAN to keep them isolated from laptops and workstations.
Encrypted DNS (DoH/DoT) — Use DNS-over-HTTPS or DNS-over-TLS at the router or device level for encrypted lookups. If unavailable on the router, enable secure DNS in your browser settings.
Emergency Recovery Steps — If compromise is suspected, disconnect the router, perform a factory reset, update to the latest firmware, and reconfigure with a strong unique admin password before reconnecting.

Tip. If your router brand exposes a “remote management,” “cloud access,” or “WAN admin” feature, leave it disabled unless you truly need it and can secure it with strong MFA.

Advanced Practices ▶

Disable UPnP unless a specific service explicitly requires it.
Change the SSID to a neutral name that does not reveal brand, address, or identity.
IPv6 hardening — disable if unused, or configure properly with firewall rules.
Enable router firewall/IDS features if available, and review alerts weekly.
Per-device controls — limit bandwidth and schedule internet downtime for high-risk devices.
Browser secure DNS — in Chrome or Edge, go to Settings → Privacy and security → Security → “Use secure DNS.” Choose a trusted provider or your custom DoH endpoint.
Example DoT (systemd-resolved) — add to /etc/systemd/resolved.conf: DNSOverTLS=yes; restart with sudo systemctl restart systemd-resolved.