How to protect your wireless router

wireless router security© Choose

AS ISPs come in for flack over lax security procedures on their routers, it looks like it's time to tighten up on our internet security practices.

Virgin Media have come under scrutiny recently for issuing routers with weak passwords that open them up to potential hackers.

What's more Virgin are not the only ISP jeopardising customers' security with experts now criticising the likes of BT, Sky and TalkTalk for engaging in similar practices.

But exactly what can we do to protect our connection and our personal data? Read on for our top tips.

1. Password protect the router

disable router password

Many people don't bother to change any of the preset passwords supplied with their broadband router, which leaves them open to being accessed by pretty much anyone who knows where to look online.

The first password we need to change is the router password. This is different from - and potentially more important than - the password we use to log onto the wi-fi network via our computers and phones.

It's vital that we change this password - if there's one set up at all - because every router sold or provided to us comes with a generic password that can easily be found online.

This was the issue at the heart of Virgin's recent troubles, mentioned above, that led them to prompt over 800,000 customers with their Super Hub 2 device, to change their passwords.

Anyone who gets access to the router has the ability to fiddle with the rest of its settings, including changing the wi-fi password - also known as the network key - and can effectively lock us out of our own wireless network.

To change the router password, check for a sticker or panel on the back of the router that includes the network key: some ISPs include the router or admin address (http://192.168.x.x or similar) and the password on this label.

Navigate to this address in a computer browser and log in using the details provided, then look for the option to change the password to something more difficult and unique - and keep a note of the new password somewhere safe.

Change the router password
...on a BT hub
...of a Plusnet router
...with a Sky hub
...if it's from TalkTalk
...or one of Virgin Media's

We've included links to the instructions on how to do this for each of the UK's biggest ISPs in the box to the right.

It's also worth looking to see if there's an option to restrict admin access to the router to connections made via an Ethernet cable - so that once secured, only those with physical access to the router can change these settings.

Once the router password has been changed, stay logged into the screen to carry out the next few security checks.

2. Password protect the network

enable network password

The next step is to change the network key - the more familiar password we type into every device when first connecting to the wireless network - and make sure the network is encrypted to a decent standard.

There should be a "security" tab or menu, showing the various options for encryption - do not choose "none". If there's a choice between WEP or WPA, go for WPA, and ideally WPA2.


With WEP protection, the wireless router generates a 10 or 26 (64 bit or 128 bit) character sequence of random letters and numbers which becomes the password for anyone wanting access to the network.

This was all well and good until someone worked out how to hack it - have a quick search on Google for "How to hack WEP encryption" to see just how insecure it is as an encryption method.

Most of the newest routers should feature WPA2 encryption - often called WPA2-PSK - but if that's not an option, use WPA Personal. If there's a choice between WPA2 [AES] or WPA2 [TKIP], choose the [AES] option.

One of the strengths of WPA2 encryption is that it gets us to set our own password - which we should make as difficult as we can, thus helping to ensure that only the people we tell the password can log on.

As we should be using unique and difficult to remember passwords for every account we have, it's worth using a password manager to generate the new network key, even if we then have to write it down and tuck it under the router for future reference.

Also make an effort to change this password frequently, even if it does feel like a pain having to update the details on every device in the house.

3. Change the SSID

disable default ssid settings

After this, but before we start trying to connect our phones, smart TVs, printers and other devices using these new credentials, it's worth taking a little more time to change and possibly hide the network's SSID.

This is the name that comes up when we scan for available wireless networks to connect to, and most include more or less detail about the ISP and router model broadcasting the signal - run a scan and note how many start with "TALKTALK", "Sky" or "BTHub".

That gives hackers and other unwanted guests a place to start when checking if we're using default passwords (see step 1).

To change this, go to your "router setup" page and look for the "wireless settings" option. Here you should be able to enter a new SSID. Be sure to use something less revealing and steer away from including any personal information.

Given how many devices most of us have connected to our home wireless network, it's often not practical to hide the SSID - but doing so means the neighbours and any casual chancers won't see it on their list of networks when they're looking for a connection.

4. Switch off WPS

disable wps

Wi-fi Protected Setup, or WPS, is really useful for connecting new devices to a wireless network quickly and easily - simply select the WPS option on the device, then push a button on the router and access is granted.

It works by synchronising with - and granting access to - any devices in the surrounding area that are primed to receive WPS data.

While the obvious risk would seem to be from people hanging around our router to try to take advantage of these mini broadcasts, WPS can also be cracked fairly swiftly by hackers once they know just a few basic details about the router setup.

Once they've cracked the WPS, they can go on to access our other security details much more easily - so if in doubt, switch it off.

To disable, log into your network router and go to the wi-fi protected setup page then simply click the "off" option.

5. Disable remote administration

disable remote administration

Another way criminal hackers can penetrate a home internet connection is via the remote administration feature on a router, which exposes its web interface.

Luckily, remote administration can easily be disabled via the "administration" tab on the router's setup screen.

Those who require remote access should consider using an alternative method such as a VPN, which offers more protection.

6. Build the great firewall of China

setup router firewall

It's vital to protect broadband connections from virtual intruders as well as those physically near us.

Almost all routers have a built in hardware firewall which is a far more robust defence than any software firewall.

This will prevent any unwanted attention from hackers and any unauthorised traffic attempting to connect to our computer from the Internet.

The instructions will be in the router manual, or on the ISP's router help pages - but it may be as simple as looking in the router admin settings (see step 1) for the security option saying something like "SPI firewall" or "NAT firewall", clicking enable, and then saving and applying that change.

Remember, however, that a firewall on its own doesn't protect against viruses so always have anti-virus software installed and up to date.

Check our guide to online safety for more information on the security packages offered by all the major broadband providers.

Windows users can also easily switch on the Windows firewall to protect the incoming and outgoing traffic on their computer.

7. Setup a wireless MAC filter

enable wireless mac filter

Most routers offer this option, sometimes known as hardware address filtering, to limit the number of devices that can join a network, in a bid to keep hackers at bay and boost overall security.

When enabled, the router will check the MAC address of any device requesting to join a network against a list of approved addresses. If the address corresponds with one on the list then access is granted and if not it's blocked.

To put a wireless MAC filter in place go to the router setup page and open up the DHCP table. Here we have to enter the MAC address of each device we want to give access to. We'll also need to provide a description for the item and make sure the status says "enabled" then save our changes to implement them.

» Read more of the latest news

» Search for more guides on broadband and mobile

Follow us or subscribe for FREE updates and special offers