00

Why this matters

Your router is the one device every other device depends on. Phones, laptops, the television, the doorbell camera: all of them reach the world through it. Whoever controls the router sees and shapes the traffic of everything behind it.

It arrives set up for a quick start rather than a safe one. The settings that make a router easy to plug in on day one are the same ones an attacker looks for: a default admin login anyone can find online, remote access left open, old shortcuts that were broken years ago. None of this is hidden. It sits in a menu nobody opens twice.

The threat is not abstract. In May 2025 the FBI warned that criminals were hijacking end-of-life routers with remote administration left on, turning them into proxies to hide their own crimes behind your address. A month later it described home gadgets such as streaming boxes and digital picture frames being pulled into a botnet the same way. The weak device on your network becomes a tool used against others, and a door into the rest of your home.

The work is a single sitting. You change a handful of settings on the router, then split it into separate networks so the weakest gadget is walled off from the devices that matter. After that the front door is locked, and a cheap plug going bad stays a cheap plug going bad.

What this is, in one line

Change the few router settings that were built for convenience, then put your smart gadgets on a network of their own.

01

What you need first

Everything here is done from one place: the router’s own settings page, opened in a web browser. You need three things before you start.

  • The router’s address. A short number like 192.168.1.1 or 192.168.0.1, usually printed on a label on the router itself. Type it into a browser to reach the settings.
  • The admin login. Also on the label, and often something like admin and a short code. This signs you in to the settings, and it is the first thing you will change.
  • A few minutes near the router. One step asks you to read the label, and a couple may briefly drop your Wi-Fi as settings save.

Menu names vary

Every brand lays its settings out differently, so the exact words on your screen will not match these line for line. The settings themselves are the same across almost every router. Look for the section the step describes, not the precise label.

02

The settings that matter

Seven changes, made once. Work down them in order. After each, the router may pause for a moment as it saves.

1
Change the admin password

Replace the default login first

Open the router’s address in a browser and sign in with the admin details from the label. Find the section for the administrator account or password, and set a long, unique password. This is the router’s own password, the one that guards every other setting, and it is separate from your Wi-Fi password. A password manager makes a long unique one painless to keep.

Why this is step one

The default admin login for almost every router model is published online. Until you change it, anyone who reaches the page can walk straight in. Change it before anything else.

2
Turn on updates

Install firmware updates and automate them

Find the section named Firmware, Update or Router Update. Install any update waiting there, then switch on automatic updates if the router offers them. An unpatched router is the exact thing the FBI warned about, because a known flaw left unfixed is a known way in.

3
Set strong encryption

Choose WPA3, and a long passphrase

In the wireless or Wi-Fi security section, set the encryption to WPA3. If some older device cannot join, choose a WPA2/WPA3 mixed mode, or WPA2 with AES. The Wi-Fi Alliance, which defines the standard, says WPA3 gives stronger protection against guessing of your Wi-Fi password. Set the passphrase to a long one, at least sixteen characters.

4
Rename the network

Change the name, but do not hide it

Change the default network name to something that does not announce the make and model of your router, which would tell an attacker which flaws to try. Do not bother with the option to hide the network. A hidden name is uncovered in seconds with free tools and only makes your own devices harder to connect.

5
Switch off WPS

Turn off the push-button shortcut

Find WPS, the Wi-Fi Protected Setup feature that lets a device join with a button press or a short PIN, and turn it off. The PIN can be guessed by a machine in minutes, which hands over your Wi-Fi password regardless of how long you made it.

6
Switch off remote management

Close the door from the internet

Find Remote Management, also called Remote Administration or Web Access from WAN, and turn it off. This stops the settings page being reachable from the internet, so only a device inside your home can open it. Leaving it on, paired with a weak password, is the combination the FBI saw criminals exploit.

7
Switch off UPnP

Turn off automatic port opening, then see what breaks

Find UPnP and turn it off. It lets devices open ports on the router by themselves, which is handy and sometimes the hole that exposes a service to the internet. Turn it off, use your home for a few days, and if a game console or particular app stops working, turn it back on or open only the one port that device needs.

03

A network for smart things

The settings above lock the front door. Splitting the network decides how far a problem can travel once it is inside. This is the change that most repays the effort.

Your smart gadgets are the soft targets. A cheap camera, a smart plug, a streaming stick: each runs software you do not control and often cannot update, and each is exactly what the botnets in the FBI’s warnings are built from. The fix is not to throw them out. It is to keep them somewhere they cannot reach the devices that matter.

Most routers already have the tool for this, the guest network. It is a second Wi-Fi name that hands out internet but blocks anything on it from seeing the rest of your network. Turn it on, give it its own name and passphrase, and look for a setting called client isolation, which should be on, or one called “allow guests to access local network”, which should be off.

1
Turn on the guest network

Create a second, isolated Wi-Fi name

In the router settings, enable the guest network and give it a name and a long passphrase of its own. Make sure any option that lets guest devices reach your main network is switched off, so the two sides stay separate.

2
Move the gadgets across

Put smart devices on the guest side

Connect your smart plugs, cameras, speakers and televisions to the guest network instead of your main one. Keep your phones, laptops and anything you bank or work on over on the main network. The FBI’s own advice on these devices is to isolate them from your other connections.

The everyday result

Your laptop and the smart bulb now share a router but not a network. The bulb can talk to its app and the internet, and nothing more. If it is ever compromised, the attacker lands in an empty room with your real devices behind another wall.

When a gadget will not cooperate

Some smart devices insist on being on the same network as your phone to set up. Connect the phone to the guest network for the few minutes it takes to add the device, then move the phone back to the main one. A few routers offer a dedicated smart-home network that handles this for you.

04

Check it worked

Three quick checks confirm the important changes took hold.

  • Encryption. On a phone or laptop, open the Wi-Fi details for your network. It should show WPA3, or WPA2/WPA3, rather than WPA2 alone or WPA.
  • Remote management. Back in the router settings, confirm the remote management option reads as off. This is the single setting most worth getting right.
  • The split. Connect a phone to the guest network and try to reach a device on your main one, such as a printer. It should fail, which means the wall is up.
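
The third check can be made more exact from a laptop joined to the guest network. The sketch below is an added example, not part of the original guide; it tries a few connections to devices on the main network and separates the ways an attempt can fail. The target address and ports are constructed placeholders, and the `connect` parameter is a hook added here so the logic can be exercised without a network.

```python
import socket

# Constructed sample targets: swap in devices on your own main network.
MAIN_NETWORK_TARGETS = [("192.168.1.50", 631), ("192.168.1.50", 80)]

def probe(host, port, timeout=2.0, connect=socket.create_connection):
    """Try one TCP connection and report how it ended."""
    try:
        with connect((host, port), timeout=timeout):
            return "open"      # handshake completed: the device is reachable
    except ConnectionRefusedError:
        return "refused"       # something answered for that address
    except OSError:
        return "silent"        # timeout, no route or host unreachable

def wall_is_up(result):
    """Only silence passes.

    A refusal is still an answer. It may come from the device itself or from
    the router rejecting on its behalf, so it is flagged rather than trusted.
    """
    return result == "silent"

def audit(targets, timeout=2.0, connect=socket.create_connection):
    """Probe every (host, port) and return (host, port, result, passed) rows."""
    rows = []
    for host, port in targets:
        result = probe(host, port, timeout, connect)
        rows.append((host, port, result, wall_is_up(result)))
    return rows

if __name__ == "__main__":
    for host, port, result, passed in audit(MAIN_NETWORK_TARGETS):
        verdict = "isolated" if passed else "CHECK GUEST SETTINGS"
        print(f"{host}:{port}  {result:8} {verdict}")
```

Run it once from the main network first, to confirm the targets answer there; otherwise a device that is simply switched off will look like a working wall.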

If your router is past its end of life

A router that no longer receives firmware updates cannot be made safe, because the next flaw will never be fixed. The FBI lists old models already hijacked this way. If yours is years old and updates have stopped, replace it. A current router that still gets updates is worth more than any single setting in this guide.

05

If something breaks

Symptom | What to try
the settings page will not open | Try 192.168.1.1, then 192.168.0.1, then the address on the label. Make sure you are connected to that router’s Wi-Fi, not a phone’s mobile data.
you are locked out after changing the admin password | Hold the recessed reset button for about ten seconds to restore factory defaults, then set everything up again from step 1.
an old device will not join WPA3 | Switch the network to WPA2/WPA3 mixed mode, or WPA2 with AES, rather than WPA3 only.
a smart device will not set up on the guest network | Add it with your phone on the guest network, then move the phone back. Or use the router’s dedicated smart-home network if it has one.
the internet broke after turning off UPnP | A console or app may rely on it. Turn UPnP back on, or open only the specific port that device asks for.
the router runs hot or behaves oddly | On an old router this can signal compromise. Update the firmware, factory reset it, and replace it if it is end of life.

06

Quick reference

Setting | Do
Admin password | Change from the default to a long, unique one.
Firmware | Install updates and turn on automatic updates.
Encryption | WPA3, or WPA2 with AES for older devices.
Network name | Rename it; do not bother hiding it.
WPS | Off.
Remote management | Off.
UPnP | Off, unless a device needs it.
Smart gadgets | On a separate guest or smart-home network.
End-of-life router | Replace it.

07

Common questions

The questions people ask before they open the router settings for the first time.

Where do I find my router's settings?

In a web browser, go to the address printed on the router's label, often 192.168.1.1 or 192.168.0.1, and sign in with the admin details on that same label. The first thing to change is that admin password, since the label details are no secret to anyone who has read the manual.

Is the admin password the same as my Wi-Fi password?

No, and the difference matters. The Wi-Fi password joins your devices to the network. The admin password opens the router's own settings, where every change in this guide is made. They should be two different passwords, both long and unique.

WPA3 or WPA2?

WPA3 if every device supports it, because it better resists guessing of your Wi-Fi password. If an older device cannot join, use a WPA2 and WPA3 mixed mode, or WPA2 with AES. Avoid the older WEP and TKIP settings entirely, as both are broken.

Should I hide my network name?

No. A hidden network name is simple to uncover with free tools and only makes joining harder for you. Rename it to something that does not give away the router's make and model, and rely on WPA3 and a strong passphrase for the actual security.

Why put smart devices on their own network?

Cheap smart gadgets are often the weakest thing you own, and they get compromised. The FBI has warned of botnets built from infected TV boxes and digital picture frames. On a separate network a hacked gadget still reaches the internet, but it cannot see or touch the laptop and phone on your main network.

My router is old. Does it matter?

It can matter a great deal. A router past its end of life stops receiving security updates, and the FBI has flagged outdated models hijacked into criminal proxy networks through a flaw the owner can no longer patch. If yours no longer gets firmware updates, the fix is to replace it.

Can I use the router my internet provider gave me?

Yes, as long as it still receives updates and supports WPA3 and a guest network. Change its admin password and apply the same settings. If it is old or its settings are locked down, adding your own router behind it, or replacing it, gives you back the control this guide assumes.

What is UPnP and should I turn it off?

UPnP lets devices open ports on your router by themselves. It is convenient and occasionally the hole an attacker uses. Turn it off, and if a game console or app later misbehaves, turn it back on or open only the single port that device needs.