Router Hardening Checklist

The Checklist at a Glance

Router security does not require deep networking expertise. It requires ten specific actions, each of which takes a few minutes and makes a measurable difference. This checklist covers them in order of impact.

graph TD
    subgraph "Router Hardening Checklist"
        A["1. Change admin credentials"] --> B["2. Update firmware"]
        B --> C["3. Enable auto-update"]
        C --> D["4. Disable WPS"]
        D --> E["5. WPA3/WPA2 + strong passphrase"]
        E --> F["6. Enable PMF - 802.11w"]
        F --> G["7. Disable remote management"]
        G --> H["8. Disable UPnP"]
        H --> I["9. Guest network / IoT VLAN"]
        I --> J["10. Review port forwarding"]
    end
    subgraph "Verification"
        J --> K[Scan with BLEShark Nano]
        K --> L[Confirm WPA2/WPA3]
        K --> M[Check WPS disabled]
        K --> N[Test PMF with deauth check]
    end

The complete router hardening checklist - ten steps from most critical to supplementary, followed by verification

1. Change Default Admin Credentials

This is the single most important step, and it is the one most frequently skipped. Default credentials for every router model are documented online. Databases like routerpasswords.com list the default username and password for thousands of models. Automated scanners use these databases to access routers whose owners never changed the defaults.

Log into your router's admin panel (typically 192.168.0.1 or 192.168.1.1) and change both the username (if the router allows it) and the password. Use a password manager to generate and store a strong, unique password. This password protects the keys to your entire network - treat it accordingly.

Where to find it: Administration or System settings. Look for "Admin Password," "Management Password," or "Router Login."

2. Update Firmware to Latest

Check your router's current firmware version against the manufacturer's latest release. If an update is available, install it. Firmware updates patch known vulnerabilities that may already be targeted by automated scanning tools.

Navigate to the firmware section of your admin panel and either click "Check for Update" (if the router supports online checks) or download the latest firmware from the manufacturer's support page and upload it manually.

Where to find it: System Tools, Administration, or Advanced Settings. Look for "Firmware Update," "Software Update," or "Router Update."

3. Enable Auto-Update

If your router supports automatic firmware updates, enable this feature. Auto-update ensures that patches are applied without requiring you to manually check for them. Most routers apply updates during a low-usage window (typically 2 AM to 5 AM local time) to minimize disruption.

Where to find it: Same location as firmware update. Look for "Auto Update," "Automatic Firmware Update," or a toggle near the manual update button.

4. Disable WPS

WPS (WiFi Protected Setup) contains a fundamental protocol vulnerability that allows the WPA password to be recovered through brute force in hours. The vulnerability cannot be fixed through firmware updates because it is in the protocol design. Disable WPS entirely.

After disabling, verify from outside the router (using a WiFi scanner) that WPS is actually off. Some routers do not fully disable WPS even when the admin panel indicates it is disabled.

Where to find it: Wireless Settings or WiFi Settings. Look for "WPS," "WiFi Protected Setup," or a dedicated WPS tab.

5. Use WPA3 or WPA2 with a Strong Passphrase

Set your wireless security to WPA3 if all your devices support it. If some devices only support WPA2, use WPA2/WPA3 transitional mode. Never use WPA, WEP, or an open network.

The passphrase should be at least 20 characters. A sequence of four or five random words (a passphrase) is both strong and memorable. Avoid using names, addresses, birthdays, or any information that someone could guess or find on social media.

graph LR
    subgraph "WiFi Security Hierarchy"
        A[WPA3-SAE - strongest] --> B[WPA3/WPA2 Transitional]
        B --> C[WPA2-AES - acceptable]
        C --> D[WPA-TKIP - weak - avoid]
        D --> E[WEP - broken - never use]
        E --> F[Open - no encryption - never use]
    end
    subgraph "Passphrase Strength"
        G["Short: wifi123 - cracked in seconds"]
        H["Medium: MyH0m3W1f1! - cracked in hours"]
        I["Strong: correct-horse-battery-staple - years to crack"]
        J["Best: 20+ random chars from password manager"]
    end

WiFi security modes ranked from strongest to weakest, and passphrase strength comparison

Where to find it: Wireless Settings or WiFi Security. Look for "Security Mode," "Encryption," or "Authentication Type."

6. Enable Protected Management Frames

Protected Management Frames (PMF / 802.11w) encrypt management frames like deauthentication and disassociation. Without PMF, an attacker can disconnect any device from your network by sending forged deauth frames. With PMF, these frames are authenticated and forgeries are rejected.

PMF is mandatory in WPA3 and optional in WPA2. If you are using WPA2, enable PMF manually. Set it to "optional" or "capable" if some devices have compatibility issues, or "required" if all devices support it.

Where to find it: Advanced Wireless Settings. Look for "Protected Management Frames," "802.11w," "PMF," or "Management Frame Protection."

7. Disable Remote Management

Remote management allows accessing the router's admin panel from the internet (WAN side). Unless you have a specific, documented need to manage your router remotely, disable this feature. When enabled, the admin panel is exposed to the entire internet and protected only by the admin password. Combined with a known vulnerability in the admin interface, remote management creates a direct attack path from the internet to your router's configuration.

Where to find it: Administration or Advanced Settings. Look for "Remote Management," "Remote Access," "WAN Access to Admin," or "Web Access from WAN."

8. Disable UPnP

Universal Plug and Play (UPnP) allows devices on your network to automatically open ports on the router without user intervention. This is convenient for gaming consoles and media streaming but creates a security risk. Malware on any device inside your network can use UPnP to open ports, exposing internal services to the internet.

Multiple critical UPnP vulnerabilities have been disclosed over the years, some allowing remote code execution from the WAN side without authentication. Disable UPnP and manually configure port forwarding for the specific applications that need it.

Where to find it: Advanced Settings, NAT, or Network. Look for "UPnP," "Universal Plug and Play," or "NAT-PMP."

9. Set Up a Guest Network or IoT VLAN

IoT devices - smart speakers, cameras, thermostats, light bulbs - often have weak security and receive infrequent updates. Placing them on the same network as your computers and phones means a compromised IoT device can potentially attack your primary devices.

Create a separate network for IoT devices. Most routers support a guest network that is isolated from the main network. Put your IoT devices on the guest network. They can reach the internet (to connect to their cloud services) but cannot communicate with devices on your primary network.

For routers that support VLANs, create a dedicated IoT VLAN with firewall rules that block traffic from the IoT VLAN to the primary VLAN. This provides stronger isolation than a basic guest network.

graph TD
    subgraph "Segmented Home Network"
        A[Router] --> B[Primary SSID - Trusted Devices]
        A --> C[IoT SSID - Smart Home Devices]
        A --> D[Guest SSID - Visitors]
        B --> E[Laptops, phones, tablets]
        C --> F[Cameras, speakers, lights]
        D --> G[Guest devices - internet only]
    end
    subgraph "Isolation Rules"
        H[IoT cannot reach primary network]
        I[Guest cannot reach any internal network]
        J[Primary has full access]
    end
    C -.->|Blocked| E
    D -.->|Blocked| E
    D -.->|Blocked| F

Network segmentation with three SSIDs - IoT and guest networks are isolated from primary trusted devices

Where to find it: Guest Network settings (usually a dedicated section). For VLANs: Advanced Settings, Network, or LAN settings on routers that support VLAN tagging.

10. Review Port Forwarding Rules

Port forwarding rules expose internal services to the internet. Each forwarded port is a potential entry point for attackers if the service behind it has a vulnerability. Review your port forwarding rules and remove any that are no longer needed.

Common scenarios: a port forwarded for a game server you no longer run, a forwarded port for a security camera that was replaced, or test rules created during troubleshooting and never removed. Each of these is an unnecessary hole in your router's firewall.

For each remaining port forwarding rule, verify that the service behind it is current and patched. If a forwarded port leads to a device running outdated software, that port is an active vulnerability.

Where to find it: NAT, Port Forwarding, or Virtual Server settings. Some routers list it under Advanced, Firewall, or WAN.

Verification with the BLEShark Nano

After completing the checklist, verify your changes from outside the router. The BLEShark Nano's WiFi scanner provides the external perspective needed to confirm your configuration.

Confirm WPA2/WPA3. Scan for your network and check the encryption type shown. It should match what you configured. If it shows WPA or WEP, the security mode did not apply correctly.

Check WPS status. The scan results show whether WPS is enabled for each network. Your network should show WPS as disabled. If it still shows as enabled after you disabled it in the admin panel, your router may not be fully disabling WPS.

Test PMF with a deauth check. The BLEShark Nano can send deauth frames to test whether PMF is working. If PMF is correctly enabled and set to required, your devices should remain connected during the test because they will reject the unauthenticated deauth frames. If devices disconnect, PMF is either not enabled or not working correctly. Note: in EU firmware, deauth is disabled for compliance reasons.

These three checks take less than a minute and give you confidence that the ten hardening steps actually took effect. Configuration changes that do not apply (due to firmware bugs, router limitations, or human error during setup) are surprisingly common. External verification catches these failures before an attacker does.

Router hardening is not a one-time task. Firmware updates continue to be released. New features may reset settings to defaults. Periodic verification - monthly or quarterly - ensures that your hardened configuration remains intact. Add a calendar reminder, spend five minutes with the checklist and a scanner, and keep your network's first line of defense solid.