So you've just been given, or given yourself, a brand-new Wi-Fi router for the holidays. What's the first thing you should do?
The answer: There are roughly half a dozen "first" things you need to do after you take the router out of the box and plug it in. But we'll start with the three most important ones.
1. Change the default admin password
This is not the password you need to get internet access — we'll get to that in a minute — but instead the password you need to get into the router's settings and perform other administrative tasks.
In most cases, a brand-new Wi-Fi router will come out of the box with a very simple factory-default admin password like, well, "admin" or "password." And if you don't change that admin password, that might be the single greatest cybersecurity mistake you can make.
Not only are the default admin passwords easy to guess, but they're also public knowledge. Here and here and here are websites listing the default admin passwords for top router brands like Linksys, Netgear and TP-Link.
If you leave the admin password unchanged, anyone who can get on your Wi-Fi network will be able to get into the router's settings and change your access password, add more devices to the network or even change the admin password themselves to lock you out.
Sophisticated attackers might be able to access your router through the internet — more on that below — and, with your admin password, do whatever they want. They could change your router's settings to send you to a fake bank login page when you think you're going to the real thing, or load dodgy firmware that hacks your router.
The admin password you create should be long, strong and very hard to guess. You can use one of the best password managers to generate and store it, or you can just use an online password generator and then write the password down and keep it someplace safe.
Think of it this way: Your home Wi-Fi router is the gateway to the internet. If the person who controls that gateway is not you, then someone else has control over what you see and do online.
2. Change the Wi-Fi access password
This is a bit less important than the admin one, but you still don't want just any jerk passing by to be able to get on your Wi-Fi network. It's a lot easier to hack a router or other devices on the network if you can get on the network itself.
Many newer routers don't have a default access password, but instead force you to make one up during the setup process. Don't rush it creating the password or making it something too easy.
Your Wi-Fi access password should not be too obvious, but still something you'd remember — not "123456," but maybe a word mixed up with capital letters, numbers and punctuation marks, like "BullM00se1776!" or some such.
3. Change the default network name
Many routers will automatically create a network name, or SSID, based on their model name or number. So if you pass by an apartment building and scan for home Wi-Fi networks, you'll generally see a number of networks with names that include "xfinitywifi," "linksys," or "NETGEAR."
The danger here is that if an attacker knows what kind of router you have, they can attack it more easily if that router brand is known to have security flaws. And if you're the kind of person who leaves the network name unchanged, chances are you've left the admin password unchanged and have a lousy access password too.
Ideally, you want a Wi-Fi network name that's memorable and unique but doesn't contain your name, address or any other personal information. Anything that doesn't contain that information or the router brand should be fine. So go ahead and call your network "FBI-Surveillance-Van" — there's one on almost every block.
Other router settings you ought to change
Now we'll get into the weeds. These are not the "first" things we'd do when setting up a new router, but if we were setting up your home network, we wouldn't want to use the router at all without doing these too.
As with the settings above, you would change these settings in the router's administrative interface, whether that's through a web browser or a smartphone app. But these settings might be buried on a second page or in the "advanced" section; you may have to do some poking around to find them.
1. Turn off remote access to the router
Router makers think you might like to be able to access your home router from your workplace, and they certainly like to make it easy for their own tech-support personnel to do so when they're fielding your troubleshooting calls.
But as Admiral Ackbar might say, it's a trap. Remote access is how hackers and malicious programs locate and attack your router from afar.
They'll scan the internet for routers of specific brands that have remote access turned on, then try each result with that brand's default admin username and password. Much of the time, they get in and can install malware or change router settings.
2. Turn off Universal Plug and Play
You may not be familiar with the Universal Plug and Play (UPnP) networking protocol, but it allows devices on the same Wi-Fi network to "find" and connect to each other without any sort of authentication. It's how a smart-home device can find and connect to a smartphone over the Wi-Fi network without you having to fiddle with port configurations and connection protocols.
This is all fine and dandy if all the activity stays on the local network. But UPnP has been extended so that more advanced devices, such as gaming consoles or security cameras, can automatically change router settings so that those devices can have fast two-way connections to the internet.
Hackers love this. There are at least half-a-dozen different ways in which UPnP can be exploited to hack your home Wi-Fi network and the devices within. Unfortunately, most home Wi-Fi routers come with UPnP turned on by default. Turn it off.
3. Turn off Wi-Fi Protected Setup
Router makers in the mid-2000s decided that entering access passwords was too hard for many people, so they created two supposedly foolproof methods for getting a device connected to a Wi-Fi network and the internet beyond, and called them Wi-Fi Protected Setup (WPS).
If your router has WPS built in, you can either press a button on the router at the same time you're tapping an icon or pressing a button on the device to be connected, or you can enter an eight-digit security PIN — often printed on a sticker on the back or bottom of the router — in place of the access password.
As with UPnP, this sounds great. But it creates a security nightmare. Anyone visiting your house for any reason can connect their devices to your network without your permission as long as they can physically get their hands on your router for a few seconds. Think of that next time you throw a big party.
Meanwhile, that eight-digit WPS security PIN is really two PINs of three and four digits each, plus a checksum. That means it's got only 11,000 possible configurations (not 100 million as it should) and can be easily "brute-forced" by a laptop or smartphone in less than an hour.
So turn off WPS — if you can. Some older or less expensive routers won't let you. (Some newer or pricier routers don't have WPS at all — check for that PIN sticker.)
If you're sure your router has WPS and you can't turn it off, then lock the router in a glass or wooden cabinet so that no one else can access it physically without your permission.
4. Turn on automatic firmware updates
Automatic firmware updates should be turned on by default, but it’s good to make sure that this setting is actually enabled in your router. When responsible router makers discover a vulnerability in their router’s firmware, they will issue a patch to seal that potential security breach.
However, if you don’t have automatic firmware updates enabled, your router won’t get this patch on its own, leaving your network more vulnerable to attacks. Firmware updates can also improve the performance of routers and add new features, which is another reason why this setting should be turned on.