Dust off your home WiFi router: It needs some upkeep to stay secure

Five steps to protect it so bad actors can’t run up your electricity bill

(iStock/Washington Post illustration)
Placeholder while article actions load

If your home — with all its blinking, beeping, Internet-connected devices — is a little digital kingdom, your WiFi router is the gate. And somebody needs to keep a close eye on it.

Unfortunately, router maintenance is rarely at the top (or even the bottom) of our to-do lists.

Back in 2007, Zulfikar Ramzan, chief scientist at digital safety company Aura, says he helped uncover a new kind of cyberattack: By simply getting a victim to view a single webpage, hackers could change the settings on home routers — those bulky boxes collecting dust in your closet that connect your tech devices to the Internet — and direct all the victim’s online traffic anywhere they chose. Fifteen years later, people are still making the same security mistake that led to those attacks by failing to reset the default password on their home routers, he says.

“I think with routers, you just assume it’s safe. No one ever thinks about it. But they can also be a conduit,” Ramzan said.

Within minutes of going online, routers become targets for hackers, cybersecurity experts say. Some cybercriminals steal the router’s computing power to mint cryptocurrency such as bitcoin — and run up your electricity bill. Others make off with your data after using your router to grab remote access to your computers. Some even put fake error messages up on connected gadgets like smart TVs, urging you to call a phony customer service number.

Buggy software in off-brand smart home devices is a hacker’s playground

You can sidestep most of these risks with some simple router maintenance. One day a year is all it takes to stay secure, says Brian Contos, chief security officer at Phosphorus Cybersecurity.

“Maybe on April Fools’ Day every year I’m going to take a look and see if there’s any updates or changes that I need to worry about because the risks on the back end of not doing anything are actually growing,” Contos said.

Here’s your Help Desk checklist for home router upkeep.


Set a strong password

Your router likely came with a default password. If you don’t change it to something distinct, hackers can punch it in remotely and access your network.

If you bought your own router, it probably came with a companion app where you can reset the password.

If you’re renting from your Internet service provider, you can still change your password online. Find the IP address printed somewhere on your router, its packaging or its manual. (It will be a set of four numbers separated by periods.) Type the IP address into the search bar of your Internet browser and hit go. That should take you to a page where you can choose to set a new password.

Go with a strong password you haven’t used anywhere else. Strong passwords have at least 12 characters as well as some numbers and special symbols, and they don’t connect directly to some easily-guessable aspect of your life. (So no pets’ names. And “password123” is off limits forever.)

Last, record the unique password somewhere secure — we recommend using a password manager like Dashlane, LastPass or 1Password. No need to rotate the password often, Contos said. Once a year is plenty.

The ultimate guide to secure passwords


Update the software

The software that runs on your router is called “firmware,” and it needs updates just like the operating system on your smartphone.

If your router allows for automatic updates, turn those on. That way, you don’t have to keep tabs on new updates, which are generally chock full of security fixes that keep bad actors out.

Otherwise, you should find updates in the same place you went to reset your password.

Want to avoid a cyberattack? Stop ignoring those pesky software updates.


Consider an upgrade — or get your own router

If your router is more than three or four years old, it’s probably time for a new one, Contos said. New systems come with better encryption options — which hide your traffic from snooping eyes — more secure radio frequencies for your WiFi to travel on and easier management tools, he said. Your old system also could be a liability. In the worst cases, the hardware is no longer supported, Contos said, which means it no longer gets essential security updates.

For the best value and security, consider investing in your own router rather than renting from your Internet service provider, he added. A router from an electronics store should come with extra security features as well as an easier interface for updating passwords and software, if updates aren’t totally automatic.


Don’t reveal personal details in your network name

Leave last names, home addresses, apartment numbers and phone numbers out of your SSID, which is the network name you see when you connect to your WiFi. That gives strangers more information than they need, Contos said.

At the same time, don’t keep the network name that comes with your router, especially if it reveals the device’s model and manufacturer. If hackers are trying to identify routers with outdated software or particular default passwords, this makes their job easier.


Don’t forget your other connected devices

Your router is the gateway to your home network, but beyond it lie a bunch of other connected gadgets that are potential vectors for cyberattacks, Ramzan said. His company’s metrics indicate that people have an average of 50 connected devices in their homes.

Choose distinct passwords for all your password-protected devices, check regularly for software updates and be wary when buying from manufacturers you aren’t familiar with. With a few extra checks, you can keep your router and other devices cybercrime-free.

Password managers have a security flaw. But you should still use one.