Make sure you choose WPA2/WPA 3 for Wi-Fi encryption
for backwards compatibilityDisable WPS
when it’s not
neededSTEP ONE in hardening the security
of your home network lies in
determining if your router remains
fit for purpose. If it’s over six or
seven years old, now is a good time
to consider upgrading to something
more robust that supports the
latest security protocols. The
boxout on page 45 reveals what
to look for in a new router—the
Synology RT2600ac we recommend
is one of two routers we’ve tested
for this feature, the other being
an older—and more consumer-
oriented—Archer VR900 modem
router. Alternatively, check out the
box on DD-WRT on page 46 to see
if it’s possible to give your existing
model a new lease of life.
Whether you’ve decided to
splash out on a new router, or
simply wish to perform a network
security audit with your current
model, step one is to log into your
router’s management tools, which
is typically done through your web
browser. All you need to do is type
your router’s IP address into the
browser and hit Enter. If you’re
wondering what its IP address
is, open Settings > Network &
Internet in Windows 11 and click
Properties. Your router’s IP address
will be listed next to IPv4 gateway.
You’ll be prompted to log in,
typically with a username and
password, but sometimes just a
password. If you’ve never done this
before, then consult your router
manual. You’ll discover the default
login details aren’t exactly secure,
and this is where you should
perform your first tweak: change
them to something infinitely more
challenging to bypass.
Look for an admin section in
your router’s management utility.
Archer users will need to navigate
to Advanced > System Tools >
Administration to change this to
something more secure; Synology
users would change this during
the initial setup, or later on under
‘Control Panel > User’. Synology’s
approach scores points because
it adopts a multi-user model, so
would-be hackers would need to
guess your username as well as
your password to gain access.
We recommend using a
password manager’s generator
such as that offered by Bitwarden
to create your new password—
something random, containing a
mixture of letters, numbers, andspecial characters, and at least 14
characters long to protect it from
brute-force attack. Obviously,
make sure this is saved in your
password manager or written down
somewhere safe.
While you’re in the administration
section, look for an option that
allows you to administer your router
remotely—in other words, from
outside your local network over
the internet. Disable this feature to
prevent any drive-by hackers from
attempting to log in.
If you think there will be times
that you’ll need this feature, look
to strengthen your account further.
In the case of Synology routers, you
can apply two-step verification via
a 2 FA code to add an extra layer of
security. Try to get into the habit
of leaving the feature disabled,
except when you need it (say when
traveling), to minimize its exposure
to the internet.CHANGE YOUR
NETWORK SUBNET
Now is also a good time to consider
changing your network’s default
subnet. Most routers default to192 .1 68 .0 or 192 .1 68 .1 for their
subnet and assign themselves
an obvious IP address, such as
192 .1 68 .1.1 at the same time. This
makes IP addresses easier for
hackers to guess, even after you’ve
disabled the automatic assignment
of IP addresses to new devices via
DHCP (see further down). Why not
pick something less obvious, for
example, 192 .1 68 .42 as a subnet,
and 192 .1 68 .42. 187 for your router’s
IP address?
Be warned: if you’ve already
assigned manual IP addresses
on the router’s current subnet
to certain devices for whatever
reason, they will lose network
access as soon as the change is
made, so switch them back to
automatic/DHCP for now. If you’re
looking at your Windows 11 PC,
for example, you can do this via
‘Settings > Network & Internet’.
Click your network adapter (WiFi
or Ethernet) followed by Edit next
to ‘IP assignment’ to set it back to
‘Automatic (DHCP)’.
Once done, make the change: For
example, Synology users should
head over to ‘Network Center >
Local Network > General tab’
where you’ll see your router’s
current IP address under Local
IP. Change this to the desired
replacement, leaving the Subnet
mask set to 2 55.255.255.0. Make
sure you update the DHCP settings
beneath this too.
After clicking Apply, you’ll
momentarily lose your connection,
but when it returns, you should be
able to log on to your router again
via its new IP address to continue
tightening security.networking security guide