Router Security: Security Checklist
Website by Michael Horowitz

The most expert person in the world can only make a router as secure as the firmware (router OS) allows. The following list of security features lets you judge how secure a router can potentially get. This is not a list of things to do to make a router more secure. That list includes a number of actions, like changing the default password, that are common to all routers and thus not in the list below. If you care about securing a router, look for it to have the features below. Sadly, reviews of routers never discuss any of this.

  1. WPS   (updated March 30, 2017)
  2. NO DEFAULT PASSWORDS (added Nov. 21, 2015)
  3. Default passwords are a huge problem for routers and should not be allowed. Even default passwords that look random are not. Eventually, someone figures out the formula for creating that password and can often use that, combined with public information from the router, to derive the password. Thanks to Russ for this idea.
  5. A malicious person on your network is bad enough, but we need to prevent them from being able to modify the router. The web interface of a router also needs to be protected from malicious web pages that exploit CSRF bugs.

  7. WIFI
  8. No one can hack into a network that does not exist.
  9. WPA2
  10. Although every router offers WPA2 encryption with a Pre-Shared Key (PSK), there are still things to look for:
  12. In general, a guest network is a good thing. I blogged on this December 2015: To share or not to share - a look at Guest Wi-Fi networks. But, not all guest networks are the same.
  14. ROUTER ADMIN PASSWORD (updated Nov. 15, 2015)
  15. FIREWALL   (updated Jan. 14, 2019)
  16. There are three aspects to the security of a router firewall.
  18. I am well aware that MAC address filtering is far from perfect. That said, it does make it harder for bad guys to get on to your network. Many people say not to bother with it, both because it's a big administrative hassle, and, because it will not block a skilled attacker. The administration hassle, however, is not the same on all routers.
  19. UPnP (Revised Jan 12, 2019)
  20. Universal Plug and Play (UPnP) can be a security problem in two ways. It was designed to be used on a LAN where it lets devices poke a hole in the firewall. It is how IoT devices make themselves visible on the Internet, where many of them get hacked, either due to security flaws or the use of default passwords. UPnP was never meant to be used on the Internet, but some routers mistakenly enabled it there too. Most routers let you disable UPnP on the LAN side.
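As an added example (not code from this site or from any router vendor), here is a small Python audit that asks the router's UPnP Internet Gateway Device which port mappings it currently holds, using SSDP discovery and the standard WANIPConnection GetGenericPortMappingEntry action. The SAMPLE_* strings are constructed stand-ins so the parsing can be exercised offline; on a real LAN, no IGD answering at all is the result you want if UPnP is disabled.

```python
# Added example, not code from routersecurity.org: list the port mappings the router's
# UPnP IGD holds (holes LAN devices punched in the firewall) via SSDP + GetGenericPortMappingEntry.
import re, socket, urllib.error, urllib.request
from urllib.parse import urljoin
import xml.etree.ElementTree as ET

IGD_ST = "urn:schemas-upnp-org:device:InternetGatewayDevice:1"
WANIP = "urn:schemas-upnp-org:service:WANIPConnection:1"
SOAP = "http://schemas.xmlsoap.org/soap/envelope/"
DEV = "{urn:schemas-upnp-org:device-1-0}"

def ssdp_location(reply):
    """LOCATION header (device description URL) from an SSDP M-SEARCH reply."""
    m = re.search(r"^location:[ \t]*(\S+)", reply, re.I | re.M)
    return m.group(1) if m else None

def discover_igd(timeout=2.0):
    """Multicast one M-SEARCH; None = no IGD answered, as it should be with UPnP off."""
    msg = ('M-SEARCH * HTTP/1.1\r\nHOST: 239.255.255.250:1900\r\nMAN: "ssdp:discover"'
           '\r\nMX: 1\r\nST: %s\r\n\r\n' % IGD_ST).encode()
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(msg, ("239.255.255.250", 1900))
        try:
            return ssdp_location(s.recvfrom(4096)[0].decode(errors="replace"))
        except socket.timeout:
            return None

def control_url(description_xml, base_url):
    """Absolute controlURL of the WANIPConnection service in the device description."""
    for svc in ET.fromstring(description_xml).iter(DEV + "service"):
        if svc.findtext(DEV + "serviceType") == WANIP:
            return urljoin(base_url, svc.findtext(DEV + "controlURL"))
    return None

def parse_mapping(response_xml):
    """GetGenericPortMappingEntry reply -> dict of New* fields; None on a SOAP fault (past end)."""
    root = ET.fromstring(response_xml)
    if root.find(".//{%s}Fault" % SOAP) is not None:
        return None
    return {e.tag: e.text or "" for e in root.iter() if e.tag.startswith("New")}

def fetch_mappings(ctl_url, limit=1000):
    """Walk indexes 0, 1, 2, ... until the router faults (fault 713); returns the list."""
    hdrs = {"Content-Type": 'text/xml; charset="utf-8"',
            "SOAPAction": '"%s#GetGenericPortMappingEntry"' % WANIP}
    found = []
    for i in range(limit):
        body = ('<s:Envelope xmlns:s="%s"><s:Body><u:GetGenericPortMappingEntry'
                ' xmlns:u="%s"><NewPortMappingIndex>%d</NewPortMappingIndex>'
                '</u:GetGenericPortMappingEntry></s:Body></s:Envelope>' % (SOAP, WANIP, i))
        req = urllib.request.Request(ctl_url, body.encode(), hdrs)
        try:
            with urllib.request.urlopen(req, timeout=5) as r:
                m = parse_mapping(r.read().decode())
        except urllib.error.HTTPError as e:  # the fault arrives as an HTTP 500
            m = parse_mapping(e.read().decode())
        if m is None:
            break
        found.append(m)
    return found

def audit():  # discover the IGD and list its mappings; None if nothing answers on the LAN
    loc = discover_igd()
    if loc is None:
        return None
    desc = urllib.request.urlopen(loc, timeout=5).read().decode()
    return fetch_mappings(control_url(desc, loc))

# Constructed samples (not captured from a real router) so the parsers run offline.
SAMPLE_SSDP = ("HTTP/1.1 200 OK\r\nST: %s\r\n"
               "LOCATION: http://192.168.1.1:5000/rootDesc.xml\r\n\r\n" % IGD_ST)
SAMPLE_DESC = ('<root xmlns="urn:schemas-upnp-org:device-1-0"><device><serviceList>'
               '<service><serviceType>%s</serviceType><controlURL>/ctl/IPConn'
               '</controlURL></service></serviceList></device></root>' % WANIP)
SAMPLE_MAPPING = ('<s:Envelope xmlns:s="%s"><s:Body><u:GetGenericPortMappingEntryResponse'
                  ' xmlns:u="%s"><NewExternalPort>5900</NewExternalPort><NewProtocol>TCP'
                  '</NewProtocol><NewInternalClient>192.168.1.50</NewInternalClient>'
                  '<NewPortMappingDescription>VNC</NewPortMappingDescription>'
                  '</u:GetGenericPortMappingEntryResponse></s:Body></s:Envelope>' % (SOAP, WANIP))
```

Run audit() from a machine on the LAN; every entry it prints is a port the router is forwarding from the Internet to a device you may not have known about.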
    • Can it be limited by source IP address and/or source IP subnet? The secure answer is yes. For example, both Real VNC and Apple Remote Desktop listen for incoming connections on TCP port 5900. Without this feature, anyone in the world can connect to these programs on that port. Bad guys scan the Internet to find devices that are listening on port 5900. With this feature, you can limit who is allowed to talk to the software on port 5900. The official term for this, I believe, is IP Filtering.
    • Can port forwarding be scheduled? If a techie uses Real VNC or Apple Remote Desktop to help a non-techie with their computer, but only does so in the evening, then this feature lets the forwarding of port 5900 be disabled in the morning, afternoon and late night.

  22. Is HNAP supported?
    The correct answer is no. The Home Network Administration Protocol has been the basis for multiple router flaws. In April 2015 it was found to make a number of D-Link routers vulnerable. In Feb 2014 it was used as part of an attack on Linksys routers (see this for more). The Linksys firmware in their classic WRT-54G supported HNAP. In 2010 HNAP was used to hack D-Link routers. As far as I know, there is no way to disable HNAP. There are two ways to check for HNAP support. First, ask the router vendor. If nothing else, this can be a great test of technical support. If the company can't or won't answer this question, their routers are best avoided. Peplink, my preferred router vendor, does not support HNAP - I asked them. For a technical test, try to load HTTP:// where is the IP address of your router. This works from inside your network using the router's internal IP address. The real danger, however, is from the outside, so have someone try it from the Internet using the public IP address of your router, which you can find at many sites such as or For good luck, also run this test on port 8080, which would look like HTTP://

  24. SELF-UPDATING FIRMWARE (added Sept 29, 2016, revised Feb 15, 2017)
  25. Routers that automatically update their firmware have their own issues. A list of self-updating routers is on the Resources page.

    As for answering these questions, my experience with self-updating routers has been minimal. However, someone from Linksys was kind enough to address these issues (Feb. 2017) for their routers. I created a new page here for Self Updating Router Firmware and hopefully I can get answers from other router vendors too.

  26. Is the router vulnerable to the Misfortune Cookie flaw? This is not something we can test for ourselves, nor is there a full list of vulnerable routers anywhere. We need to have the router manufacturer issue a statement. So this is really a test of how the router vendor handles security issues. Did they post anything on their website? If you ask them, will they intelligently respond? The bugs page on this site links to responses from Actiontec and Peplink that their routers are not vulnerable. I looked for a Netgear response and could find nothing. ZyXEL patched some of their routers but not others. If a company is not forthright about this flaw, then you know that they can't be trusted to make a secure product. And, even if they were vulnerable, but issued updated firmware, I would also be concerned as this means they shipped extremely old software.

  27. Can it block access to a modem by IP address? See my blog posts on this: part one and part two.

  28. LOGGING: (revised Nov. 23, 2015)
    • Is there a log file (or files)? There should be, and hopefully, the data in the log is reasonably understandable and useful. I find the log created by Asus routers all but worthless. An old Verizon DSL gateway, the D-Link 2750B, had both a System Log and a Security Log. The Pepwave Surf SOHO has a single log file. The D-Link 860L has three log files: System, Firewall & Security and Router Status.
    • Does it log unsolicited incoming connection attempts? I consider this particularly interesting as it helps to illustrate how dangerous the Internet is and why a secure router is important. It's one thing to be preached to about how dangerous the Internet is, but quite another to see evidence of computers all over the world trying to hack into your router. If you see computers from China trying to access certain ports on the router, you can research the ports, try to close them, or forward them to a non-existing local IP address. This may be asking too much of a router (that is, it may require an NGF or UTM).
    • Does it log failed logon attempts? Successful logons? Failed logons are obviously good to know about, but so too are successful logons, just in case the person in charge of the router was not the one who successfully logged in. Hopefully, the logged information includes the source IP address.
    • Is anything logged when a new device joins the LAN? It would make a great audit trail if the router logged the client MAC address every time a new device joined the network. As of Firmware 6.3, released in Jan. 2016, Peplink can optionally log each time an IP address is given out by its DHCP server. There is no option, however, to log the appearance of a new device with a static IP.
    • Can it log all Internet access by a single device? In Nov. 2015 it came to light that a Vizio Smart TV was watching you and phoning home screen shots, even when it was playing video from an external source (think Roku and DVD). This feature lets you keep a close watch on any such "smart" device. It can be used to track children online. My favorite router company, Peplink, is due to roll out this feature in Firmware version 6.3 by the end of 2015.
    • Does it log changes made to the router configuration? Peplink does a poor job of this; their log typically just says "Changes have been applied" with no indication of what was changed. On the other hand, the D-Link 860L logs nothing at all, not even the fact that something changed. The best I have read about are some DrayTek routers that create an audit trail/log of all admin access/activity.
    • Do the log files disappear when the router is powered down? If so, it makes it that much harder to spot trends or changes. The logs on the D-Link 860L are wiped out when it is powered off. This is not true on the Pepwave Surf SOHO.

  29. EMAIL: (added Nov. 19, 2015)
  30. Can the router send an email message when something bad happens?
  31. DDNS:
  32. Not everyone needs DDNS; it is mostly used for remote administration. If you do need it, there are some options to look for.
  34. It's nice to know who/what is connected to the router
  35. Can you disable the file sharing of storage devices plugged into a USB port? This came up in May 2015 with the industry-wide NetUSB flaw. Some routers let you disable the buggy file sharing, others did not. Netgear, for example, admitted there was no way to disable the flawed file sharing software. NetUSB was the second file sharing flaw that I am aware of. Asus had a bug here that exposed files on storage plugged into a USB port to the Internet at large.
    If you must use a router to share files, then look for one that offers a way to safely disconnect the USB storage device. At least some Linksys routers have a Safely Remove Disk button. TRENDnet labels their button Safely Remove USB Device. And, just for good luck, avoid putting sensitive files on the storage device plugged into the router. My suggestion, however, is to look for a low end Synology or QNAP NAS device. As of May 2015 the cheapest Synology NAS (model DS115j) is $100 without a hard drive. QNAP seems to start around $120, also without a hard drive.

  36. Access to the web interface of a router is typically done via IP address. But dealing with IP addresses may well be too much for non-techies. Thus, to make things easier (almost always a security issue in the making) for people, some router companies offer fixed names. This lets someone on the LAN get into the router with http://something.easy rather than Netgear uses and TP-LINK uses, Asus uses, Netis uses, Edimax uses edimax.setup, Amped Wireless uses, Linksys uses myrouter.local and According to (the page is both undated and un-credited) this is a security weakness. Even if you follow the advice offered on this site, and elsewhere, to use a non-standard local subnet (such as 10.11.12.x) bad guys can still find your router (most likely via CSRF in a malicious web page) using these aliases. In addition, none of the router vendor documentation indicates that any of these names support HTTPS, which should always be used when logging in to a router.

  37. SSID hiding: (added Nov. 11, 2015) Like MAC address filtering, this offers only a small increase in security and comes with a high hassle factor. It was not included here at first, because I had not run across a router that did not offer it. But, there may well be some. Some routers, like those from Google, are focused on ease of use for non-techies and thus throw many features overboard. They, and others, may well omit this feature. Not sure.

  38. Smartphone apps: (updated Feb. 1, 2019)
  39. Security when administering a router via a web browser is easily understood, but smartphone apps are different.
  40. PRIVACY (Updated Jan. 17, 2019)
    • Do you need to have an account with the hardware manufacturer? This is a relatively new issue; I first ran across it with the mesh router systems targeting consumers that require you to have an account with the hardware vendor. The problem with this is that you never know what information is being reported back to the mother ship. One way of forcing you to open an account is to make the router into a brick when it is off-line. Eero, for example, wants your phone number before the router can be configured. And, even ignoring privacy issues, this probably means that if the hardware vendor goes out of business the router is useless. The Ubiquiti AmpliFi and the Netgear Orbi mesh router systems do not require a vendor account. Neither does Peplink/Pepwave. Luma not only requires an account, but you can't even set up the router if location services are disabled on the mobile device running its app. Google requires an account to use their routers and their privacy policy is here: Google Wifi and your privacy (last updated Dec. 2016).
    • For routers that do not require a vendor account, we still have to ask: how much, if any, data does the router send back to the hardware manufacturer? I have tested this with my favorite router, the Pepwave Surf SOHO. The only outbound requests the router made were for the time of day. It did not send anything back to Peplink at all. Netgear swings both ways. While an account is not needed, in July 2017, they started collecting "analytics". For more on this see the Bugs page for July 2017, this article and What router analytics data is collected and how is the data being used by NETGEAR? (last updated Aug. 2018).
    • Linksys is owned by Belkin, which in turn, is owned by Foxconn Interconnect Technology, a subsidiary of Foxconn, the Taiwanese company best known for making iPhones. The Linksys Privacy Policy says: "We automatically collect information when you use Belkin websites or Belkin products, including ... usage data about how and when you use Belkin products, other devices that are connected to Belkin products and what features of Belkin products you use; [and] technical information and data gathered when your Belkin products are connected to the Internet, such as how many and which devices are connected to your home network, when you use the devices and the amount of network traffic generated." I am not sure which, if any, Linksys routers require an account.
    • Integrated security software: Some router vendors are integrating security software into the router firmware. One example is Netgear, which offers BitDefender software with some of their router firmware. This is sold to the public as good for security, but the flip side is that it is bad for privacy. Considering the EULA that Trend Micro requires router owners to agree to, it may be best to avoid routers that include Trend Micro software. The EULA notes that web page URLs and email message may be sent to Trend Micro. For more, see Review: ASUSWRT router firmware by Daniel Aleksandersen (May 2017) and The Asus RT-AC68U router - it's fast but it also secure? by John Dunn (July 2015).

  41. NEW DEVICE NOTIFICATION: (updated July 22, 2019)
  42. As the administrator of a Local Area Network, I would like to be dinged every time a new device gets onto the network. The ding could be a text message, an email, perhaps even a beep sound. Something, to alert me about a device (really a MAC address) that has not been seen before. There are two ways this might go, either I have to approve the new device before it is allowed access or it is allowed by default, but I am notified and can disable it later.
  43. RECENT DEVICES (added August 9, 2017)
    It would be nice if a router displayed a list of devices that had recently been on the network. This makes it easier to audit for devices that should not be there. Eero and the Norton Core router do this. Peplink sort of does this. Its display of currently attached devices includes devices that are not currently attached but were recently attached. I think devices are included in the display until the lease on their IP address expires. Peplink can also log to its Event Log every time its DHCP server gives out an IP address.
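The logging questions above and the new-device notification wish come together once a router actually writes logons, DHCP leases and blocked inbound connections to a log. As an added example (not code from this site or any router vendor), the Python below reviews such a log for four things worth acting on: MAC addresses never seen before, sources hammering the admin logon, successful admin logons from outside the LAN, and the most-probed ports. The log format and the lines in SAMPLE_LOG are constructed for the example; a real router's format differs and the regexes would need adapting.

```python
# Added example, not code from routersecurity.org or any router vendor. The log
# format below is constructed; real routers each use their own.
import ipaddress
import re
from collections import Counter

# Constructed sample log lines (not from a real router).
SAMPLE_LOG = """\
Jan 14 08:01:02 router dhcp: lease 192.168.1.50 to 3c:22:fb:11:22:33 (laptop)
Jan 14 08:03:10 router dhcp: lease 192.168.1.77 to 70:ee:50:aa:bb:cc (esp_wroom)
Jan 14 08:05:00 router admin: login failed user=admin from=203.0.113.9
Jan 14 08:05:02 router admin: login failed user=admin from=203.0.113.9
Jan 14 08:05:04 router admin: login failed user=root from=203.0.113.9
Jan 14 08:07:31 router admin: login ok user=admin from=192.168.1.50
Jan 14 08:09:15 router admin: login ok user=admin from=198.51.100.4
Jan 14 08:10:00 router firewall: drop in wan tcp 203.0.113.9:41234 -> 203.0.113.200:5900
Jan 14 08:10:05 router firewall: drop in wan tcp 198.18.0.7:5555 -> 203.0.113.200:5900
Jan 14 08:10:09 router firewall: drop in wan tcp 198.18.0.7:5556 -> 203.0.113.200:23
Jan 14 08:11:00 router ntp: clock synchronised
"""

PATTERNS = {
    "lease": re.compile(r"dhcp: lease (?P<ip>\S+) to (?P<mac>[0-9a-f:]{17}) \((?P<name>[^)]*)\)"),
    "login": re.compile(r"admin: login (?P<result>ok|failed) user=(?P<user>\S+) from=(?P<src>\S+)"),
    "drop": re.compile(r"firewall: drop in wan (?P<proto>\w+) (?P<src>[\d.]+):\d+ -> [\d.]+:(?P<dport>\d+)"),
}

def parse_line(line):
    """Classify one log line; returns (kind, fields) or None for lines we do not care about."""
    for kind, pat in PATTERNS.items():
        m = pat.search(line)
        if m:
            return kind, m.groupdict()
    return None

def review(log_text, known_macs, lan_net, fail_threshold=3):
    """Reduce a router log to the handful of facts an administrator wants dinged about."""
    lan = ipaddress.ip_network(lan_net)
    new_devices, failed, probes, wan_logins = {}, Counter(), Counter(), []
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if not parsed:
            continue
        kind, f = parsed
        if kind == "lease" and f["mac"] not in known_macs:
            new_devices[f["mac"]] = (f["ip"], f["name"])   # a MAC address never seen before
        elif kind == "login":
            if f["result"] == "failed":
                failed[f["src"]] += 1
            elif ipaddress.ip_address(f["src"]) not in lan:   # admin logon from the Internet
                wan_logins.append((f["src"], f["user"]))
        elif kind == "drop":
            probes[f["dport"]] += 1   # which ports the outside world keeps knocking on
    return {
        "new_devices": new_devices,
        "brute_force_sources": sorted(ip for ip, n in failed.items() if n >= fail_threshold),
        "wan_admin_logins": wan_logins,
        "top_probed_ports": probes.most_common(3),
    }

if __name__ == "__main__":
    report = review(SAMPLE_LOG, known_macs={"3c:22:fb:11:22:33"}, lan_net="192.168.1.0/24")
    for key, value in report.items():
        print(key, value)
```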

  44. FACTORY RESET (Added Nov 27, 2018)
    A factory reset should put the router into a secure state, and, it should erase all personal data.

Rare security features

It can be argued that VLAN support belongs in the list above and I may add it at some point. It's certainly a security feature and not all that rare. VLANs (Virtual LANs) let you logically divide a single LAN into isolated sections. If attackers gain access to one section of the network, the VLAN prevents access to other areas of the same network. Sony Pictures would have been well advised to employ VLANs; it would have limited the damage from their breach. Security is also much improved by isolating IoT (Internet of Things) devices as much as possible. VLANs are not in the list above because many people get close enough to the VLAN experience with Guest networks. One difference, however, is that a VLAN is a separate subnet, a feature that Guest networks are not likely to include. I use a VLAN isolated wireless network at home for assorted devices that only need Internet access and do not need to see a network printer or a NAS box, let alone the computers on the LAN. The Pepwave Surf SOHO can even prevent this network from directly accessing the router. VLANs are not just for Wi-Fi; some routers, such as the Pepwave Surf SOHO and the Ubiquiti Edge Routers, can put each Ethernet LAN port into its own VLAN.

I know of two routers that can make multiple SSIDs and within each one, isolate devices so that they can not see each other: the Pepwave Surf SOHO and the Invizbox 2.

VPNs and Tor: a router that can function as a VPN server lets you connect to it securely when traveling. To me, no big deal. A router that can function as a VPN or Tor client can provide some security to multiple devices, even those that are unable to use a VPN or Tor on their own. The Resources page has a list of routers that can function as VPN and/or Tor clients.

The lifespan of a router is like that of a banana, but the real problem is that it does not turn brown when it goes bad. Router manufacturers, as a rule, are not up-front and honest about how long their devices will be updated with security patches. If you look for new firmware and see the latest release was 2 years ago, does that mean the router has been abandoned (probably), or have there simply been no bugs in the last two years (unlikely)? In November 2018 the German government released router security guidelines and the big gripe was that they said nothing about this.

The Portal router, which is expected to start shipping late Summer 2016 has an unusual take on Guest networks. Exactly what it is, however, is not clear from their documentation which says: "You never need to give out your network password, and your guests never need to remember it. Granting Guest Access is done using the Portal App, which uses Facebook credentials or email addresses. Guest Access is time and distance controlled, making it very secure. Whenever a device that has been granted Guest Access is within range of your network, Portal automatically creates a guest network with random SSID and credentials. This information is securely exchanged over Bluetooth. When the guest device leaves your network, Portal deletes the guest network and credentials." Sounds interesting, I hope to fully understand it someday.

This may be asking too much, as I have not run across it anywhere: the ability to modify the Ethernet MAC address that is used as the base of WiFi networks. This would allow a router of brand X to masquerade as brand Y. This is a common feature, but I have only seen it apply to the WAN port. It exists because some ISPs use the MAC address as part of their security. I would also like it on the LAN WiFi side of things.


October 24, 2015: The German government, concerned about poorly secured routers, is considering a security rating system for routers. Using a checklist somewhat analogous to this one, routers will be given points for features that increase security. See German Govt mulls security standards for SOHOpeless routers. Three years later (November 2018), they released some security guidelines. See Germany proposes router security guidelines by Catalin Cimpanu of ZDNet and Germany pushes router security rules, OpenWRT and CCC push back by Richard Chirgwin of The Register.


Many routers are sold as a set of devices, commonly referred to as a mesh. Examples are Google Wi-Fi, Netgear Orbi, Eero, Ubiquiti AmpliFi. This raises the question, for which I have no answer, how is the communication between the two or three devices in a router system protected? As a rule, the main router controls firmware updates on the satellite devices. How? Securely?

Some non-security features to look for

Wake-on-LAN. It's not a security issue, but it is nice to have. Grandma's out at a movie? Log in to her router, turn on her computer remotely, install bug fixes for her and then turn it off :-) Asus routers have done this for a long time. Peplink introduced WOL in firmware version 6.3 in December 2015.

Kick the kids off the Internet at bedtime. This can be done a few ways. Perhaps the best approach is to have a dedicated network/SSID for the kids to use, keeping the passwords for other WiFi networks a secret from the children. Then, a router with scheduling ability can disable the kiddy network at bedtime. This can also be done using a single network/SSID but then you have to deal with identifying individual devices either by their MAC address or their IP address. This takes a bit more technical skill, is a bit more of a hassle to set up and maintain and requires that a specific device is always used by the same person.

Speed tests: Some routers can run their own speed tests. To really know how fast your Internet connection is requires an Ethernet connected device plugged directly into the modem, no router at all. But, a router running its own tests should be good enough.

Current bandwidth: If the Internet seems slow, it can be helpful if the router shows the current bandwidth being used by each attached device. While some can do this, you have a great router if the list of attached devices can be sorted to show those using the most bandwidth at the top. The Surf SOHO does this.

CPU usage: It can be helpful to see CPU usage as it lets you gauge when it's time for a new router. Check it at times when your router is the busiest and/or when streaming a video or two.

I prefer external antennas to internal ones as they are more flexible. I also prefer removable external antennas as they can be replaced if broken. They can also be upgraded should the need arise.

Ethernet lights: When things go wrong, it can be handy to have Ethernet status lights. There are two aspects to this. The main body of some routers has indicator lights for each LAN side Ethernet port. I prefer this; the more information provided, the better. Also, the Ethernet port itself may have two lights, indicating the link status/speed and activity. The lights on the Ethernet port often indicate the link speed (normally 100Mbps or 1,000Mbps) and, when blinking, that data is being transmitted. Plus, just their being on at all tells you something about the link.

Some routers have done away with the lights on top/front and/or the lights on the Ethernet ports. For example, the TP-LINK Archer D9 has a single Ethernet light on the front - beats me how it indicates the status of multiple Ethernet ports. Still, it is a step up from the $300 D-Link DIR 890L/R, released in February 2015 that has no Ethernet lights at all on the top. The Amped Wireless RTA1750 is unusual in that its Ethernet status lights on the front are all white. And, if you don't like them, there is a switch that turns them all off. The Asus RT-AC68U also has a button to turn off all the lights. I read that the upcoming Synology RT1900ac router (scheduled to be released some time in 2016) will let you schedule the status lights. Thus, you could have them on during the day, but off at night.

Context sensitive help. That is, rather than having to refer to a separate monolithic manual, that may or may not be kept in sync with the firmware, it is best to have help directly available in the web interface (assuming there is a web interface).

Documentation: Find the User Guide for the router. Look at the first two pages. Is there a date that the manual was written? Does it show the version/release the manual applies to? Is there a Last Update date? This offers a glimpse into the professionalism of the company that made the router. If the manuals are missing basic information, such as a date and version number, the company is running a second class amateur operation. Another give-away is the failure to update the User Guide to reflect changes in the firmware.

Apple fails this test. The latest setup guide that I could find for the AirPort Extreme router has no date and no version number. A check in June 2015 for AirPort manuals turned up no manuals from 2014 or 2015. The AirPort Extreme manual was from June 2013, the AirPort Express was from June 2012. Worse still, the only manuals Apple offers are short Setup Guides. They don't have a long User Guide.

Website blocking is arguably a security feature, but an optional one. In the old days, some routers would only block HTTP access to the site, but not block HTTPS. And, if you use this feature, you also need to be able to carve out exceptions which may mean learning the MAC address of privileged devices or giving them a static IP address or using DHCP reservations. And, if a router blocks sites by name, then chances are that direct IP address reference to the website will not be blocked. So, I left it out of the checklist above.

This page was last updated: September 4, 2019 1AM CT     
Created: February 3, 2015
Feedback: routers __at__ michaelhorowitz dot com  
Copyright 2015 - 2019