I have seen the inside of more home networks than I can count. I have seen things that would make a network engineer weep. I have seen routers running firmware from 2017. I have seen Wi-Fi passwords that are the street address of the house. I have seen smart TVs on the same network as banking computers. I have seen baby monitors with default passwords accessible from the open internet. Every single time, the person who owns the network says the same thing: "But I'm not a target."
You are a target. Not because you're interesting. Not because someone has a personal vendetta against you. You are a target because automated scanning tools don't care who you are. They scan every IP address on the internet, every Wi-Fi network in range, every device with an open port. If your router has a known vulnerability, a bot will find it. If your Wi-Fi password is guessable, a neighbor's kid with a YouTube tutorial will crack it. If your smart doorbell has a default password, it's already been indexed by Shodan and anyone with a browser can watch your front porch.
Here's how to fix the most common problems. None of this requires a degree. All of it matters.
Open a browser. Type 192.168.1.1 or 192.168.0.1 or whatever your router's gateway address is. If the login is admin/admin, admin/password, admin/1234, or literally anything you haven't personally set — change it right now. This is the control panel for your entire home network. Anyone who can access this can redirect your traffic, intercept your data, change your DNS, and effectively own every device in your house.
Set a strong, unique password. Write it on a sticky note and put it inside a drawer if you have to. A password on a sticky note in your physical home is infinitely more secure than admin/admin on a device facing the internet.
Your Wi-Fi should be using WPA3 if your router supports it. WPA2 at minimum. If your router is still on WPA or — God help you — WEP, you effectively have no password. WEP can be cracked in under five minutes with free tools that any teenager can download.
Your Wi-Fi password should be long. Not complex — long. "correct horse battery staple" is a better password than "P@ssw0rd!" because length beats complexity. Aim for at least 16 characters. A sentence works. "my dog hates the mailman every tuesday" is an excellent Wi-Fi password.
Change the default network name (SSID). "NETGEAR-5G" tells an attacker exactly what router model you have, which tells them exactly what exploits to try. Change it to something that doesn't identify the hardware. Don't make it something edgy like "FBI Surveillance Van" — every apartment building already has three of those and it stopped being funny in 2014.
Log into your router's admin panel. Find the firmware version. Google it. Is there a newer version? There probably is. Update it. Router firmware updates patch security vulnerabilities that are being actively exploited by botnets. The Mirai botnet, which took down half the internet in 2016, spread primarily through home routers with default passwords and outdated firmware. Your router is a computer. It needs updates just like your phone and laptop.
If your router is so old that the manufacturer has stopped issuing firmware updates, replace it. A new router with current firmware costs $50-100. The one sitting in your closet with firmware from 2018 is a liability.
Better yet: if you're comfortable with it, flash your router with OpenWrt. It's open-source router firmware that gets regular security updates and gives you far more control over your network than the manufacturer's software ever will. It runs on hundreds of router models. Check openwrt.org for compatibility.
Remote management / remote access: This allows you to access your router's admin panel from outside your home network. Unless you have a specific reason for this, turn it off. It's the most common way attackers get into home routers.
UPnP (Universal Plug and Play): This allows devices on your network to automatically open ports on your router. It was designed for convenience and is a security nightmare. Malware on any device in your network can use UPnP to open a port and let attackers in from the internet. Turn it off. If a specific device stops working (some gaming consoles need specific ports), manually forward just that port instead.
WPS (Wi-Fi Protected Setup): The button on your router that lets you connect devices by pressing a button instead of typing a password. The PIN-based version of WPS can be brute-forced in hours. Turn it off.
Guest network: Actually, turn this ON. Create a separate guest network for visitors and IoT devices (smart TVs, cameras, thermostats, robot vacuums). This isolates them from your main network. If your smart TV gets compromised — and smart TVs are notoriously insecure — the attacker can't pivot to your laptop or phone because they're on separate networks.
Your router probably uses your ISP's DNS servers by default. This means your ISP has a complete log of every website every device in your house has visited. Change your router's DNS to a privacy-respecting provider:
1.1.1.1 — Cloudflare. Fast. Privacy-focused. Audited.
9.9.9.9 — Quad9. Blocks known malicious domains automatically.
8.8.8.8 — Google. Fast and reliable but Google logs queries.
If your router supports DNS over HTTPS (DoH) or DNS over TLS (DoT), enable it. This encrypts your DNS queries so your ISP can't see them even in transit. Most modern routers support this. The setting is usually under WAN or Internet settings.
Log into your router and look at the list of connected devices. You should recognize everything on that list. If you see a device you don't recognize, find out what it is. It might be a smart plug you forgot about. It might be a neighbor who guessed your Wi-Fi password. It might be something worse.
Most routers show connected devices under a section called "Connected Devices," "Client List," or "DHCP Leases." Each entry will show a MAC address, an IP address, and sometimes a device name. If you see something you don't recognize and can't identify, change your Wi-Fi password. Every device will be disconnected and will need to reconnect with the new password. The ones that don't reconnect are the ones you should worry about — and the ones that weren't supposed to be there.
If you're using the router your ISP gave you — the one that came with your internet plan — you should know that many ISPs have remote access to these devices. They can update them, restart them, and in some cases view connected devices and traffic. Some ISP-provided routers also run a second, hidden Wi-Fi network that shares your bandwidth with the ISP's hotspot service (Comcast's Xfinity WiFi does this).
The best move is to buy your own router and use the ISP's device as a modem only (or replace it entirely if your service allows it). Your own router, your own firmware, your own rules. The ISP doesn't need to be inside your network.
If you do nothing else, do these five things today:
1. Change your router admin password from the default.
2. Make sure you're on WPA2 or WPA3 with a strong Wi-Fi password.
3. Disable remote management, UPnP, and WPS.
4. Update your router's firmware.
5. Change your DNS to 1.1.1.1 or 9.9.9.9.
Thirty minutes of work. Your network goes from being an open door to being a locked door. It won't stop a determined, funded attacker — nothing will stop that short of not having a network at all. But it will stop the bots, the script kiddies, the opportunists, and the curious neighbor. And those are the ones knocking most often.