Wi-Fi Security Checklist: 25 Steps to Lock Down Your Home Network
Cut real-world risk with quick wins, then harden your router, devices and DNS. A VPN adds privacy on public and ISP networks.
Short answer: enable WPA3, strong unique passwords, auto-updates, guest/IoT isolation, secure DNS, and use a reputable VPN when you’re on public Wi-Fi or want to hide browsing from your ISP. Then run leak and speed tests to be sure everything works as expected.
New to this topic? First read the deep-dive Wi-Fi security guide, then follow this checklist. When you’re done, run a quick VPN speed test and a DNS/IPv6 leak test to verify your setup.
Quick wins (5–10 minutes)
- Change default router admin password to a unique 16–20-character passphrase; turn off remote admin if unused.
- Rename SSID to something neutral (no address, ISP name or family name).
- Set Wi-Fi encryption to WPA3-Personal (or WPA2-AES if legacy devices force it; avoid mixed/TKIP).
- Update router firmware and enable auto-updates if supported.
- Disable WPS and UPnP; keep only needed services on.
- Use a separate guest network and block access to your LAN by default.
- Prefer 5 GHz/6 GHz bands; reduce transmit power to cover just your home or apartment.
Router hardening (15–30 minutes)
- Create a dedicated IoT VLAN/SSID for cameras, bulbs and TVs; deny inter-device and LAN access.
- Switch router DNS to a secure resolver (DoH/DoT) — Cloudflare 1.1.1.1, Quad9 9.9.9.9 or AdGuard; optionally enable DNS filtering.
- Enable MAC randomization on clients; disable legacy 802.11b/g if not needed.
- Schedule Wi-Fi off during the night or long absences to reduce attack surface.
- Log out of the router panel after changes; keep an encrypted backup of the configuration.
Device hygiene
- Keep OS and apps auto-updated; remove unused apps and old VPN profiles.
- Enable full-disk encryption (BitLocker/FileVault), screen lock and 2FA for accounts.
- Use modern browsers with HTTPS-Only mode; block third-party cookies and aggressive tracking.
- On mobiles, disable “auto-join” for unfamiliar networks; prefer personal hotspots over unknown public Wi-Fi.
Use a VPN smartly
- Choose WireGuard or OpenVPN UDP for best speed/security; fall back to TCP when networks are restrictive.
- Enable the kill switch and auto-connect on untrusted Wi-Fi.
- Pick nearby servers for latency; use country-specific servers for streaming/licensing needs. Our guide on which VPN server to choose goes deeper.
- Consider router-level VPN for “always-on” protection; keep a split tunnel for latency-sensitive apps.
Run privacy & leak tests
- Check public IP and DNS servers before and after enabling the VPN.
- Run DNS and WebRTC/IPv6 leak tests; if leaks appear, disable IPv6 on the device or enable IPv6 support in the VPN app.
- Verify HTTPS padlock and certificate on sensitive sites (banking, email, workplace portals).
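An added example, not part of the original checklist: a Python comparison of the "before" and "after" snapshots from the leak-test steps above. The snapshot format, function names and sample addresses (documentation ranges) are assumptions made for illustration; fill the snapshots by hand from the IP and DNS leak test pages you use.

```python
import ipaddress

def prefix64(addr):
    """Return the /64 network that an IPv6 address belongs to."""
    return ipaddress.ip_network(f"{addr}/64", strict=False)

def find_leaks(before, after):
    """Compare snapshots taken with the VPN off (before) and on (after).

    Snapshot keys (assumed format): 'ipv4', 'ipv6' (public address or None)
    and 'resolvers' (resolver IPs shown by a DNS leak test page).
    Returns a list of findings; an empty list means no leak was detected.
    """
    findings = []
    b4, a4 = before.get("ipv4"), after.get("ipv4")
    if b4 and a4 and ipaddress.ip_address(b4) == ipaddress.ip_address(a4):
        findings.append("ipv4-unchanged")
    b6, a6 = before.get("ipv6"), after.get("ipv6")
    # Privacy extensions rotate the host half of an IPv6 address, so an
    # exact match is too strict: the same /64 still identifies the home line.
    if b6 and a6 and prefix64(b6) == prefix64(a6):
        findings.append("ipv6-leak")
    # Heuristic: a resolver seen both with and without the VPN suggests
    # queries are still leaving outside the tunnel.
    known = {ipaddress.ip_address(r) for r in before.get("resolvers", [])}
    for r in after.get("resolvers", []):
        if ipaddress.ip_address(r) in known:
            findings.append(f"dns-leak:{ipaddress.ip_address(r)}")
    return findings

# Constructed sample snapshots (documentation address ranges, not real hosts).
BEFORE = {"ipv4": "203.0.113.25",
          "ipv6": "2001:db8:1:2:a1b2:c3d4:e5f6:1",
          "resolvers": ["203.0.113.53", "203.0.113.54"]}
AFTER_LEAKY = {"ipv4": "198.51.100.7",
               "ipv6": "2001:db8:1:2:9999:8888:7777:6666",
               "resolvers": ["198.51.100.53", "203.0.113.53"]}
AFTER_CLEAN = {"ipv4": "198.51.100.7", "ipv6": None,
               "resolvers": ["198.51.100.53"]}

if __name__ == "__main__":
    print("leaky:", find_leaks(BEFORE, AFTER_LEAKY))
    print("clean:", find_leaks(BEFORE, AFTER_CLEAN))
```

An `ipv6-leak` finding corresponds to the fix in the step above: disable IPv6 on the device or enable IPv6 support in the VPN app, then take a new "after" snapshot.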
Common mistakes to avoid
- Using one password for both Wi-Fi and router admin.
- Leaving WPS on “for convenience”.
- Keeping IoT on the same LAN as your laptop/phone.
- Trusting “free” public Wi-Fi without a VPN.
FAQ
Is WPA3 mandatory?
Prefer WPA3-Personal whenever your devices support it. If legacy gear breaks, use WPA2-AES only, never TKIP or “mixed” with WEP.
Do I need a VPN at home?
At home it adds ISP privacy and geo options; on public Wi-Fi it’s strongly recommended to mitigate local snooping and rogue access points.
Should I turn off 2.4 GHz?
Keep it mainly for IoT or distant rooms. Primary devices should use 5/6 GHz for speed and less interference.
