NSA Router Security Check — Free Brand-Specific Checklist

5-minute router security self-check for your home network. Pick your router brand, follow the steps, and track progress locally in your browser.

Start checklist Why this matters (NSA event)

Quick brand links

Jump straight to a brand guide (static pages).

Pick your brand

Select a router brand to see a focused checklist.

Open the NETGEAR guide →

NETGEAR quick access

Login address: http://192.168.1.1
Default password hint: If you never changed it, check the router label or NETGEAR quick-start guide. Avoid leaving the admin password as default.

Progress

0/7 completed

1. Change the router admin password (not the Wi‑Fi password)CRITICALPASSWORD
Where to find it
Advanced > Administration > Set Password (or similar)
Expected result
Router admin password is unique, long, and not reused elsewhere.
2. Update router firmwareCRITICALFIRMWARE
Where to find it
Advanced > Administration > Firmware Update
Expected result
Router reports it is on the latest firmware version available for your model.
3. Disable remote management / WAN adminCRITICALREMOTE ACCESS
Where to find it
Advanced > Advanced Setup > Remote Management
Expected result
Remote management is Off (no admin access from the internet).
4. Use WPA2‑AES or WPA3 and a strong Wi‑Fi passwordHIGHWIFI
Where to find it
Basic > Wireless (2.4GHz / 5GHz) > Security Options
Expected result
Wi‑Fi uses WPA2‑AES or WPA3; password is 12+ characters and not shared publicly.
5. Turn off WPS (Wi‑Fi Protected Setup)HIGHWPS
Where to find it
Advanced > Advanced Setup > Wireless Settings > WPS
Expected result
WPS is disabled for all bands.
6. Disable UPnP unless you truly need itHIGHUPNP
Where to find it
Advanced > Advanced Setup > UPnP
Expected result
UPnP is Off (or limited) to reduce unexpected port exposures.
7. Review and lock down DNS settingsHIGHDNS
Where to find it
Internet/WAN Setup > Domain Name Server (DNS) Address
Expected result
DNS servers are trusted (ISP or reputable) and cannot be changed by unknown devices.

All checklists (no JavaScript)

JavaScript is disabled, so progress tracking is unavailable. Use the brand pages for a focused guide.

NETGEAR

Change the router admin password (not the Wi‑Fi password)

Advanced > Administration > Set Password (or similar)

Expected: Router admin password is unique, long, and not reused elsewhere.
Update router firmware

Advanced > Administration > Firmware Update

Expected: Router reports it is on the latest firmware version available for your model.
Disable remote management / WAN admin

Advanced > Advanced Setup > Remote Management

Expected: Remote management is Off (no admin access from the internet).
Use WPA2‑AES or WPA3 and a strong Wi‑Fi password

Basic > Wireless (2.4GHz / 5GHz) > Security Options

Expected: Wi‑Fi uses WPA2‑AES or WPA3; password is 12+ characters and not shared publicly.
Turn off WPS (Wi‑Fi Protected Setup)

Advanced > Advanced Setup > Wireless Settings > WPS

Expected: WPS is disabled for all bands.
Disable UPnP unless you truly need it

Advanced > Advanced Setup > UPnP

Expected: UPnP is Off (or limited) to reduce unexpected port exposures.
Review and lock down DNS settings

Internet/WAN Setup > Domain Name Server (DNS) Address

Expected: DNS servers are trusted (ISP or reputable) and cannot be changed by unknown devices.

TP-Link

Set a strong admin password (router login)

Advanced > System Tools > Administration (or Password)

Expected: Admin password is long and unique; device is not using factory defaults.
Update firmware (online upgrade if available)

Advanced > System Tools > Firmware Upgrade

Expected: Router is updated to the newest firmware for your exact hardware version.
Disable Remote Management / Remote Access

Advanced > System Tools > Administration > Remote Management

Expected: Remote management from WAN is disabled.
Use WPA2‑AES or WPA3 and disable weak modes

Wireless > Wireless Settings > Security

Expected: No WEP or WPA/TKIP; Wi‑Fi password is strong and not reused.
Disable WPS

Advanced > Wireless > WPS

Expected: WPS is disabled to reduce brute‑force risk.
Confirm SPI firewall is enabled

Advanced > Security > Firewall / SPI Firewall

Expected: SPI firewall is On; inbound WAN traffic is blocked by default.
Disable UPnP (or audit port mappings)

Advanced > NAT Forwarding > UPnP

Expected: UPnP is Off or you have reviewed all active mappings and recognize them.

ASUS

Change the admin login password

Administration > System > Router Login Name/Password

Expected: Admin password is strong and unique; login name is not left as default if adjustable.
Update firmware

Administration > Firmware Upgrade

Expected: Router is running the latest stable firmware (auto-update enabled if supported).
Disable remote access features you don't use

WAN > DDNS / Administration > System > Enable Web Access from WAN

Expected: Web access from WAN is Off unless you explicitly need it and have restrictions in place.
Set WPA2‑AES or WPA3 and separate guest Wi‑Fi

Wireless > General (2.4GHz/5GHz/6GHz) + Guest Network

Expected: Main Wi‑Fi uses WPA2‑AES/WPA3; guests use Guest Network without LAN access if possible.
Disable WPS

Wireless > WPS

Expected: WPS is Off to reduce attack surface.
Disable UPnP unless required

WAN > Internet Connection > Enable UPnP

Expected: UPnP is Off (or you have verified all port forwards are expected).
Review DNS settings and enable DNS security if available

WAN > Internet Connection > DNS Server + AiProtection/Parental Controls (model dependent)

Expected: DNS is set to trusted resolvers; suspicious DNS changes are avoided or blocked.
Ensure firewall is enabled and block unsolicited inbound traffic

Firewall > General

Expected: Firewall is enabled; inbound WAN access is blocked by default.

FAQ

Do I need technical skills to follow this checklist?

No. Each step is written as a short “where to find it” path plus an expected result. If you get stuck, use your router model’s official manual.

Is rebooting my router enough?

Rebooting can interrupt some threats, but it is not a complete fix. You still need to update firmware, change default credentials, and disable risky features like remote management and WPS.

What if my router is old or no longer supported?

If your router no longer gets security updates, replacement is usually the safest option. Unsupported devices are commonly targeted because known vulnerabilities remain unpatched.

Get future checklist updates

No spam. This is a placeholder form for the MVP.

Next: read the NSA event timeline

Understand recent router warnings and why simple steps like rebooting help—but don’t replace firmware updates and strong passwords.

Open NSA event page