1. Change the default password and user id – new one should be at least 16 characters long.
2. Turn off WPS
3. Turn off UPnP
4. Turn off NAT-PMP
5. Wi-Fi encryption should be WPA2 with AES.
6. Wi-Fi passwords should be strong and secure
7. Don’t use an SSID that identifies you.
8. Use a password protected Guest Network. Use it for guests and IoT devices.
9. Turn Off Remote Administration
10. Test for open ports.
11. Turn off Port forwarding…if you can
12. Check for new firmware monthly.
13. Get rid of the ISP provided equipment. It is vulnerable.
14. Change the DNS servers that your router gives out to attached devices. ISP assigned DNS servers are usually the default, and worst, option. Use DNS servers are 9.9.9.9 (from Quad 9, backed up by 149.112.112.112) and 1.1.1.1 (from Cloudflare backed up by 1.0.0.1).
15. Change the LAN side IP address of the router.
16. For routers with a web interface, lock down access to the router from the LAN side with 2fa.
17. Turn off Ping reply.
18. Turn off the wireless networks when not in use.
19. Block the ports used by Windows file sharing.
20. Block network printers from making any outbound connections.
21. If the router can send emails to you when certain error or security concern occur, use it.