Step 1: WPA2
I think it's common networking knowledge that there really is no excuse to not use any encryption method other than WPA2. In all but the oldest wireless devices, just about all modern wireless clients support it.
Step 2: Change Default Passwords
You never want to set up a new router and leave the default password of either the SSIDs (if the router came preconfigured) or to the admin account, which gives access to the router's management software. In fact, I like to change even the Guest Account default settings, if I enabled Guest Account and the router has guest credentials set up.
Changing the admin password, is usually found in the "System" or "Administration" areas of the interface. Changing the SSID's passphrase is typically under "Wireless Settings." By the way, you see the password I have set in the image below? Don't use that one. That's just a router for testing, my home router has a much stronger password. For some good advice on creating passwords, give Password Protection: How to Create Strong Passwords", a read.
Step 3: Change the Default SSID name
I can't tell you how many times, I'll look at wireless networks in range and see SSIDs such as "NETGEAR095," essentially, SSIDs that are preconfigured and easily give away the make of the router. When I see this, I also think perhaps the person who set up the router left the default admin credentials to the router's software. Someone with strong intent could access an unsecured network, and with a quick web search, discover the default password to the admin account just by knowing the type of router. Give your network a name that does not reveal the make or model of your router.
Step 4: Device Lists
Most routers have a device list that shows the wired and wireless clients currently connected. It pays to periodically take a look and familiarize yourself with your router's device listing. Years ago, you would only see a list showing a connected client's IP address, MAC address, and maybe the hostname.
Newer router interfaces are getting fancier. The most recent interface on the Cisco Linksys routers shows all of this information plus an icon of the type of client that's connected ( a picture of a bridge, a NAS, a computer…and so on). I've met with vendors who are also releasing cloud and mobile apps that let you remotely see what or who is connected to your network and alert you when a device connects. If this is an important feature for you, you can expect to see a lot innovation in intrusion detection and home networks soon.
Step 5: Turn off Guest Networking
I've never tested a router out-of-the box that had guest networking on by default. If I did—that router would not get a very high review rating. Guest networking allows others to access your routers, and by default it's usually unsecure access (although you can typically add security). That said, if you inherited your router from someone else, it pays to make sure guest networking is turned off (or at least secured) when you set the router up for your use. Doing so, requires usually nothing more than ticking off a checkbox in the router's interface.
Step 6: Enable MAC Address Filtering
Creating a filter by MAC address allows you to grant or deny access to your wireless network based on the specific device being connected. A common scenario for good security is to only grant access to the MAC addresses of only your own devices. You have to enter the MAC address manually for each client in just about any router I've tested, so you'll need to gather that information first. Of course, you can also get the MAC addresses from the device list as mentioned earlier, if they are connected.
Step 7: Use WPS With Caution
Personally, I don't use WPS (Wi-Fi Protected Setup) on my home network. I find it does not work consistently across wireless devices. Add to the fact that a security issue was discovered with the PIN method of connecting via WPS, and it makes me want to stay far from the feature (for more on the security issue check out "Wi-Fi's Protected Setup Woes". To their credit, router manufacturers have been doing a good job of securing WPS on their equipment; however, I would still use it sparingly. Some wireless extenders I've tested can really only connect to a router via WPS, but for other devices; connect them manually.
Step 8: Keep Your Firmware Up to Date
I think a lot of users can forget about this one. Periodically, router vendors will create and post new firmware for their products to their sites. Sometimes, this firmware can patch security holes. Routers keep getting easier and easier to update; newer ones will notify you when new firmware is available and some will allow you to do the entire firmware update without leaving the router's interface—a feature that always gets a favorable rating from me. Don't forget to keep client wireless adapters patched for the same reason, as well.
Step 9: Use Firewall Settings
Most routers have some sort of firewall or WAN protection to guard the device from Internet threats. Higher-end dual-band routers tend to have more advanced firewall and security features (though you can throw a third-party, open-source software tool like Tomato on an old cheap router, which can add advanced functionality, too.) For example, the Cisco Linksys AC1750 has settings that allow you to enable firewall protection for both IPv4 and IPv6 traffic, as well as filter potential threats such as anonymous Internet requests.
One caution though, if you use port forwarding to set up remote access back into your home LAN, enabling some WAN filtering, may cause problems with the remote access—as I discovered once. Still, that should not discourage most users to use the SPI firewall capabilities and WAN threat security features found in most wireless routers. Many of these security features can be enabled with a click. Advanced users can even use a feature found in lots of routers—setting up firewall rules to block specific types of services such as IDENT or Telnet from coming through your router.
Step 10: Hide the SSID
Hiding the name of your wireless network (the SSID) is also referred to as preventing the SSID from broadcasting. Now, hiding the SSID is not in and of itself, a security measure. Snoopers still have ways to detect wireless signals in a given area. However for most other would-be leeches, not having your Wi-Fi network's name broadcasted, is a good way to prevent anyone from jumping on. The downside, is you will have to manually type in the name when you want to connect a device—especially tedious for friends who drop by and want to connect to your Wi-Fi.
With these settings, you really don't need to be well-versed in networking. You just need to get familiar with the features and interface in your router to create a more secure network.
