48 items

Home Network Security Audit

Most home networks run on settings configured years ago — default credentials unchanged, firmware unpatched, and smart devices sharing a network with laptops holding financial records. This 90-minute audit tells you exactly what to check, where to find each setting, and what to change, with no IT background required. For more background and examples, see the guidance below; for built-in tools and options, use the quick tools guide.

Author

Checklistify Editorial Team

Last Updated

Checklist Items

0 done•48 left•9 of 10 sections collapsed

Locate your router admin panel URL, username, and current password

Check the sticker on the bottom or back of your router for the admin URL (typically 192.168.1.1 or 192.168.0.1), default username, and default password. Open a browser on any device connected to your home network and navigate to that URL — you should see a login screen. If you have never changed these credentials, you are almost certainly still using factory defaults, which are publicly documented for every router model and exploitable by any device already on your network. Store the admin URL in your password manager before proceeding.

Change router admin username from default

Many routers default to 'admin' as the username. If your router allows username changes (check under Administration or Management settings), change it to something non-obvious. Not all routers support this — skip if the option is not present. Changing the username adds a second unknown for anyone attempting to brute-force access to your admin panel from a device already connected to your network.

Set a strong, unique router admin password (16+ characters)

This is not the same as your Wi-Fi password — it controls access to your router's configuration panel itself. Use a 16+ character password with a mix of character types, stored in your password manager. Default admin passwords ('admin', 'password', or the last 8 digits of a serial number) are published in manufacturer documentation and are the first combination automated scripts try. Any device already on your network can reach the admin panel IP — this credential protects your entire configuration from anyone who has already connected.

Disable remote management and remote admin access

Remote management allows access to your router's admin panel from the public internet, not just from inside your home. Unless you have a specific need to administer your router remotely, disable this immediately. Find it under Advanced > Administration > Remote Management (labels vary by brand). When enabled, automated scanners detect this within minutes of it being exposed — this is among the most commonly exploited misconfigurations in home routers and is frequently used to install persistent firmware-level malware.

Enable HTTPS-only access to admin panel

Some routers offer admin panel access over HTTPS (encrypted) in addition to or instead of HTTP (unencrypted). If this option exists in your Administration or Access settings, enable it. Without HTTPS, any device on your network can intercept your admin session credentials using a passive packet capture — including a compromised smart TV or IoT device on the same network segment. This is particularly relevant if your IoT devices are not yet isolated.

Set admin panel session timeout to 10–15 minutes

An open admin panel session left unattended is a liability — physical access to your computer or a session-hijacking attack from another device on the network could take over your configuration silently. Set the timeout in Administration settings so the session expires automatically after inactivity. This also applies during the audit itself: do not leave the admin panel open in a browser tab while you step away.

Check your router's current firmware version and compare to the latest release

Navigate to router admin > Advanced > Firmware Update (exact path varies by brand and model). Note the version currently installed. Visit the manufacturer's support page and search your exact model for the current stable release. Firmware updates are the primary mechanism manufacturers use to patch security vulnerabilities — an unpatched router may have known, publicly disclosed vulnerabilities that automated scanners search for across the entire internet. Also check your manufacturer's security advisory page (search '[brand] security advisories') for any listed CVEs affecting your model specifically.

Update router firmware to the latest stable version

Most routers allow you to update directly from the admin panel — click 'Check for Updates' or 'Update Firmware'. Alternatively, download the firmware file from the manufacturer's website and upload it manually. Do not interrupt power during the update; a failed flash can brick the router. The router will restart automatically after a successful update, taking 2–5 minutes. After reconnecting, navigate back to the firmware page and verify the new version number matches what you intended to install.

Enable automatic firmware updates if your router supports it

Asus, Netgear Orbi, Eero, and Google Nest routers all offer automatic firmware updates in their settings. If yours does, enable it — auto-updates ensure critical security patches are applied promptly without requiring you to manually check. If your router does not support auto-updates, add a calendar reminder to check manually every 3 months, since manufacturers release security patches on unpredictable schedules.

Verify your router model is still receiving manufacturer security support

Search '[your router model] end of support' on the manufacturer's website or look for a product lifecycle page. Router manufacturers typically support models for 3–5 years after release. Once a model reaches end-of-life, it stops receiving security patches — any vulnerability discovered afterward will never be fixed regardless of how thoroughly you complete this audit. If your router is end-of-life, plan replacement as a priority action, not an optional future step.

#10

Update firmware on all mesh network nodes and access points

If you use a mesh Wi-Fi system (Eero, Netgear Orbi, TP-Link Deco, Google Nest), each node may need to be updated independently. Check the companion app or admin panel for all nodes — a single outdated satellite node creates a vulnerability that bypasses the security of an updated primary router. Most mesh systems update all nodes simultaneously through the companion app, but verify the version number on each node individually to confirm.

#11

Set Wi-Fi encryption to WPA3 or WPA2/WPA3 mixed mode

Go to Wireless > Security settings. WPA3 is the current gold standard and prevents offline dictionary attacks against your Wi-Fi password — a class of attack that WPA2 is vulnerable to even with a strong passphrase. If all your devices were purchased in the last 4–5 years, WPA3-only is appropriate. For older devices that do not support WPA3, use WPA2/WPA3 mixed mode, which offers WPA3 to capable devices while maintaining compatibility. WPA2-AES is the acceptable minimum. WPA (TKIP) and WEP are cryptographically broken — if either is present, disable it immediately and do not use it as a fallback mode.

#12

Change Wi-Fi password to a strong passphrase (20+ characters)

Use a passphrase of 20 or more characters — a string of 4–5 unrelated words with separators is both strong and memorable (e.g., 'tangerine-orbit-shelf-morning'). Avoid passwords containing your street address, surname, router brand, or ISP name — these are among the first guesses in targeted local attacks. Store the new passphrase in your password manager before saving it to the router. You will need to reconnect every device in your home after this change, which takes 20–30 minutes in households with many devices — plan accordingly.

#13

Change Wi-Fi network name (SSID) from its default value

Default SSIDs like 'NETGEAR_5G_2847' or 'ASUS_RT-AX88U' immediately reveal your router's model number to anyone scanning nearby networks. With that information, an attacker can look up known vulnerabilities for your exact model in seconds. Change the SSID to a neutral name that does not identify your address, household name, or router brand. Avoid names that imply high-value contents ('HomeOffice', 'SecurityCameras') or include any address detail.

#14

Disable WPS (Wi-Fi Protected Setup)

WPS was designed to simplify device connections via an 8-digit PIN or physical button press. Its PIN implementation has a fundamental cryptographic flaw: the PIN is verified in two 4-digit halves, reducing possible combinations from 100 million to roughly 11,000. Tools like Reaver and Bully exploit this to determine the correct PIN via brute force in 4–10 hours, then derive your full Wi-Fi password — regardless of how strong it is. Disabling WPS in your wireless settings eliminates this attack vector entirely. You lose only the convenience of button-press pairing, which no device actually requires for normal operation.

#15

Review 2.4 GHz, 5 GHz, and 6 GHz band configurations

Each frequency band is a technically separate network with its own security settings — both (or all three, for Wi-Fi 6E routers) must use the same strong encryption mode and passphrase. Some routers silently default to weaker encryption on the 2.4 GHz band for backward compatibility. If your bands have different SSIDs, ensure each is inventoried in this audit. Verify that the password and security mode are consistent across every active band — a secured 5 GHz network does not protect you if the 2.4 GHz band runs WPA with a weak password.

#16

Enable Protected Management Frames (PMF / 802.11w)

PMF protects Wi-Fi management frames — the low-level signals used to connect, disconnect, and authenticate devices — from being forged by an attacker. Without PMF, an attacker within radio range can send crafted deauthentication frames to forcibly disconnect your devices. PMF is required for WPA3 and optional for WPA2. Enable it if all your devices support it (most devices from 2015 onward do). If enabling PMF on 'Required' mode causes older devices to fail to reconnect, switch to 'Optional' mode, which still protects capable devices while allowing older ones to connect.

#17

Verify Wi-Fi transmit power is appropriate for your property size

Transmit power controls how far your Wi-Fi signal extends beyond your home. An unnecessarily high setting broadcasts your network into neighboring properties and public spaces, expanding the pool of people within range who can attempt connections or passively monitor traffic patterns. Find the setting under Wireless > Advanced (may be expressed as a percentage or dBm value). For most single-family homes, medium or 75% power is sufficient. In apartment buildings especially, this setting meaningfully reduces your network's exposure to adjacent units.

#18

Enable a dedicated guest Wi-Fi network for visitors

A guest network connects visitor devices to the internet without giving them access to your main network, shared drives, NAS devices, printers, or other connected hardware. Enable it under Wireless > Guest Network and assign a distinct password separate from your main Wi-Fi. Set the guest network to 'Internet access only' and disable any option that allows guest devices to communicate with the main LAN. The practical benefit: a visitor's malware-infected laptop cannot reach your home server, shared storage, or other computers — it can only reach the internet.

#19

Enable AP/client isolation on the guest network

AP Isolation (also called Client Isolation or Device Isolation) prevents devices on the guest network from communicating directly with each other or reaching the main network. Without this, two devices on the guest network can communicate freely — and a compromised IoT device could use another guest network device as a stepping stone. This setting is typically under Wireless > Guest Network > Advanced. Verify it is explicitly enabled, not merely implied by the guest network being active — the two settings are independent.

#20

Move all IoT and smart home devices to the guest or a dedicated IoT network

Smart TVs, video doorbells, security cameras, smart speakers, thermostats, smart bulbs, robot vacuums, gaming consoles, and connected appliances should all live on the guest or IoT network — never on the same segment as computers and phones holding sensitive data. IoT devices frequently have weak security architectures, infrequent firmware update cycles, and sometimes hard-coded credentials embedded in firmware. A compromised smart TV on an isolated network cannot communicate with your laptop or NAS; on a flat network, it can probe every other connected device freely. This single change has the highest security-to-effort ratio in this entire checklist.

#21

Confirm guest network cannot reach the router admin panel

Some router firmware incorrectly allows guest network clients to access the admin panel. Test this explicitly: connect a device to your guest network and attempt to navigate to your router's admin URL (192.168.1.1 or similar). The admin panel should be completely inaccessible. If you can reach it from the guest network, your router has a firmware misconfiguration — search for an update that addresses this, or use a properly isolated VLAN for IoT devices instead of relying on the guest network feature.

#22

Pull the full list of currently connected devices from router admin

Navigate to router admin > Connected Devices, Device List, or DHCP Client List (label varies by brand). This shows every device with an active connection. Take a screenshot before making any changes — this is your audit baseline. Households with many smart home devices routinely see 30+ entries. Each entry shows at minimum a MAC address (a hardware identifier unique to each network interface) and usually a device name or hostname. If your router shows only MAC addresses with no names, you will need to cross-reference with each physical device's settings.

#23

Identify and label every device on the connected devices list

Match each listed device to a physical device you own. On Android, find your MAC address under Settings > About Phone > Status > Wi-Fi MAC Address. On iPhone, go to Settings > General > About > Wi-Fi Address. On Windows, run 'ipconfig /all' in Command Prompt and look for 'Physical Address'. On macOS, go to System Settings > Network > Wi-Fi > Details. Devices with generic hostnames like 'android-4f7a2c' or 'ESP_2A8F' are normal but require extra investigation — the 'ESP' prefix typically indicates a cheap smart home device using an Espressif microcontroller chip. Flag any device you cannot positively identify within 5 minutes.

#24

Investigate and block or remove all unrecognized devices

An unrecognized device could be a neighbor connecting to your network (particularly if WPS was previously enabled), a device you forgot about, or an unauthorized user. The most reliable resolution: change your Wi-Fi password, which disconnects every device simultaneously, then reconnect only your known devices one by one — time-consuming but definitive. For a less disruptive approach, use MAC address filtering to block a specific device, though be aware that MAC addresses can be spoofed, making this a softer barrier than a password change.

#25

Check DHCP lease history for recently connected but currently offline devices

Some routers maintain a DHCP lease table showing devices that connected recently but are not currently active. Review this list for unfamiliar entries. A neighbor's device that connected once when WPS was enabled may appear here even if it is not currently online. This historical list gives a more complete picture than the active-only devices view and can surface devices that connect intermittently rather than continuously.

#26

Enable detailed device hostname display in router admin

Most modern routers display device hostnames alongside MAC addresses. If yours shows only MAC addresses, check router settings for options to enable mDNS or hostname resolution. Alternatively, a network scanning app (Fing for iOS/Android) can identify devices by manufacturer using MAC address prefix lookups — each manufacturer is assigned a unique OUI prefix, making it possible to determine that an unknown device is made by Belkin, Amazon, or Samsung without a readable hostname. Proper device naming makes every future audit significantly faster.

#27

Assign static IP addresses (DHCP reservations) to important devices

For computers, NAS drives, and printers, use DHCP reservation to assign a fixed local IP address — done in router admin > DHCP Settings > DHCP Reservation using each device's MAC address. Fixed IPs make firewall rules, port forwarding, and device monitoring far more reliable. A device that receives a different IP after a restart can silently break a firewall rule you created for it, leaving a security gap that looks correct on paper but has no effect in practice.

#28

Confirm router's built-in SPI firewall is enabled

Go to Security or Firewall in router admin. The Stateful Packet Inspection (SPI) firewall analyzes incoming traffic and blocks packets that are not part of an established, legitimate connection originating from inside your network. It should be enabled by default but verify explicitly — some configurations disable it for gaming performance, and firmware updates occasionally reset this setting. This is your primary barrier against unsolicited inbound connections from the internet, separate from software firewalls on individual devices.

#29

Disable UPnP (Universal Plug and Play)

UPnP allows devices on your network to automatically open ports in your router's firewall without your knowledge or approval. It was designed for convenience with gaming consoles and media servers but is routinely abused by malware to create persistent backdoors that survive even after the infected device is cleaned — because the port forwarding rule remains in the router. Disable UPnP in Security or Advanced settings. If a gaming console or Plex server stops working, manually configure only the specific port forwarding rules that application needs rather than re-enabling UPnP globally.

#30

Audit all existing port forwarding rules and remove unused ones

Navigate to router admin > NAT > Port Forwarding (or similar). List every active rule: the external port, protocol (TCP/UDP), and the internal device IP it points to. For each rule, confirm you understand why it exists and that the destination device still occupies that IP. Port forwarding rules create direct pathways from the public internet to specific devices inside your home network. An outdated rule pointing to a device that was replaced or assigned a new IP is an open door leading somewhere unpredictable.

#31

Review router system logs for unusual connection attempts

Most routers maintain a system log accessible under Administration > Log or System > Log. Look for patterns rather than individual entries: repeated failed login attempts to the admin panel, sustained connection attempts on closed ports from the same source IP, or unexpected outbound connections to unfamiliar external addresses at regular intervals. Blocked admin login attempts using default usernames are common background noise; dozens of attempts per hour from a single IP indicate active credential stuffing. Export the log and save it alongside your audit documentation.

#32

Disable Telnet and SSH access to router unless actively used

Some routers allow command-line administration via Telnet (completely unencrypted — credentials are visible in plaintext to any packet sniffer on your network) or SSH (encrypted). Unless you are actively using these for advanced administration, disable both in Advanced or Administration settings. An open Telnet port is a significant exposure: any device on your network can intercept Telnet session credentials without special privileges or tools.

#33

Disable or properly secure any built-in VPN server

Many modern routers support running a VPN server (OpenVPN, WireGuard, PPTP). PPTP is cryptographically broken and should be disabled regardless of use. If you configured an OpenVPN or WireGuard server but no longer use it actively, disable it — an unused, potentially misconfigured VPN service is an attack surface that gains you nothing. If you actively use a home VPN server, verify it uses current certificates, strong pre-shared keys, and was not left on default configuration after initial setup.

#34

Review IPv6 firewall settings if IPv6 is active

If your ISP provides IPv6 connectivity, verify that your router's firewall applies equivalent rules to IPv6 traffic. Many home router firewall configurations were designed primarily for IPv4, and IPv6 traffic can sometimes bypass rules set up with only IPv4 in mind — giving IPv6-addressed devices unexpected direct internet exposure. Check your firewall settings explicitly for IPv6 coverage. If you do not use IPv6 and your ISP does not require it, disabling it in WAN settings simplifies your firewall configuration.

#35

Replace ISP default DNS servers with privacy-respecting alternatives

Your ISP's default DNS servers log every domain lookup from your household — every website, app, and connected service any device contacts. This data is collected, retained, and in many jurisdictions shared with or sold to data brokers. Set DNS in router admin > WAN Settings > DNS to: Cloudflare (1.1.1.1 / 1.0.0.1) for speed and privacy; Quad9 (9.9.9.9 / 149.112.112.112) for privacy plus automatic blocking of known malicious and phishing domains; or Google (8.8.8.8 / 8.8.4.4) for maximum reliability. Quad9 is the best default for households with children — it silently blocks malware distribution and phishing domains before any device on your network can reach them.

#36

Enable DNS-over-HTTPS or DNS-over-TLS at the router level

Standard DNS queries — even to privacy-respecting servers — travel unencrypted between your router and the resolver, meaning your ISP and any network eavesdropper can see every domain lookup in transit. DNS-over-HTTPS (DoH) and DNS-over-TLS (DoT) encrypt these queries end-to-end so only the DNS resolver you chose can see the content. Check your router's WAN or DNS settings for DoH or DoT options — Asus routers support this natively, as do Eero and some TP-Link models. Both Cloudflare (1.1.1.1) and NextDNS support encrypted DNS resolution.

#37

Consider router-level DNS filtering for malware and phishing protection

NextDNS and Pi-hole block known malicious domains, phishing sites, ad networks, and trackers at the DNS level for every device on your network — before any connection is made. This protects devices that cannot run browser extensions: smart TVs, gaming consoles, IoT devices, and phones. NextDNS offers a free tier (300,000 queries per month, sufficient for most households) configured via a single URL pasted into your router's DNS settings. Pi-hole requires a dedicated device (Raspberry Pi or similar) but offers granular control over blocklists and per-device query logging.

#38

Place router in a physically secure, non-public location

A factory reset — performed by holding the reset button for 10–30 seconds — erases all your configuration changes and restores default credentials in under a minute. This takes less time to perform than reading this sentence aloud. A router accessible to visitors, service workers, or children during gatherings is a router that can be reset and reconfigured by anyone with brief physical access. Place it in a utility room, home office, or enclosed cabinet.

#39

Photograph router sticker and store the image securely

The sticker on your router contains the model number, MAC address, serial number, and factory default credentials — everything required for a factory reset and fresh reconfiguration. Take a clear photograph and store it in your password manager as an attachment or in an encrypted notes app. Do not store this in an unsecured photo album or a cloud gallery that syncs automatically without encryption. This photograph becomes essential if you ever need to recover from a reset during a stressful outage.

#40

Disable the physical WPS button function if firmware allows

Even after disabling WPS in the software settings, many routers can have it temporarily re-enabled by pressing the physical button on the device. Check your firmware settings for an option specifically to disable the physical button's WPS function — this is a separate control from the software WPS toggle. Particularly relevant if your router is in a shared or accessible area where someone might press it without understanding what it does.

#41

Confirm software firewalls are active on all computers

Windows Defender Firewall and macOS Application Firewall (System Settings > Network > Firewall) should both be enabled. The router firewall protects against external inbound threats from the internet. Device-level firewalls protect against lateral attacks originating inside your own network — for example, a compromised smart home device probing your laptop's file sharing or RDP ports. Both layers serve distinct purposes and neither substitutes for the other.

#42

Enable automatic OS updates on all computers and mobile devices

A fully secured router is undermined the moment a device with unpatched vulnerabilities connects to it. Enable automatic updates on Windows (Settings > Update & Security > Advanced Options), macOS (System Settings > General > Software Update > Automatic Updates), iOS (Settings > General > Software Update > Automatic Updates), and Android (Settings > Software Update). Security patches for critical vulnerabilities are often released within days of public disclosure — manual update cycles leave a window of exposure that automated attackers are calibrated to exploit.

#43

Check all smart home device apps for available firmware updates

Open the companion apps for Ring, Nest, Arlo, Philips Hue, SmartThings, Amazon Alexa, and any other smart home platform. Check device settings for firmware updates — these are separate from app updates and are rarely surfaced prominently. Smart home manufacturers do release security patches, but unlike smartphones, they do not notify users in an obvious way. Check each app manually at least twice per year. A compromised camera on your IoT network is still a camera inside your home with audio and video capture.

#44

Change default admin credentials on all smart home devices

Every smart home hub, NAS drive, IP camera, network printer, and smart home controller has its own web admin interface — typically accessible via the device's local IP address found in your router's device list. Default credentials ('admin/admin', 'admin/1234', or printed on a sticker) are published in product manuals and searchable online in seconds. Access each device's admin panel and change the password to a unique credential stored in your password manager. A NAS drive with default credentials and file sharing enabled is functionally a public server accessible to every device on your network.

#45

Record all changes made during this audit with dates and version numbers

Create a dedicated entry in your password manager or an encrypted notes app — not a plain text file or sticky note. Record: firmware version number after the update, references to where each new credential is stored (not the credentials themselves in plain text), which devices were moved to the IoT or guest network, and any items flagged as 'Needs Attention' with planned resolution dates. This documentation is essential for the next audit and for any emergency where someone else needs to manage the router.

#46

Store all router credentials and emergency procedures in a password manager

Create a single organized entry containing: router admin URL, admin username and password, main Wi-Fi SSID and passphrase, IoT or guest network SSID and passphrase, factory reset procedure for your specific router model, and the location of the router sticker photograph. At least one other trusted adult in your household should know this entry exists and how to access it. An internet outage that requires a factory reset should not escalate into a crisis because the credentials are inaccessible.

#47

Schedule next full audit and event-triggered review reminders

Set a recurring calendar reminder for 12 months from today for a routine re-audit. Additionally, create separate reminders to run an immediate review if any of the following occur: acquiring a new router or mesh system, changing ISP or moving to a new home, adding a significant number of new smart home devices, a household member's device being infected with malware, your ISP reporting unusual outbound traffic from your IP address, or your router model appearing in a security advisory or news story about a vulnerability.

#48

Which threats are actually targeting your network right now?

The items in this checklist do not carry equal risk. Understanding how attackers actually prioritize home networks helps you decide where to focus first if you cannot complete everything in a single session.

🚨 Automated, constant — running 24/7

Botnets continuously scan the public internet for routers with default admin credentials, unpatched firmware, and exposed remote management ports. This is not targeted at you specifically — it is automated scripts sweeping every IP address in sequence. You are not a victim being chosen; you are a number in a range being checked. These attacks succeed in seconds when the right conditions are met, and they never stop running.

⚠️ Proximity-based — requires being nearby

Wi-Fi password brute-force and WPS exploitation require physical proximity to your signal. Dense apartment buildings and urban neighborhoods substantially elevate this risk. Shared parking lots, building lobbies, and adjacent units are all well within range. These attacks are slower than automated internet scanning but can run passively for hours without the attacker remaining physically present.

💡 Lateral movement — after an initial foothold

Once inside a flat, unsegmented network — through a compromised device, a shared password, or a trusted guest — an attacker can probe every other connected device. File sharing ports, Remote Desktop, SMB shares, and NAS admin panels are all visible and reachable. Network isolation does not prevent the initial compromise; it converts the compromised device from a launchpad into a dead end.

📝 Passive surveillance — ongoing and invisible

Unencrypted DNS queries and ISP traffic logging do not grant access to your devices, but they enable continuous monitoring of every household member's online activity — every domain your devices contact, timestamped. This requires no active attack, affects every device automatically, and continues indefinitely unless you change the DNS configuration at the router level.

📖 600,000 routers, one bad week

In 2016, the Mirai botnet compromised over 600,000 home routers and cameras — all running factory-default credentials. Those devices were marshaled to generate enough traffic to simultaneously take down Twitter, Netflix, Reddit, and Amazon for millions of users across North America and Europe. The device owners had no idea their hardware was involved. Most noticed only that their internet felt sluggish. ISPs detected the anomalous outbound traffic; the owners assumed a local outage. The entry point in virtually every case: the admin password was still "admin".

📖 The pivot problem on flat networks

A recurring pattern in reported home network intrusions: an attacker gains access to a smart home device through a default credential or unpatched vulnerability, then uses that foothold to scan the same network for higher-value targets. On a flat network, a smart TV can see open file sharing ports, NAS admin panels, and printer interfaces without any elevated access. The IoT device was the door; the unprotected network architecture was the hallway. Isolating IoT devices does not make the camera unhackable — it makes the camera a dead end instead of a springboard to everything else.

Audit or replace? A decision framework

Before investing 90 minutes in configuration, confirm the router is worth configuring. Hardening a device with an unpatched critical vulnerability or no guest network capability produces a false sense of security — thorough configuration cannot compensate for fundamental hardware or software limitations.

Factor	Audit it	Replace it
Router age	Under 5 years	5+ years old
Last firmware release from manufacturer	Within 12 months	2+ years ago
Known unpatched CVE on this model	None found	Yes, critical severity
WPA3 encryption support	Supported	WPA2 maximum
Guest network capability	Available	Not supported
Manufacturer support status	Active	End-of-life declared

Three or more Replace signals: replace before auditing. A Wi-Fi 6 router with active manufacturer support (Asus AX series, TP-Link Archer AX, Eero Pro 6) runs $80–$150 — roughly one year of a single streaming subscription.

🔍 Three external checks before you open the admin panel

These tools give you an outsider's view of your network in under 10 minutes and can fundamentally shift your priorities before you change a single setting.

Shodan.io — what the internet sees when it looks at your IP

Find your public IP address at whatismyip.com, then search it at shodan.io. A properly secured home router returns zero results — no open ports, no service banners, no device fingerprinting. Any open ports listed (common home router offenders: 8080, 23, 22, 7547, 443) mean your router or a device behind it is reachable from the public internet. Shodan findings take priority over the normal audit sequence — address them before anything else.

nvd.nist.gov — check your exact router model for published vulnerabilities

Search your router's exact model number at the National Vulnerability Database. Filter by severity score. A CVSS score of 9.0 or above on your specific model with no corresponding patch in the current firmware is a replace-immediately signal — no configuration change compensates for a remotely exploitable, unauthenticated vulnerability in the router's core software. This check takes 2 minutes and tells you immediately whether the audit is even worth running.

haveibeenpwned.com — check whether household credentials are already exposed

Enter every email address used by household members at haveibeenpwned.com. If an address appears in a breach that included passwords, and those passwords were reused anywhere in your household — on the router admin panel, on Wi-Fi-connected accounts, or on any service accessed from home devices — you may already be compromised through credential stuffing rather than a network-level attack. Old breaches from 5+ years ago frequently surface here, and the credentials from those breaches remain in active use by automated attack tooling today.

🚨 If you suspect you are already compromised

Warning signs: admin login credentials that suddenly do not work, devices behaving abnormally without explanation, internet speeds significantly slower than your subscribed plan, or an ISP notification about unusual outbound traffic from your address. If any apply, run this sequence before the audit — not alongside it.

1
Physically disconnect sensitive devices from the network immediately.
Use mobile data for banking and email until the audit is complete. On a router-level compromise, unencrypted traffic from every connected device may be readable by whoever controls the router. This is not overcaution — it is the appropriate response to an unknown threat with an unknown scope.
2
Factory reset the router.
Some router malware — notably VPNFilter, which affected over 500,000 devices in 2018 — persists across standard reboots in non-volatile storage but is eliminated by a full factory reset. Hold the physical reset button for 10–30 seconds (check your model's instructions — duration varies). This clears all configuration, including any backdoors installed by the attacker. Reconfigure from scratch using this checklist immediately after.
3
Change passwords on all accounts accessed from that network.
Do this from a device using mobile data — not from any device that was connected to the compromised network during the incident. Prioritize email (the master key to every other account via password reset), banking, cloud storage, and any service with saved payment methods. Treat any unencrypted traffic sent during the compromise window as potentially captured.
4
Contact your ISP.
ISPs can provide outbound traffic logs, temporarily block your IP from participating in known botnet traffic patterns, and advise if your address appears on industry blacklists. Some ISPs proactively detect when a customer's IP is active in botnet behavior and can share the timeline of that activity — a useful input when trying to understand the scope of the incident. They are a significantly underused resource during home network emergencies.

🧮 Where your 90 minutes actually goes

First-time audits consistently run longer than expected — not because individual steps are technically demanding, but because discoveries along the way require investigation. This breakdown includes contingency time for what you are likely to find.

External pre-audit checks (Shodan, NVD, HIBP)10 min

Admin credentials and remote access settings10 min

Firmware update including router restart15 min

Wi-Fi settings and reconnecting all devices20 min

Guest and IoT network setup and device migration15 min

Connected device identification and cleanup20 min

Firewall, DNS, and audit documentation15 min

Contingency for unexpected findings+30 min

The connected device section alone regularly runs 30+ minutes in households with 15 or more devices. Identifying every ESP module, smart plug, and forgotten tablet by MAC address is genuinely slow work — but it is the section most likely to surface something you did not know was there.

Master This Checklist Quickly

Every important button and option for this pre-made checklist, shown in a glance-friendly format.

Start Here

1
Click any item row to mark it complete.
2
Use the note row under each item for quick notes.
3
Use the tool row for undo, redo, reset, and check all.
4
Use Save Progress when you want to continue later.

Checklist Row Tools

UndoRedoResetCheck allCollapse/Expand sectionsShow/Hide detailsInline notes

Top Action Buttons

Open all sharing and export options in one menu.

Email DraftContinue on another devicePrint or Save as PDFPlain Text (.txt)Word (.docx)Excel (.xlsx)

Add & Ask

Open one menu for apps and AI guidance.

NotionTodoist CSVChatGPTClaude

Copy and customize

Create a new editable checklist pre-filled with your chosen content.

Save Progress

Adds this checklist to My Checklists and keeps your progress in this browser.

Most Natural Usage

Track over time

Check items -> Add notes where needed -> Save Progress

Send or export

Open Share -> Choose format -> Continue

Make your own version

Copy and customize -> Open create page -> Edit freely