I always disable these 3 settings on my router: Here’s why
Today’s routers are loaded with features that make them easy to use for everyday consumers. However, some of these features are vulnerable to hackers, so I always turn off these router settings for better security.
1 WPS
Wi-Fi Protected Setup (WPS) sounds like a fantastic idea on paper. It allows you to authenticate wireless devices on your network by simply pressing the WPS button on the router. Then you go to the client device and press its WPS button. Voilà, it’s connected, all without having to enter the Wi-Fi password.
The simplicity of WPS makes it so tempting—especially if you’re using one of those routers from your ISP that comes with a long, wordy default password. But after learning more about the actual network security steps, I always disable it in my router’s admin panel.
How? Malicious users can easily hijack WPS and gain access to your wireless network. That’s because WPS:
- Communicates using a PIN, which is trivial to brute force.
- Has vulnerabilities in its design that often cannot be patched.
A better solution is the old-fashioned one: require a strong Wi-Fi password with WPA2 or WPA3 (if you have a newer router). These protocols have more complex encryption and security implementations.
2 UPnP
Routers are the guardians of your home network, protecting it from the roaming bots of the interwebs. But this protection can be frustrating when overzealous. In the past, multiplayer games often failed to connect unless you opened the correct ports on your router. Big mess.
Opening ports properly has never been as easy as it sounds. Does the software need a single port or range? And should they be open to TCP or UDP?
When Universal Plug and Play (UPnP) appeared around 2000, it looked like a hero to save the day. Here is a simplified explanation of how UPnP works:
- Your software requests permission for the ports it needs.
- Your router’s UPnP feature will open these ports automatically.
I had an intense but brief flirtation with UPnP when it first arrived. But that issue is over and I always disable UPnP now. Where did the love go?
UPnP is dangerous because a rogue program can take advantage of the protocol’s rich feature set to open ports without your knowledge – effectively bypassing your router’s firewall protection.
Fortunately, most applications these days are programmed to work as intended even when UPnP is disabled. In the few cases where they don’t—like accessing your Plex media server from outside the home—it’s safer to set up a port forwarding rule for just what you need.
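Before turning UPnP off, it is worth checking what it has already opened. The sketch below is an added example, not part of the original article: it parses UPnP IGD `GetGenericPortMappingEntry` responses and flags mappings you did not set up on purpose. The sample responses, IP addresses, the `update-helper` description and the `SENSITIVE_PORTS` list are constructed assumptions.

```python
import xml.etree.ElementTree as ET

# Output arguments of the UPnP IGD action GetGenericPortMappingEntry.
FIELDS = ("NewRemoteHost", "NewExternalPort", "NewProtocol", "NewInternalPort",
          "NewInternalClient", "NewEnabled", "NewPortMappingDescription",
          "NewLeaseDuration")
SENSITIVE_PORTS = {22, 23, 445, 3389}  # assumption: services you never want exposed

def parse_mapping(soap_xml):
    """Extract one port mapping from a GetGenericPortMappingEntryResponse."""
    found = {}
    for el in ET.fromstring(soap_xml).iter():
        tag = el.tag.rsplit("}", 1)[-1]  # drop the XML namespace, if any
        if tag in FIELDS:
            found[tag] = (el.text or "").strip()
    missing = [f for f in FIELDS if f not in found]
    if missing:
        raise ValueError(f"not a port-mapping response, missing {missing}")
    return found

def audit(mappings, expected):
    """Return [(mapping, reasons)]; expected holds (client, protocol, external port)."""
    findings = []
    for m in mappings:
        key = (m["NewInternalClient"], m["NewProtocol"].upper(), int(m["NewExternalPort"]))
        checks = [(key not in expected, "not in expected list"),
                  (int(m["NewInternalPort"]) in SENSITIVE_PORTS, "exposes a sensitive internal port"),
                  (m["NewLeaseDuration"] == "0", "no expiry (IGD v1 lease 0)")]
        reasons = [why for hit, why in checks if hit]
        if reasons and m["NewEnabled"] == "1":  # disabled entries forward nothing
            findings.append((m, reasons))
    return findings

def constructed_response(ext, proto, iport, client, desc, lease):
    """Build a sample response for the demo (constructed, not from a real router)."""
    vals = ("", ext, proto, iport, client, 1, desc, lease)
    body = "".join(f"<{f}>{v}</{f}>" for f, v in zip(FIELDS, vals))
    return ('<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body>'
            '<u:GetGenericPortMappingEntryResponse '
            'xmlns:u="urn:schemas-upnp-org:service:WANIPConnection:1">'
            f"{body}</u:GetGenericPortMappingEntryResponse></s:Body></s:Envelope>")

SAMPLE = [constructed_response(32400, "TCP", 32400, "192.168.1.20", "Plex", 3600),
          constructed_response(50022, "TCP", 22, "192.168.1.57", "update-helper", 0)]
EXPECTED = {("192.168.1.20", "TCP", 32400)}  # the one forward set up on purpose

if __name__ == "__main__":
    for m, reasons in audit([parse_mapping(x) for x in SAMPLE], EXPECTED):
        print(m["NewExternalPort"], "->", m["NewInternalClient"], m["NewInternalPort"], reasons)
```

Anything it flags is a mapping to remove and then replace, if it is actually needed, with a manual port forwarding rule.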
3 NAT-PMP
Apple’s network engineers recognized the security risks of UPnP and designed an alternative solution for their applications called Network Address Transversal Port Mapping Protocol (NAT-PMP). NAT-PMP has a similar goal to UPnP, except that NAT-PMP:
- Is more narrowly focused on port mapping only.
- Has stricter security implementations.
NAT-PMP was first introduced by Apple in 2005. After all this time, the protocol is still mostly used only by Apple software, where it is baked into apps like FaceTime. This doesn’t mean only Apple users are affected: NAT-PMP is often enabled by default on many common router brands such as ASUS and NETGEAR.
So has Apple succeeded in tightening security with NAT-PMP? To some extent yes, but still not enough. I always disable NAT-PMP (sometimes listed as “port triggering”) and recommend you do the same.
NAT-PMP also uses flawed logic to allow applications to control which ports are opened on your router. That’s fine when Apple AirPlay asks for it, but not so great when Trojan App XYZ figures out how to fake authentication to get the same permissions.
NAT-PMP vulnerabilities affect millions of devices. It’s just safer to turn the feature off. Even with it turned off, my mobile app and the Apple TV 4K app still work fine. For rare hiccups, use port forwarding instead.
Achieving a safety-first mindset can sometimes mean giving up what’s easiest. You may decide it’s time to eliminate these three security risks.