Today’s routers are loaded with features that make them easier for everyday consumers to use. However, some of these features are vulnerable to hackers, so I always turn off these router settings for better security.

Wi-Fi Protected Setup (WPS) sounds like a fantastic idea on paper. It lets you authenticate wireless devices on your network by simply pushing the WPS button on your router. Then, you go to a client device and press its WPS button. Voilà, it’s connected, all without needing to enter a Wi-Fi password.

router_WPS_button

The ease of WPS is what makes it so tempting—especially if you’re using one of those routers from your ISP that comes with a long and tedious default password. But after learning network security steps, I always disable it in my router’s admin panel.

How come? Malicious users can hijack WPS with ease and gain entry to your wireless network. That’s because WPS:

tplink disable WPS setting

The better solution is old-fashioned: require a strong Wi-Fi password withWPA2 or WPA3(if you have a more recent router). These protocols have more difficult-to-crack encryption and security implementations.

Routers are the gatekeepers to your home network and protect it from the roaming bot gangs of the interwebs. But that protection can be frustrating when it’s overzealous. In the past, multiplayer games often failed to connect if you didn’t open the right ports on your router. Major bummer.

asus router disable upnp

Opening ports correctly was never as straightforward as it sounded. Does the software need a single port or a range? And should they be opened forTCP or UDP?

When Universal Plug and Play (UPnP) appeared around 2000, it looked like the hero that saved the day. Here’s a simplified explanation of how UPnP works:

apple airport router express base

I had an intense but brief fling with UPnP when it first arrived. But that affair has ended, and I always disable UPnP now. Where did the love go?

UPnP is dangerousbecause a rogue program can take advantage of the protocol’s rich feature set to open ports without your knowledge—effectively circumventing the protection of your router’s firewall.

asus router disable nat-pmp port trigger

Luckily, most apps today are programmed to function as intended, even when UPnP is disabled. For the few cases that won’t—like accessing your Plex media server away from home—it’s safer to set up a port forwarding rule for only what you need.

The network engineers at Apple recognized the security risks with UPnP and devised an alternative solution for their apps called Network Address Transversal Port Mapping Protocol. NAT-PMP has a similar goal to UPnP, except that NAT-PMP:

NAT-PMP was first introduced by Apple in 2005. After all this time, the protocol is still only commonly used by Apple software, which is baked into apps like FaceTime. That doesn’t mean only Apple users are affected: NAT-PMP is often enabled by default on many mainstream router brands like ASUS and NETGEAR.

So, did Apple succeed in tightening security with NAT-PMP? To an extent, yes, but it’s still not enough. I always disable NAT-PMP (sometimes listed as “port triggering”), and I recommend you do the same.

NAT-PMP also uses flawed logic to let apps control which ports to open on your router. This is fine when Apple AirPlay requests it, but it’s not so great when Trojan App XYZ figures out how to fake authentication to get the same privileges.

NAT-PMP security vulnerabilities have affected millions of devices. It’s simply safer to turn the feature off. Even with it disabled, my mobile and Apple TV 4K apps still work just fine. For the rare hiccups,use port forwardinginstead.

Maturing into a security-first mindset can sometimes mean giving up what’s easiest. Maybe you’ll decide it’s time to eliminate these three security risks.