I audit networks professionally, and home networks are almost always in worse shape than the small-business ones — not because homeowners are careless, but because nobody ever handed them a list. This is that list: a complete home network security checklist, 25 steps, ordered so the highest-impact items come first. Steps 1–10 work on any router made in the last decade. Steps 11–19 need gear with VLAN support. Steps 20–25 are the pro tier.

Do the first ten this weekend. Seriously — they take about two hours total and eliminate the attack paths I actually see exploited.

How to Use This Checklist

Tier Steps Gear required Time
Baseline 1–10 Any router ~2 hours
Segmented 11–19 VLAN-capable gateway (UniFi, OPNsense, etc.) ~1 evening
Professional 20–25 Same, plus discipline Ongoing

Tier 1: Baseline — Do These on Any Router (Steps 1–10)

☐ 1. Change the router's admin password. Not the Wi-Fi password — the one that opens the settings page. Default and printed-on-the-sticker credentials are in every scanning tool on earth. Make it 16+ random characters, store it in a password manager (Bitwarden is free; 1Password is $36/year and worth it for families).

☐ 2. Update the firmware, then turn on auto-updates. The majority of real-world router compromises exploit vulnerabilities that were patched months or years earlier. If your router is end-of-life and no longer receives firmware — check the vendor's support page — replace it. An unpatched router isn't a savings; it's a liability with antennas. A $129 UniFi Cloud Gateway Ultra beats a "free" router that last saw an update in 2022.

☐ 3. Disable WPS. Wi-Fi Protected Setup — the push-button pairing feature — has a PIN mode with a design flaw that's been trivially brute-forceable since 2011. Some routers keep the PIN method active even when the button is off. Kill the whole feature.

☐ 4. Disable UPnP. Universal Plug and Play lets any device on your network open inbound ports through your firewall, silently, with zero authentication. Malware loves it. Game consoles are the usual reason people leave it on; forward the two or three ports your console needs manually instead. Five minutes of setup versus a permanently self-opening firewall — easy call.

☐ 5. Disable remote (WAN-side) administration. Your router's settings page should be reachable only from inside your network. While you're in there, also disable Telnet and confirm nothing answers on the WAN side — grc.com/shieldsup is a free way to check from outside.

☐ 6. Use WPA3 (or WPA2-AES) with a long passphrase. WPA3 if all your gear supports it, WPA2/WPA3 transitional mode if not. Never WEP, never WPA-TKIP. Make the passphrase a four-word diceware phrase — long beats clever, and you'll be able to read it out loud to guests. Which you mostly shouldn't do, because:

☐ 7. Set up the guest network — and actually use it. Client isolation on, "access local network" off. Every visitor's phone goes here. Their devices carry whatever they've picked up from every other network they've joined; your NAS doesn't need to meet any of that.

☐ 8. Change your DNS to a filtering resolver. This is the highest security-per-minute step on the list. Point your router's DNS at a filtering service and every device in the house gets malware-domain and ad blocking with zero software installed:

  • NextDNS — my default recommendation. Free for 300k queries/month (fine for most homes), $19.90/year unlimited. Per-device logs, threat-intel feeds, parental controls.
  • AdGuard DNS public resolvers (94.140.14.14) — free, zero-config. Or self-host AdGuard Home on a $50 Raspberry Pi if you want full local control.
  • Quad9 (9.9.9.9) — free, nonprofit, malware-blocking only, no account. The set-and-forget option.

☐ 9. Inventory every device on your network. Open your router's client list and identify every single entry. Anything you can't name gets investigated, then blocked. You cannot defend what you don't know exists — this is Asset Management 101, and it applies to your house.

☐ 10. Check for exposed ports and services. Run ShieldsUP (grc.com) or scan your public IP with an online nmap. The answer should be: nothing open. Found something? UPnP probably did it (see step 4), or an old port-forward you forgot. Delete forwards you can't explain.

Tier 2: Segmentation — VLANs and Isolation (Steps 11–19)

These require a gateway that speaks VLANs. My recommendations by budget are in Best Home Network Setup for 2027; the short version is any UniFi gateway from the $129 Cloud Gateway Ultra up through the UniFi Dream Machine Pro does everything below.

☐ 11. Create an IoT VLAN and move the junk onto it. Smart plugs, bulbs, TVs, speakers, robot vacuum, the Wi-Fi air fryer someone gifted you. Internet access: yes. Access to your main network: no. The average IoT device stops receiving security patches roughly two years after release and then lives on your network for a decade. Segmentation assumes compromise — because you should.

☐ 12. Punch only the holes you need. Casting and discovery break across VLANs by design. Don't respond by allowing everything — allow specifically: an mDNS repeater for Chromecast/AirPlay discovery, plus a firewall rule letting your Trusted VLAN open connections to IoT, never the reverse. Established/related traffic flows back automatically. One-way glass.

☐ 13. Put cameras on their own VLAN — ideally with no internet at all. If you run a local NVR (see Best Home Security Cameras for 2027), your cameras never need to talk to the internet. Block their outbound entirely. A camera that can't phone home can't leak footage, join a botnet, or ship telemetry to whoever built its firmware. This single rule is why security folks prefer local recording.

☐ 14. Isolate your work-from-home machine. Your employer's laptop is managed by people who aren't you, running agents you can't audit. Its own VLAN, internet-only. This protects your home from your employer and your employer from your home — everybody wins.

☐ 15. Set DHCP reservations for infrastructure. NVR, NAS, printers, APs — fixed addresses. Firewall rules that reference devices by IP are worthless if the IP wanders.

☐ 16. Disable your ISP router's Wi-Fi and extra services. If you've put your own gateway behind the ISP box, bridge the ISP box entirely. Xfinity's equipment, for example, broadcasts a public "xfinitywifi" hotspot from your modem by default unless you opt out or run your own. Your network should have exactly one router and exactly one set of radios you control.

☐ 17. Turn on your gateway's IDS/IPS. On UniFi it's Settings → Security → Threat Detection — Suricata-based, free, and on a gigabit connection the throughput cost is negligible. Start in detect-only for two weeks, review what it flags, then switch to block. It won't stop a targeted attacker; it will absolutely catch commodity scanning, known-exploit traffic, and that one IoT device beaconing somewhere it shouldn't (I've caught exactly this at client sites — most memorably a smart TV connecting to an unregistered domain every 30 seconds).

☐ 18. Watch for lateral movement, not just intrusions. The IDS alert that matters most isn't "internet scanned your WAN" (constant, boring, blocked). It's a port scan from inside — VLAN 20 probing VLAN 1 means something in your house is compromised and looking around. On UniFi, internal interfaces are covered by threat detection; make sure alerting is actually on and going somewhere you'll see it.

☐ 19. Log to somewhere, and glance at it monthly. Perfect is a syslog target or UniFi's built-in flows/insights. Acceptable is opening the dashboard once a month and asking: any new devices? Any weird top-talkers? Any device suddenly uploading gigabytes at 3 a.m.? Detection begins with knowing your baseline.

Tier 3: Professional Habits (Steps 20–25)

☐ 20. Never expose services by port forwarding — use WireGuard. No forwarded ports to your NAS, your NVR, your Home Assistant. Exposed home services get found by Shodan within days and brute-forced continuously forever. Instead, run the WireGuard VPN server built into your gateway (free on UniFi), install the app on your phone, and reach everything as if you were home. One UDP port, modern crypto, connects in under a second. Tailscale (free for personal use) is an even easier alternative that requires zero open ports.

☐ 21. Turn off cloud remote access you don't use. Every "manage from anywhere!" feature is an authentication surface. If you have WireGuard (step 20), you don't need the vendor cloud portal, the NVR's P2P mode, or the NAS's QuickConnect. Off, off, off.

☐ 22. Enable 2FA on everything that manages your network. Ubiquiti account, ISP account, DNS provider, domain registrar if you have one. An attacker who owns your ui.com account owns your firewall politely, through the front door. Use an authenticator app or hardware key — not SMS.

☐ 23. Put the network on a UPS. Availability is a security property. A $60–80 CyberPower CP800AVR keeps the gateway, a switch, and cameras up through outages — which, not coincidentally, is when you most want cameras recording. It also prevents the dirty shutdowns that corrupt NVR drives.

☐ 24. Back up your configs. UniFi does scheduled automatic backups — confirm they're on, and export a copy off-device quarterly. Rebuilding a segmented network from memory is a lost weekend; restoring a backup is ten minutes.

☐ 25. Re-audit twice a year. Set a calendar reminder. Firmware current? Client list clean? Any firewall rules or port forwards you can't explain? New IoT gifts that snuck onto the wrong VLAN over the holidays? (This one's real — December is when segmentation goes to die.) Thirty minutes, twice a year.

The Five Findings I Hit in Almost Every Audit

After enough home network audits, you stop being surprised. These five show up over and over, so check yours against the list:

  1. A forgotten port forward to a dead device. Set up in 2021 for a Minecraft server or an old DVR, still open, now pointing at whatever device inherited that IP. Every forward you can't explain gets deleted today — see steps 10 and 20.
  2. The router before the router. An ISP gateway still routing in front of the owner's "real" router: double NAT, two firewalls nobody fully controls, and usually an ISP-managed Wi-Fi network still broadcasting from the first box. Step 16 exists because of how often I find this.
  3. The 2019 firmware. A midrange router that has never once been updated, because updates were manual and the owner reasonably never thought about it. Half the time the model is past end-of-life and can't be fixed, only replaced.
  4. Everything on one flat network. The work laptop, the NAS with the family photos, forty IoT devices, and the kids' school Chromebooks, all one happy broadcast domain. Fixing this is steps 11–14, and the full walkthrough with firewall rules is in the Home Network VLAN Guide.
  5. An NVR or NAS exposed to the internet — either by a port forward "so I can check the cameras from work" or by a vendor P2P cloud feature nobody remembers enabling. This is the single scariest common finding. The fix is a proper VPN, which takes twenty minutes and is covered in depth in Best Home VPN Setup.

None of these people were careless. Every one of these networks was set up reasonably by a smart person who was never handed a checklist. That's the entire reason this page exists.

The Threat Model, Briefly

You are not defending against the NSA, and pretending you are leads to burnout, not security. You're defending against three realistic things: automated scanning that exploits anything unpatched and exposed (steps 2, 4, 5, 10, 20), commodity malware and phishing payloads landing on one device and spreading (8, 11, 17, 18), and untrustworthy-by-design devices you willingly plugged in (11, 13, 21). Every step above maps to one of those. Nothing on this list is theater.

Where to Start

Print this, do steps 1–10 this weekend, and you're ahead of 90% of households. If your current router can't do steps 11+, that's your sign — the Best Home Network Setup for 2027 has complete builds starting at $496, and UniFi vs eero vs Orbi explains why the mesh kit at Costco can't run half this checklist.

Want it done for you? A network audit and hardening pass is Ryno Systems' bread and butter. Get in touch.