How to Tell if Someone Hacked Your Router (and What to Do Next)

By Chris Thompson

Your home router is the gateway to everything you do online. Every device in your house—from your phone to your smart TV—depends on it to connect to the internet.

But here’s something many people don’t realize: routers can be hacked. And when they are, the consequences can affect every device on your network.

In recent years, government agencies like CISA and the FBI have issued multiple warnings about compromised home routers. Cybercriminals and even state-sponsored hackers have been actively targeting these devices to steal data, redirect your web traffic, and spy on your activity.

The good news? There are clear warning signs you can watch for. In this guide, you’ll learn how to spot if your router has been hacked, what steps to take immediately, and how to protect yourself going forward.

Can a Router Be Hacked?

Yes, routers can absolutely be hacked. In fact, they’re a popular target for attackers because compromising a router gives them access to every device on your network.

Here’s how it typically happens:

  • Default or weak admin passwords – Many people never change the default password on their router. Research shows that 81% of consumers haven’t changed their router’s admin password, leaving them vulnerable to takeover.
  • Outdated firmware – Routers that no longer receive security updates (called “end-of-life” or EOL routers) are prime targets. The FBI has warned that cybercriminals are actively exploiting these outdated devices.
  • Exposed remote management – If remote administration is enabled on your router, attackers can potentially access it from anywhere on the internet.
  • Known vulnerabilities – Security flaws in router software can be exploited if they’re not patched. For example, a critical vulnerability was discovered in DrayTek Vigor routers in early 2025.

Can Someone Hack My Router Remotely?

Yes, remote hacking is possible—especially if your router has weak security settings or is running outdated firmware.

In January 2024, the U.S. Department of Justice disrupted a massive botnet called KV-botnet that had compromised thousands of home and small office routers. These routers were being used by Chinese state-sponsored hackers (Volt Typhoon) to hide their attacks on critical infrastructure.

This isn’t just a theoretical risk—it’s happening right now.

13 Ways to Check If Your Router Is Hacked

Concerned your router might be compromised? Here are some comprehensive checks you can do in about 30 minutes. You’ll need to access your router’s admin panel for most of these steps.

To access your router: On a device connected to the router, open a web browser and type your router’s IP address (usually 192.168.0.1 or 192.168.1.1—check the sticker on your router if you’re not sure). Log in with your admin credentials.

Pro Tip: Before making any changes, take screenshots or photos of your current router settings. This creates a record of the compromised state and can be helpful if you need to document the issue.

1. Test Your Admin Login

Try logging into your router with your known password.

🚨 Warning sign: If your password doesn’t work or you get locked out, someone may have changed it. This is one of the clearest indicators of a compromised router.

You may also notice settings are greyed out or locked even after you successfully log in—another red flag that someone has tampered with your router’s configuration.

2. Check Your DNS Settings

Navigate to your router’s DNS settings (usually under “Internet” or “WAN” settings). You’ll see one or two IP addresses listed—these are your DNS servers.

Write down the addresses and verify them against your ISP’s DNS servers (call your provider or search online). For example, Xfinity’s default DNS servers are 75.75.75.75 and 75.75.76.76.

🚨 Warning signs to look for:

  • DNS servers set to unfamiliar IP addresses you can’t verify.
  • Excessive pop-ups appearing across all your devices.
  • Being sent to unexpected websites when you try to visit legitimate sites.

DNS hijacking is one of the most common router attacks. When attackers change your DNS settings, they can redirect your traffic through malicious servers, intercept passwords, and deliver malware.

Pro Tip: Temporarily change your DNS to a trusted service like Google DNS (8.8.8.8 and 8.8.4.4) or Cloudflare DNS (1.1.1.1 and 1.0.0.1). If the redirects and pop-ups stop, you’ve confirmed DNS hijacking.

3. Review Connected Devices

Look for a section in your router settings called “Connected Devices,” “DHCP Client List,” or “Device List.” This shows every device currently connected to your network.

You’ll see device names, IP addresses, and MAC addresses (unique hardware identifiers). Compare this list to your household’s known devices—phones, laptops, tablets, smart TVs, gaming consoles, etc.

🚨 Warning sign: Unfamiliar device names or MAC addresses you don’t recognize on your network.

If you spot unknown devices, disconnect them immediately and change your Wi-Fi password.

4. Run a Network Security Check on Your Phone

Use Certo for iPhone or Android to scan for man-in-the-middle attacks and network security issues.

🚨 Warning sign: Certo detects that your network is under attack or that you’re experiencing a MITM attack.

This provides a quick device-side check that something isn’t right with your network—especially useful if you’re not comfortable digging through router settings.

Fig 1. The Certo app detecting a compromised network.

5. Inspect Admin Accounts and Access Controls

Look for the admin accounts section in your router settings.

🚨 Warning sign: Additional admin accounts you didn’t create, or unknown user accounts with administrative privileges.

Make sure there’s only one admin account—yours. If you see extras, your router could have been compromised by someone who created a backdoor for future access.

6. Check Remote Management Settings

Verify whether remote management is enabled. This setting is usually found under “Administration” or “Management” settings.

🚨 Warning sign: Remote management (WAN access) is turned on when you didn’t enable it, or it’s accessible from the internet without your knowledge.

Unless you specifically need remote access and have secured it properly with strong authentication, this should always be disabled. Exposed remote management is a common entry point for attackers.

7. Review Port Forwarding and UPnP

Find your router’s “Port Forwarding,” “Virtual Server,” or “NAT/Gaming” section. This shows any rules that allow external internet traffic to reach specific devices on your network.

Also check for UPnP settings, usually found in the same area. UPnP automatically creates port forwards when devices request them—convenient for gaming consoles and smart home devices, but also exploitable.

Review any active port forwarding rules and UPnP mappings. For each one, ask yourself: Did I create this? Do I recognize the device or service?

🚨 Warning signs:

  • Port forwarding rules pointing to unknown devices or ports.
  • UPnP mappings for services you don’t use.
  • Rules that keep reappearing after you delete them.
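The device review in check 3 and the port forwarding review in this check can be done together once you have copied both tables out of the admin panel. The following is an added example, not part of the original article: it compares a DHCP client list and a forwarding/UPnP table against a household inventory. Every address, MAC, rule, and name in it (`KNOWN_DEVICES`, `DHCP_CLIENTS`, `FORWARDS`, `EXPECTED_FORWARDS`) is constructed for illustration.

```python
KNOWN_DEVICES = {  # MAC -> label; constructed inventory you maintain yourself
    "a4:83:e7:10:22:01": "laptop",
    "3c:22:fb:9a:10:02": "phone",
    "00:11:32:5e:77:03": "game console",
}
# Constructed DHCP client list copied from the admin page: (hostname, ip, mac).
DHCP_CLIENTS = [
    ("laptop", "192.168.1.10", "A4-83-E7-10-22-01"),
    ("phone", "192.168.1.11", "3c:22:fb:9a:10:02"),
    ("console", "192.168.1.12", "00:11:32:5E:77:03"),
    ("", "192.168.1.57", "de:ad:be:ef:00:99"),
]
# Constructed forwarding/UPnP table: (source, ext_port, internal_ip, int_port).
FORWARDS = [
    ("manual", 3074, "192.168.1.12", 3074),
    ("upnp", 8443, "192.168.1.57", 443),
    ("upnp", 2323, "192.168.1.200", 23),
    ("upnp", 5001, "192.168.1.10", 5001),
]
EXPECTED_FORWARDS = {(3074, "192.168.1.12", 3074)}  # rules you created on purpose


def norm_mac(mac):
    """Normalise case and separators so 'A4-83-..' equals 'a4:83:..'."""
    digits = "".join(c for c in mac.lower() if c in "0123456789abcdef")
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def unknown_devices(clients, known):
    """Clients whose MAC is not in the inventory: (ip, mac, randomised_mac)."""
    known = {norm_mac(m) for m in known}
    macs = [(ip, norm_mac(mac)) for _, ip, mac in clients]
    # Locally administered bit (0x02) set: often a phone using a private address.
    return [(ip, m, bool(int(m[:2], 16) & 0x02)) for ip, m in macs if m not in known]


def suspicious_forwards(forwards, clients, known, expected):
    """Rules you did not create: (source, ext_port, internal_ip, reason)."""
    unknown_ips = {ip for ip, _, _ in unknown_devices(clients, known)}
    leased_ips = {ip for _, ip, _ in clients}
    findings = []
    for source, ext, ip, port in forwards:
        if (ext, ip, port) in expected:
            continue
        if ip not in leased_ips:
            reason = "target has no DHCP lease"
        elif ip in unknown_ips:
            reason = "target is an unrecognised device"
        else:
            reason = "known device, but rule not in expected list"
        findings.append((source, ext, ip, reason))
    return findings
```

A device with a manually assigned (static) IP address will not appear in the DHCP list, so "no DHCP lease" means "check by hand," not proof of tampering. Likewise, a randomised MAC on an unknown entry may be one of your own phones using a private Wi-Fi address.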

8. Look for Unfamiliar Network Names

Check the wireless settings to see what SSIDs (network names) are broadcasting from your router.

🚨 Warning sign: A guest network or additional SSID you didn’t create.

Attackers sometimes enable guest networks or add new SSIDs as a persistence mechanism, allowing them continued access even if you change the main Wi-Fi password.

9. Verify Time Zone and NTP Settings

Check that your router’s time zone is correct and that the NTP server (the internet time server your router uses to stay accurate) looks legitimate.

Common legitimate NTP servers include those from your router manufacturer, your ISP, or public services like time.nist.gov or pool.ntp.org.

🚨 Warning sign: Your time zone or NTP (Network Time Protocol) server has been changed without your knowledge.

While less common, attackers sometimes alter these settings to cover their tracks in log files or interfere with security certificates.

10. Check Firmware Version and EOL Status

Find your router’s current firmware version (usually under “System” or “Administration”). Write it down, then search online for your router model to see if you’re running the latest version.

🚨 Warning signs:

  • Firmware is severely outdated (more than a year old).
  • Router is end-of-life (manufacturer no longer provides updates).
  • Known vulnerabilities exist for your router model with no available patch.

Important: If your router is EOL, you should replace it as soon as possible. EOL routers are being actively exploited in the wild and no amount of configuration can fully protect them.

11. Review Router Logs

If your router keeps logs (many consumer routers have basic logging), check them carefully.

🚨 Warning signs:

  • Repeated failed login attempts from unknown IP addresses.
  • Configuration changes made at odd hours (e.g. when you were asleep).
  • Unexpected reboots or disconnections.
  • Connections from IP addresses you don’t recognize.

Many consumer routers don’t keep detailed logs, but if yours does, enable logging and review it regularly.
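If you can export or copy the log as text, the warning signs above can be checked mechanically. The following is an added example, not part of the original article. The log line format, the sample entries, the `LAN` subnet, the quiet-hours window, and the failure threshold are all assumptions, because router log formats differ by vendor.

```python
import re
from collections import Counter
from datetime import datetime
from ipaddress import ip_address, ip_network

# Constructed sample log; the line format is an assumption (vendors differ).
SAMPLE_LOG = """\
2025-03-02 02:58:11 admin login failed from 203.0.113.45
2025-03-02 02:58:15 admin login failed from 203.0.113.45
2025-03-02 02:58:19 admin login failed from 203.0.113.45
2025-03-02 02:58:40 admin login success from 203.0.113.45
2025-03-02 03:01:02 config changed: dns1=198.51.100.7
2025-03-02 03:01:30 system reboot
2025-03-02 19:20:05 admin login failed from 192.168.1.10
2025-03-02 19:25:44 config changed: wifi_channel=6
"""
LAN = ip_network("192.168.1.0/24")  # assumption: your home subnet
QUIET_HOURS = range(0, 6)           # assumption: nobody changes settings 00:00-05:59
FAIL_THRESHOLD = 3                  # assumption: failures per source worth a look
LINE = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) (.+)$")
LOGIN = re.compile(r"^admin login (failed|success) from (\S+)$")


def on_lan(src):
    try:
        return ip_address(src) in LAN
    except ValueError:
        return False  # unparseable source: treat as not local


def triage(log_text):
    """Return (kind, detail, timestamp) findings for the warning signs above."""
    findings, fails = [], Counter()
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # line does not match the assumed format
        ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
        msg = m.group(2)
        login = LOGIN.match(msg)
        if login:
            outcome, src = login.groups()
            if outcome == "failed":
                fails[src] += 1
                if fails[src] == FAIL_THRESHOLD:  # report each source once
                    findings.append(("repeated-failed-logins", src, ts))
            elif not on_lan(src):
                findings.append(("admin-login-from-outside-lan", src, ts))
        elif msg.startswith("config changed") and ts.hour in QUIET_HOURS:
            findings.append(("config-change-in-quiet-hours", msg, ts))
        elif msg == "system reboot":
            findings.append(("reboot", msg, ts))
    return findings
```

Calling `triage(SAMPLE_LOG)` returns four findings for the constructed sample. The single failed login from a LAN address and the evening channel change are not reported.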

12. Test for Certificate Warnings Across Devices

On your phone, laptop, or tablet, visit several major websites (your bank, Google, Facebook, etc.).

🚨 Warning sign: Security certificate warnings or TLS/HTTPS errors appearing on multiple trusted websites across different devices.

This is a strong indicator of a man-in-the-middle attack, often facilitated by router compromise. If one device shows errors, it might just be a problem with that specific device—but if multiple devices show the same warnings, suspect the router.

13. Watch for Performance Issues

Beyond your router’s settings, you may have noticed some unusual behavior in your day-to-day use:

🚨 Warning signs:

  • Router feels unusually hot to the touch.
  • Frequent random reboots.
  • Internet speeds are consistently slow (after ruling out ISP issues).

While these can be symptoms of aging hardware, they can also indicate your router is being used for malicious purposes like cryptocurrency mining or as part of a botnet.

What to Do If Your Router Is Hacked

If you’ve confirmed (or strongly suspect) your router has been compromised, follow these steps immediately:


Step 1: Disconnect from the Internet

Unplug the WAN/internet cable from your router. This isolates your network while you work on fixing the problem.

Keep the power on so you can access the admin panel and document the current state.


Step 2: Document the Compromise

Before making any changes, take screenshots of the compromised settings. This creates evidence of what was altered and can help you spot similar issues in the future.

Take photos or screenshots of:

  • Current DNS settings
  • Port forwarding rules
  • UPnP mappings
  • Admin accounts
  • Any suspicious settings or unfamiliar configurations


Step 3: Factory Reset Your Router

Locate the small reset button on your router (usually requires a paperclip to press). Hold it for 10-30 seconds until the lights flash.

This will erase all settings, including the attacker’s changes—but also your Wi-Fi name, password, and any custom configurations.

⚠️ Important: Before resetting, make sure you have your ISP login credentials handy. Some routers reconnect automatically after a reset, but others require you to manually enter connection details (like PPPoE username and password). If you’re unsure, contact your ISP to get these credentials and familiarize yourself with your router’s initial setup procedure. Without this information, you may not be able to reconnect to the internet after the reset.


Step 4: Update Firmware BEFORE Reconnecting

This is critical. If possible, download the latest firmware from the manufacturer’s website onto a USB drive before reconnecting to the internet.

If your router supports offline/USB firmware updates, install it now. Otherwise, reconnect briefly to download the update, then disconnect again while you reconfigure everything.

Pro Tip: Never skip the firmware update step. Outdated firmware is a common way routers get hacked in the first place. Updating it closes known security holes before you put the router back online.


Step 5: Secure Reconfiguration

Now it’s time to set up your router properly from scratch:

Change the Admin Password

Never use the default router password. Create a new strong, unique admin password (at least 12 characters, mix of letters, numbers, and symbols) and store it in a password manager.

Set Up Wi-Fi Security

  • Use WPA2-AES or WPA3 encryption.
  • Create a strong Wi-Fi passphrase (15+ characters).
  • Change your SSID (network name) to something unique (but don’t include personal info).

Disable Unnecessary Features

  • Turn off remote management (WAN access).
  • Disable WPS (especially PIN mode).
  • Disable UPnP, or if you need it, monitor the mappings closely.

Set Trusted DNS Servers

Point your router to reliable DNS servers:

  • Your ISP’s DNS (call them to get the addresses).
  • Google DNS: 8.8.8.8 and 8.8.4.4.
  • Cloudflare DNS: 1.1.1.1 and 1.0.0.1.

Avoid using unknown DNS servers.

Set Correct Time Zone and NTP

Make sure your router’s clock is set correctly. This is important for logs and security certificates.

Enable Guest Network (Optional)

If you have visitors or IoT devices, create a guest network to keep them separate from your main devices. This adds an extra layer of security.


Step 6: Update Your Passwords

Change passwords for important accounts (especially if you’ve accessed them from your network recently):

  • Email
  • Banking
  • Social media
  • Cloud storage


Step 7: Reconnect and Monitor

Plug the internet cable back in and monitor your network closely for the next few weeks:

  • Check admin settings weekly.
  • Review connected devices regularly.
  • Watch for any signs of tampering.
  • Consider scheduling weekly router reboots.


Step 8: Run Regular Network Scans

Run a free scan with Certo on your iPhone or Android device while connected to your Wi-Fi. This will confirm your network is clean and not subject to man-in-the-middle attacks.

Certo will also scan the device itself for vulnerabilities and insecure configurations.

Wrapping Up

Your router is the foundation of your home network security. When it’s compromised, everything you do online is at risk—from your banking to your private messages.

The encouraging news is that most router hacks are preventable. By changing default passwords, keeping firmware updated, and disabling unnecessary features, you can dramatically reduce your risk.

If you’re dealing with a compromised router right now, don’t panic. Follow the steps in this guide to clean and secure your device. And if your router is old or no longer supported by the manufacturer, seriously consider replacing it.

Your digital safety is worth the investment—and with tools like Certo AntiSpy, you can quickly verify that your network is secure and your devices are protected.

FAQs

Can someone hack my router without the password?

Yes. Attackers can exploit vulnerabilities in outdated firmware, abuse WPS flaws, or target routers with remote management enabled. If your router is end-of-life or has known security issues, it can be compromised even with a strong password.

How often should I reboot my router?

According to guidance from NSA and CISA, weekly reboots can help clear non-persistent malware. However, rebooting is NOT a substitute for firmware updates and proper security configuration.

Do I need to change both my admin password and Wi-Fi password?

Yes, absolutely. The admin password controls access to your router’s settings, while your Wi-Fi password controls who can join your network. Change both to long, unique passwords and store them in a password manager.

Is UPnP safe to leave enabled?

Generally, no. UPnP is convenient but poses security risks. Research has shown it can be abused to create unauthorized port forwards and facilitate attacks. Disable it unless you have a specific need, and if you must keep it on, regularly audit the active mappings.

Should I use a VPN on my router?

A VPN can add privacy by encrypting your traffic, but it won’t fix a compromised router. Clean and secure your router first, then consider a VPN for additional privacy protection if desired.

What’s the difference between WPA2 and WPA3?

WPA3 is the newer, more secure Wi-Fi encryption standard. It provides better protection against brute-force attacks and improves security for open networks. If your router and devices support it, use WPA3. Otherwise, WPA2-AES is still secure.

How do I know if my router is end-of-life?

Check the manufacturer’s website for your router model. Look for the support page or a list of end-of-life products. If your model isn’t listed anymore or if the last firmware update was several years ago, it’s likely EOL.

Will a factory reset remove all malware?

A factory reset will remove most router compromises, including changed settings and unauthorized accounts. However, in rare cases, sophisticated malware can persist in the router’s firmware. If problems continue after a factory reset and firmware update, the router should be replaced.