Router Hacked? DNS Fixes

Polina Lisovskaya
Router hijacking can redirect DNS traffic before a victim notices.

A hacked router usually does not show a clear warning. Suspect the router when websites redirect to strange login pages, DNS servers change without your permission, unknown devices appear on Wi-Fi, the admin password stops working, or your ISP/security tool warns that your home IP is sending suspicious traffic. Start from a clean device, check the router settings, reset and patch the router if anything looks changed, then scan the computers and phones before reconnecting them.

Signs Your Router May Be Hacked

  • Banking, email, or cloud login pages redirect to unfamiliar domains, certificate warnings, or fake sign-in pages.
  • The router DNS or DHCP DNS servers are not the ones you or your ISP configured.
  • Remote management, port forwarding, UPnP, or a VPN/proxy feature is enabled when you did not enable it.
  • Unknown devices keep joining the network, even after you remove them.
  • The router admin password, Wi-Fi name, or Wi-Fi password changed unexpectedly.
  • Your public IP is blocked by websites, flagged for spam, or associated with proxy/botnet abuse.
  • Settings return after you fix them, which can mean an infected device, weak admin password, exposed router panel, or unsupported firmware.

What Attackers Usually Change

| Router area | Why it matters |
|---|---|
| DNS and DHCP DNS | Malicious DNS can send laptops and phones to attacker-controlled pages before you notice the real domain was intercepted. |
| Admin account | A reused, default, or leaked router password lets an attacker keep control even if the Wi-Fi password is strong. |
| Remote management | If the admin panel is reachable from the internet, router bugs and password attacks become much more dangerous. |
| Port forwarding and UPnP | Unexpected open ports may expose cameras, NAS devices, game servers, or a compromised PC to the internet. |
| Firmware | Old firmware and end-of-life routers may stay vulnerable even after you change passwords. |
| Connected devices | Compromised PCs, phones, smart TVs, or IoT devices can reintroduce bad DNS/proxy settings after a router reset. |

Check the Router in a Safe Order

  1. Use a clean device. If one Windows PC is acting strangely, log in to the router from another trusted device or a freshly updated phone, not from the suspicious PC.
  2. Open the router admin panel. Use the local gateway address shown by your device, such as 192.168.0.1 or 192.168.1.1. Do not follow links from pop-ups or emails.
  3. Check DNS first. Look at WAN, LAN, and DHCP DNS fields. If you see unfamiliar resolvers, attacker-looking IP addresses, or values you cannot explain, write them down before changing anything.
  4. Turn off risky access. Disable remote management from WAN, WPS, and UPnP unless you have a specific need and understand the exposure.
  5. Review port forwarding. Remove rules you did not create, especially rules exposing cameras, NAS, remote desktop, SSH, web admin panels, or random high ports.
  6. Update firmware. Install the latest vendor firmware. If the router no longer receives security updates, plan to replace it.
  7. Change credentials. Set a unique router admin password and a new Wi-Fi passphrase. Use WPA3 Personal when supported, or WPA2 Personal with AES. Avoid WEP and weak mixed legacy modes.
  8. Reconnect devices carefully. Add devices back in small groups and watch whether DNS, proxy, or port settings change again.

If the Router Was Already Changed

If DNS, remote admin, port forwarding, or admin credentials were changed without your permission, treat the router as compromised rather than merely misconfigured.

  1. Disconnect the router from the internet for a short maintenance window.
  2. Factory reset the router using the vendor instructions.
  3. Install current firmware before restoring normal use.
  4. Configure DNS, Wi-Fi security, admin password, and remote-management settings manually. Avoid restoring an old backup unless you are sure it was created before the compromise.
  5. Scan Windows computers before reconnecting them. Malware or a browser hijacker can change proxy, DNS, or router settings again.
  6. Change important account passwords from a clean network if you saw fake login pages, certificate warnings, or email/banking redirects.

For Windows cleanup, scan the machines that used the network with Gridinsoft Anti-Malware, then check whether DNS or proxy changes return. If redirects continue after the router reset, use the "DNS troubleshooting after malware" guide and compare the symptoms with "DNS spoofing vs DNS hijacking".
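The "Check DNS first" step and the re-check after a reset can be done from the client side as well. The following is an added example, not part of the original article: it parses `ipconfig /all` text and labels every DNS server the PC received. It assumes English-locale output; the sample text, the approved list and the function names are constructed for illustration.

```python
import ipaddress

# Constructed sample of Windows `ipconfig /all` output (not from a real host).
SAMPLE = """\
Wireless LAN adapter Wi-Fi:

   Default Gateway . . . . . . . . . : 192.168.1.1
   DNS Servers . . . . . . . . . . . : 192.168.1.1
                                       203.0.113.53
                                       1.1.1.1
"""

def parse_ipconfig(text):
    """Return {adapter: {field: [values]}}, keeping multi-line values."""
    adapters, current, field = {}, None, None
    for line in text.splitlines():
        if not line.strip():
            continue
        if not line[0].isspace():          # unindented line opens an adapter block
            current, field = adapters.setdefault(line.rstrip(": "), {}), None
        elif current is not None and " : " in line:   # "Key . . . : value"
            key, value = line.split(" : ", 1)
            field = current.setdefault(key.strip(" ."), [])
            if value.strip():
                field.append(value.strip())
        elif field is not None:            # indented bare value continues the field
            field.append(line.strip())
    return adapters

def to_ip(value):
    return ipaddress.ip_address(value.split("%")[0])   # drop IPv6 zone id

def audit_dns(adapters, approved):
    """Label each DNS server the client uses: router, approved or unexplained."""
    approved = {to_ip(a) for a in approved}
    findings = []
    for name, fields in adapters.items():
        gateways = {to_ip(g) for g in fields.get("Default Gateway", [])}
        for raw in fields.get("DNS Servers", []):
            ip = to_ip(raw)
            # "router": the router forwards DNS, so its WAN DNS must be read in the admin panel.
            verdict = ("router" if ip in gateways else
                       "approved" if ip in approved else "unexplained")
            findings.append((name, str(ip), verdict))
    return findings

if __name__ == "__main__":
    for finding in audit_dns(parse_ipconfig(SAMPLE), approved=["1.1.1.1"]):
        print(*finding, sep="  ")
```

Pass the resolvers you or your ISP configured as `approved`; anything labelled `unexplained` is a value to write down before changing the router.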

Why Router Hacking Still Matters in 2026

Router compromise is not only a local Wi-Fi problem. In 2026, the UK National Cyber Security Centre warned that APT28 exploited vulnerable routers to overwrite DHCP/DNS settings and redirect selected traffic through attacker-controlled DNS infrastructure, enabling credential theft attempts against web and email services [1]. The FBI also reported that AVrecon malware infected routers and IoT devices across about 163 countries, with access to compromised devices sold as residential proxies [2].

That is why modern router safety is broader than “use a strong Wi-Fi password.” A victim may have a perfectly strong Wi-Fi passphrase but still be exposed through old firmware, remote admin, a vulnerable router model, malicious DNS, UPnP rules, or a compromised smart device.

Prevention Checklist

  • Enable automatic firmware updates when your router supports them.
  • Use WPA3 Personal, or WPA2 Personal with AES if WPA3 is not available.
  • Disable WPS, remote management from the internet, and UPnP unless you truly need them.
  • Use a unique admin password that is different from the Wi-Fi password.
  • Put guests and risky smart devices on a guest or IoT network.
  • Review connected devices and port-forwarding rules monthly.
  • Replace routers that are out of support, especially if they are exposed to the internet or handle work accounts.

FAQ

Can a router be hacked if I use WPA2 or WPA3?

Yes. WPA2 or WPA3 protects the Wi-Fi link, but attackers can still target old firmware, default admin passwords, remote management, WPS, vulnerable services, or a compromised device already inside the network.

Does changing the Wi-Fi password fix a hacked router?

It helps only if the problem was unauthorized Wi-Fi access. If DNS, admin credentials, firmware, or port-forwarding rules were changed, reset and update the router, then reconfigure it manually.

Should I replace the router?

Replace it if the vendor no longer ships security updates, if settings keep returning after a factory reset, if the model is listed in a current advisory, or if the admin interface was exposed and you cannot confirm it is clean.

Can malware on my PC change router settings?

Yes. Malware can try default router passwords, abuse saved browser credentials, change local DNS/proxy settings, or push you toward a fake router login page. Scan the PC before trusting the network again.

References

  1. National Cyber Security Centre. “APT28 exploit routers to enable DNS hijacking operations.” NCSC, 7 April 2026. https://www.ncsc.gov.uk/news/apt28-exploit-routers-to-enable-dns-hijacking-operations
  2. Federal Bureau of Investigation. “AVrecon Malware-Infected Routers Exploited as Residential Proxies by SocksEscort.” FBI FLASH, 12 March 2026. https://www.fbi.gov/file-repository/cyber-alerts/avrecon-malware-infected-routers-exploited-as-residential-proxies-by-socksescort.pdf
  3. Federal Trade Commission. “How To Secure Your Home Wi-Fi Network.” FTC Consumer Advice, accessed 7 June 2026. https://consumer.ftc.gov/node/78375