Xiaomi routers are among the most popular home networking devices due to their combination of affordable prices, stable operation and extensive customization options, but factory security options often leave much to be desired: Standard passwords like admin or 12345678, protocol enabled WPS, weak-encryption WPA2-PSK (AES) As a result, your network becomes vulnerable to hacking, connecting neighbors or even DDoS attacks.
In this article, we will analyze how to completely reconfigure the protection of the Xiaomi router - from the basic password change to advanced settings like filtering through the Internet. MAC-Addresses, deactivating vulnerable protocols and protecting against external attacks. 4A/4C/4Q, AX1800/AX3000/AX3600/AX6000, and also for firmware based on MiWiFi ROM We will focus on the typical mistakes that users make when setting up security, and explain why some βtipsβ from the Internet can only worsen the protection.
1. Preparation for changing security settings
Before you start setting up, make sure you have:
- π‘ Physical access to the router (if you need to reset via the Reset button).
- π Stable power β do not change settings during a thunderstorm or unstable stress.
- π± Device for connecting (PC, smartphone or tablet) with a browser (Chrome, Firefox, Edge).
- π Current login data to the administrator panel (logins / passwords from the sticker on the router).
If you forget the password from the control panel, you'll have to do a hardware reset.
- Press and hold the Reset button (usually located on the back) for 10-15 seconds.
- Wait until the indicators on the router blink and light up in standard mode.
- Connect to the network. Xiaomi_XXXX (without password) and enter the panel at the address 192.168.31.1 or miwifi.com.
β οΈ Warning: Reset will return the router to factory settings, including the network name (SSID) All the connected devices will have to reconnect.
2. Change of the standard administrator password
The first thing you need to do is change the username and password to log into the control panel. By default, many Xiaomi models use:
- Login: admin
- Password: admin or blank.
To change them:
- Open your browser and type in 192.168.31.1 or miwifi.com.
- Enter current data (from the sticker on the router, if not changed).
- Go to the System Settings section β Device management (or Advanced) β System β Password in English-language firmware).
- Create a complex password (at least 12 characters, with numbers, capital letters and special characters: MiR0ut3r!2026#Sec.
- Save the changes and restart the router.
β οΈ Note: Do not use passwords associated with your name, date of birth or network name (SSID). Attackers can pick them up by brute force.
π‘
If the router supports two-factor authentication (2FA), Turn it on in your Xiaomi account settings. SMS-code at each entrance to the control panel.
3. Set up Wi-Fi network security
The most critical part is protecting the Wi-Fi network itself. By default, Xiaomi routers often use outdated settings that are easy to crack.
Type of encryption
Go to the Wi-Fi settings β Security and choose:
- π WPA3-Personal (The best option is if all your devices support).
- π WPA2/WPA3 Transition Mode (if there are old gadgets that do not support the WPA3).
- β Don't use it. WPA, WEP Open Network β They are hacked in minutes.
Wi-Fi password
Password requirements:
- π Length: 12-20 characters.
- π’ Composition: capital and lowercase letters, numbers, special symbols (!@#$%).
- β Exclude: names, dates, words from the dictionary, network name (SSID).
Example of a strong password: K1tch3n-W1F1!2026#X.
Hiding the network (SSID)
Enable the Hide option SSID (Hide SSID) It doesn't make the network invisible to the hackers, but it reduces the number of random connections. SSID manually.
Installed WPA3 or WPA2/WPA3 Transition Mode|
Wi-Fi Password Long β₯12 characters|
Unplugged. WPS|
Hidden. SSID (optionally)|
Administrator password changed-->
4. Disconnecting Vulnerable Functions
Many Xiaomi routers by default include features that make it easier to connect but reduce security.
4.1. WPS (Wi-Fi Protected Setup)
Protocol WPS It allows you to connect to the network without entering a password, by pressing a button on the router. PIN-It only takes a few hours for the brute force code to go. WPS Wi-Fi section β WPS or advancedd β Wi-Fi β WPS Settings.
Remote control
Remote Management allows you to control your router over the Internet, which is convenient but dangerous: if your administrator password is weak, hackers can gain full control. β Remote control.
4.3. UPnP (Universal Plug and Play)
UPnP automatically opens ports for devices on the network (such as games or torrent clients), which creates a risk of unauthorized access. β NAT β UPnP if you donβt use functions like DLNA or online gaming.
| Function | Risk | Recommendation |
|---|---|---|
| WPS | Selection PIN-code in 4-10 hours | Turn it off completely. |
| Remote control | Hacking the administrator password | Turn it off if you don't have to. |
| UPnP | Automatic port opening | Disable or restrict |
| Guest network | Access to the local network | Set up device isolation |
Filtration by MAC-address
Filtration by MAC-Addresses allow only certain devices to connect. This is not a panacea (attackers can substitute for the device). MAC), but adds an extra layer of protection.
How to set up:
- Find it. MAC-Addresses of your devices: On Android: Settings β The phone. β General information β MAC-Wi-Fi address. On iOS: Settings β Wi-Fi β β On Windows: run the ipconfig command. /all into CMD.
Wi-Fi β Filtration MAC
Advanced β Wireless β MAC Filter
Allow only those who are
Allow
MAC
Save the settings and restart the router.
β οΈ Note: If you connect a new device (such as a guestβs smartphone), it will be MAC You'll have to add it manually. For temporary guests, it's better to use the guest network.
How to bypass filtration MAC?
6. Guest network setup
The guest network allows you to provide access to the Internet without risk to the main network.
- Go to Wi-Fi. β Guest network.
- Enable the guest network and set a separate name (SSID), for example Guest_Xiaomi.
- Set a separate password (not the same as the main network!).
- Enable the option to Isolate guest devices (AP Isolation, so that guests donβt see your devices on the local network.
- Limit speed (optional) to Capacity Control.
7. Protection against DDoS and external attacks
Xiaomi routers are often targeted for DDoS attacks or port scanning, to minimize the risks of:
7.1. Firewall settings (Firewall)
Enable the built-in Firewall:
- Go to Advanced. β Security β Firewall.
- Turn it on. SPI Firewall (Stateful Packet Inspection).
- Activate DDoS protection if you have this option.
- Disable Ping from the external network (Ignore Ping from option) WAN).
Update to firmware
Outdated versions of firmware contain critical vulnerabilities that are actively exploited by hackers. 2023 A vulnerability was discovered in Xiaomi routers (CVE-2023-23456), It allows you to run code remotely. Update your firmware regularly:
- Go to System Settings β Firmware update.
- Click Check for updates.
- If a new version is available, install it.
β οΈ Warning: Do not interrupt the upgrade process! If the router shuts down during firmware, it may turn into a "brick" (restore via a computer). TFTP).
8 Additional security measures
For maximum protection, we also recommend:
- π Change your passwords regularly (every 3-6 months).
- π‘ Turn off Wi-Fi overnight (if not needed) via Advanced schedule β Schedule.
- π‘οΈ Use it. VPN on the router (if the model supports, for example) AX6000).
- π Monitor Connected Devices in Advanced β DHCP β Client List.
If your router supports OpenWRT or Padavan, consider installing custom firmware, which gives you more options for setting up security, such as:
- Blocking ads through AdBlock.
- Setup VLAN isolation.
- Installation Fail2Ban to block suspicious connections.
π‘
Even with maximum security settings, the router is not 100% secure. Always keep an eye on connected devices and update your firmware!