Your router can be targeted by malware and malicious configuration changes, and the result is often bigger than a single infected laptop: the attacker may try to control where your traffic goes, what devices can connect, or which settings you can change.
If you’re troubleshooting general connectivity issues (not security), start with this internet connection troubleshooting guide first so you don’t chase “hacking” when it’s just signal or ISP problems.
Quick take (30 seconds)
- If your router settings changed and you didn’t change them, treat it as suspicious.
- Rebooting helps in some situations, but “secure recovery” usually means updating firmware, reviewing key settings, and sometimes factory resetting.
- Most real-world router compromises succeed because remote management is exposed, passwords are weak/reused, firmware is outdated, or risky convenience features are left on.
What “router malware” actually means
In practice, “router virus” usually falls into one (or more) of these buckets:
- Malware on the router itself (the router’s firmware/software is running something it shouldn’t).
- Malicious settings changes (DNS changed, remote admin turned on, port forwards added, unknown admin accounts created).
- A compromised device inside your home that uses the router’s features (like UPnP or port forwarding) to expose services to the internet.
For a documented example of router-targeting malware and what defenders recommended at the time, see the FBI public service announcement about VPNFilter.
And if you want a deeper technical explanation of what a modular router malware campaign looked like in the wild (at a high level), Cisco Talos published a practitioner-friendly write-up on how VPNFilter worked and why routers were targeted.
Signs your router may be compromised
None of these signs is “proof” on its own, but multiple signals together are a strong reason to act.
- You’re redirected to unexpected sites, or you see certificate warnings on websites that normally work.
- DNS settings changed (or you see unfamiliar DNS servers configured on the router).
- Remote administration is enabled and you didn’t enable it.
- New port forwarding rules or “DMZ” settings appear without your involvement.
- Your Wi‑Fi password suddenly stops working, or unknown devices appear in the connected-device list.
- Frequent drops or instability that don’t match your usual ISP pattern (especially if paired with other red flags above).
Beginner note: “Slow internet” alone is not a reliable hack indicator; it overlaps with congestion, Wi‑Fi interference, and ISP issues.
Step-by-step: contain, clean, recover
Step 1: Contain the situation
- If you can, disconnect suspicious devices from Wi‑Fi (or power them down) so you reduce ongoing risk while you investigate and clean up.
- Use a single known-good device (ideally your phone on cellular, or a trusted laptop) for account changes and router work.
Step 2: Log in and do a “settings integrity check”
Focus on the settings that attackers most often abuse:
- Admin access: Confirm the only admin accounts are ones you created; change the admin password to a unique, long passphrase.
- Remote management: Turn it off unless you truly need it.
- DNS servers: Confirm they’re what you intended (ISP defaults or your chosen trusted provider).
- Port forwarding / DMZ: Remove rules you don’t recognize.
- Wi‑Fi security: Prefer WPA3-Personal if all your devices support it; otherwise use WPA2 (AES).
For a vendor-neutral baseline of home-router hardening steps (including remote admin and UPnP guidance), follow the official checklist in NSA’s Best Practices for Securing Your Home Network.
Step 3: Update firmware (this matters more than most “scanner” advice)
Firmware updates patch known vulnerabilities. If your router supports automatic updates, enable them; if not, set a recurring reminder to check.
Step 4: Decide whether to factory reset
Factory reset is often the cleanest recovery option when you see suspicious settings changes you can’t confidently explain.
Use factory reset when: you find unknown admin users, persistent DNS changes you can’t undo, mystery port forwards, or you can’t trust the current configuration.
Don’t rely on reset alone when: the device is end-of-life and no longer gets updates; in that case, replacement is often the more secure “fix.”
Step 5: Re-secure after reset (most people skip this)
- Change the router admin password (not just the Wi‑Fi password).
- Rename the Wi‑Fi network if it reveals router brand/model, and set a strong Wi‑Fi passphrase.
- Disable remote administration unless you have a specific need.
- Decide on UPnP: disable it if you don’t need it; if you do need it for gaming or device discovery, limit risk by updating devices and segmenting less-trusted devices.
For a balanced, non-alarmist view of UPnP mitigations (including segmentation ideas), see the Canadian Centre for Cyber Security’s UPnP guidance.
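The settings check in Step 2, the reset decision in Step 4 and the re-hardening in Step 5 can be turned into one repeatable audit. The script below is an example added to this article, not code from any router vendor: in place of a real (vendor-specific) backup file it uses a constructed dict, so field names such as `remote_admin`, `port_forwards` and `dmz_host` are assumptions, as is the `EXPECTED` baseline, which you fill in with what you actually intended. It flags each of the abuses listed above and recommends a factory reset on the same triggers Step 4 gives (unknown admin users, untrusted DNS, mystery forwards or DMZ).

```python
"""Audit an exported home-router configuration for the settings attackers
most often tamper with. Example added to this article; not a vendor tool.
The config dict is a constructed, simplified stand-in for a real backup file."""
from collections import namedtuple

Finding = namedtuple("Finding", "severity code detail")

ROUTER_CONFIG = {  # constructed sample: what a tampered router might look like
    "firmware": "2.1.4",
    "admin_users": ["admin", "support_tmp"],
    "remote_admin": {"enabled": True, "port": 8443},
    "dns": ["9.9.9.9", "198.51.100.23"],
    "port_forwards": [
        {"ext_port": 443, "proto": "TCP", "host": "192.168.1.10", "int_port": 443, "desc": "nas"},
        {"ext_port": 3389, "proto": "TCP", "host": "192.168.1.77", "int_port": 3389, "desc": ""},
    ],
    "dmz_host": "192.168.1.77",
    "upnp": True,
    "wifi": {"ssid": "NETGEAR-R7000", "security": "WPA2-TKIP"},
}

EXPECTED = {  # what the owner intended (assumed values for this example)
    "latest_firmware": "2.1.6",
    "admin_users": {"admin"},
    "dns_allowlist": {"9.9.9.9", "149.112.112.112"},
    "forward_allowlist": {(443, "TCP", "192.168.1.10")},
    "vendor_words": ("netgear", "tp-link", "asus", "linksys"),
}

# Higher is stronger; anything below WPA2-AES is flagged.
WIFI_RANK = {"WPA3-SAE": 3, "WPA2-AES": 2, "WPA2-TKIP": 1, "WPA-TKIP": 1, "WEP": 0, "OPEN": 0}

# Findings that match the article's "use factory reset when" list.
RESET_TRIGGERS = {"unknown_admin", "dns_untrusted", "unknown_forward", "dmz_set"}


def parse_version(v):
    """'2.1.4' -> (2, 1, 4) so versions compare numerically, not as strings."""
    return tuple(int(p) for p in v.split("."))


def audit(config, expected):
    """Return a list of Findings for every setting that deviates from the baseline."""
    findings = []
    # Admin access: any account the owner did not create is a red flag.
    for user in sorted(set(config["admin_users"]) - expected["admin_users"]):
        findings.append(Finding("high", "unknown_admin", user))
    # Remote management: an exposed admin interface is the most common way in.
    if config["remote_admin"]["enabled"]:
        findings.append(Finding("high", "remote_admin_on", str(config["remote_admin"]["port"])))
    # DNS: a resolver you did not choose means someone else decides where you go.
    for server in config["dns"]:
        if server not in expected["dns_allowlist"]:
            findings.append(Finding("high", "dns_untrusted", server))
    # Port forwards and DMZ: every rule must be one you recognise.
    for rule in config["port_forwards"]:
        if (rule["ext_port"], rule["proto"].upper(), rule["host"]) not in expected["forward_allowlist"]:
            findings.append(Finding("high", "unknown_forward",
                                    f"{rule['proto']}/{rule['ext_port']} -> {rule['host']}:{rule['int_port']}"))
    if config.get("dmz_host"):
        findings.append(Finding("high", "dmz_set", config["dmz_host"]))
    # UPnP: lets any LAN device open ports without asking you.
    if config["upnp"]:
        findings.append(Finding("medium", "upnp_on", "any LAN device can open ports"))
    # Wi-Fi: mode weaker than WPA2-AES, and an SSID that advertises the hardware.
    mode = config["wifi"]["security"].upper()
    if WIFI_RANK.get(mode, 0) < WIFI_RANK["WPA2-AES"]:
        findings.append(Finding("medium", "weak_wifi", mode))
    if any(w in config["wifi"]["ssid"].lower() for w in expected["vendor_words"]):
        findings.append(Finding("low", "ssid_reveals_vendor", config["wifi"]["ssid"]))
    # Firmware: behind the latest release means known, patched bugs are still present.
    if parse_version(config["firmware"]) < parse_version(expected["latest_firmware"]):
        findings.append(Finding("medium", "firmware_outdated",
                                f"{config['firmware']} < {expected['latest_firmware']}"))
    return findings


def recommend_reset(findings):
    """True when any finding is one the article says should trigger a factory reset."""
    return any(f.code in RESET_TRIGGERS for f in findings)


if __name__ == "__main__":
    results = audit(ROUTER_CONFIG, EXPECTED)
    for f in results:
        print(f"[{f.severity:6}] {f.code:20} {f.detail}")
    print("factory reset recommended:", recommend_reset(results))
```

Run it against a config that only has remote administration switched on and `recommend_reset` stays False: that is a hardening gap, not evidence of tampering, which is the distinction Step 4 draws.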
Hardening checklist (keep this as your “default state”)
- Use WPA3 when available: The Wi‑Fi Alliance’s overview of modern Wi‑Fi security options (including WPA3) is a good baseline for non-specialists.
- Separate guests and IoT: Use a guest network for visitors, and (if your router supports it) isolate smart home devices; see IoT device security basics for home networks.
- Turn off what you don’t use: Remote administration, unnecessary port forwards, and optional features that widen the attack surface.
- Replace end-of-life gear: If your router no longer receives security updates, plan a replacement.
- Reboot on a schedule: A periodic reboot can help disrupt certain non-persistent threats and keeps many home networks stable.
Advanced note (for readers who want the technical reference): Android’s platform documentation summarizes WPA3 and Enhanced Open at a high level, which is useful when you’re checking device compatibility.
Decision tree: what should you do next?
| If you observe… | Do this first | Then |
|---|---|---|
| Only “slow internet,” no settings changes | Run standard connectivity troubleshooting | If issues persist, check firmware updates and Wi‑Fi security settings |
| DNS changed / redirects / new port forwards | Disconnect suspicious devices; log into router and document changes | Update firmware; factory reset if you can’t fully explain and reverse changes |
| Admin lockout or unknown admin accounts | Factory reset | Re-secure (admin password, WPA3/WPA2-AES, disable remote admin, review UPnP) |
| Router is end-of-life (no updates) | Minimize exposure (disable remote admin, tighten Wi‑Fi security) | Replace router; rebuild with hardened defaults |
Troubleshooting after cleanup
- Websites still redirect: Re-check router DNS, then flush DNS/cache on your devices, then re-test from a different device/network.
- Smart devices stopped working: If you disabled UPnP or changed networks, re-pair devices on the new SSID or move them to a dedicated network.
- Gaming/NAT issues appeared: If you turned off UPnP, you may need manual port forwarding for specific games (only for the device that needs it), and you should review those rules periodically.
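Whether UPnP is on, and what it has already opened on your behalf (the situation described under "What router malware actually means", the UPnP decision in Step 5, and the gaming/NAT note above), is easier to see from a device on the LAN than from most router menus. The script below is an example added to this article, not a vendor or project tool. It uses the standard UPnP IGD mechanism: SSDP discovery of an InternetGatewayDevice, then the WANIPConnection:1 `GetGenericPortMappingEntry` action with index 0, 1, 2, ... until the router answers with SOAP error 713, which marks the end of the mapping table. The `RISKY_PORTS` set, the `known_hosts` allowlist and the two constructed sample responses are assumptions for this example.

```python
"""List the port mappings a UPnP gateway has opened. Example added to this
article (not vendor code); uses standard UPnP IGD discovery and SOAP calls."""
import socket
import urllib.error
import urllib.request
import xml.etree.ElementTree as ET
from urllib.parse import urljoin

SSDP_ADDR = ("239.255.255.250", 1900)
IGD_ST = "urn:schemas-upnp-org:device:InternetGatewayDevice:1"
WANIP_NS = "urn:schemas-upnp-org:service:WANIPConnection:1"
ACTION = "GetGenericPortMappingEntry"
# Assumption for this example: ports whose exposure is rarely intentional at home.
RISKY_PORTS = {21, 22, 23, 445, 3389, 5900}


def local(tag):
    """Strip the XML namespace so element names match regardless of prefix."""
    return tag.rsplit("}", 1)[-1]


def build_soap(index):
    """SOAP envelope and headers for GetGenericPortMappingEntry(NewPortMappingIndex)."""
    body = ('<?xml version="1.0"?><s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" '
            's:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"><s:Body>'
            f'<u:{ACTION} xmlns:u="{WANIP_NS}"><NewPortMappingIndex>{index}</NewPortMappingIndex>'
            f'</u:{ACTION}></s:Body></s:Envelope>')
    headers = {"Content-Type": 'text/xml; charset="utf-8"', "SOAPAction": f'"{WANIP_NS}#{ACTION}"'}
    return body.encode(), headers


def parse_mapping(xml_text):
    """One mapping as a dict (keys without the 'New' prefix); None for a SOAP fault."""
    fields = {}
    for el in ET.fromstring(xml_text).iter():
        name = local(el.tag)
        if name == "Fault":  # error 713 here means we walked past the last entry
            return None
        if name.startswith("New"):
            fields[name[3:]] = (el.text or "").strip()
    return fields


def assess(mapping, known_hosts=()):
    """Reasons a mapping deserves a second look; an empty list means nothing stood out."""
    reasons = []
    port = mapping.get("ExternalPort", "")
    if port.isdigit() and int(port) in RISKY_PORTS:
        reasons.append(f"external port {port} is a remote-access or file-sharing port")
    if known_hosts and mapping.get("InternalClient") not in known_hosts:
        reasons.append(f"internal host {mapping.get('InternalClient')} is not a device you listed")
    return reasons


def discover_igd(timeout=2.0):
    """SSDP M-SEARCH for an Internet Gateway Device; returns its description URL or None."""
    msg = ("M-SEARCH * HTTP/1.1\r\nHOST: 239.255.255.250:1900\r\nMAN: \"ssdp:discover\"\r\n"
           f"MX: 2\r\nST: {IGD_ST}\r\n\r\n").encode()
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(msg, SSDP_ADDR)
        try:
            data, _ = s.recvfrom(4096)
        except socket.timeout:
            return None
    for line in data.decode(errors="replace").split("\r\n"):
        if line.lower().startswith("location:"):
            return line.split(":", 1)[1].strip()
    return None


def find_control_url(desc_url):
    """Read the device description and return the WANIPConnection control URL."""
    with urllib.request.urlopen(desc_url, timeout=5) as resp:
        root = ET.fromstring(resp.read())
    for svc in root.iter():
        if local(svc.tag) == "service":
            kids = {local(c.tag): (c.text or "").strip() for c in svc}
            if kids.get("serviceType") == WANIP_NS:
                return urljoin(desc_url, kids["controlURL"])
    return None


def list_mappings(control_url, limit=128):
    """Walk the mapping table until the router returns a fault (end of table)."""
    mappings = []
    for index in range(limit):
        body, headers = build_soap(index)
        req = urllib.request.Request(control_url, data=body, headers=headers)
        try:
            with urllib.request.urlopen(req, timeout=5) as resp:
                mapping = parse_mapping(resp.read())
        except urllib.error.HTTPError as err:  # faults arrive as HTTP 500 with a SOAP body
            mapping = parse_mapping(err.read())
        if mapping is None:
            break
        mappings.append(mapping)
    return mappings


# Constructed sample responses so the parser can be exercised without a router.
SAMPLE_MAPPING = ('<?xml version="1.0"?><s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/">'
                  f'<s:Body><u:{ACTION}Response xmlns:u="{WANIP_NS}"><NewRemoteHost></NewRemoteHost>'
                  '<NewExternalPort>3389</NewExternalPort><NewProtocol>TCP</NewProtocol>'
                  '<NewInternalPort>3389</NewInternalPort><NewInternalClient>192.168.1.77</NewInternalClient>'
                  '<NewEnabled>1</NewEnabled><NewPortMappingDescription>rdp</NewPortMappingDescription>'
                  f'<NewLeaseDuration>0</NewLeaseDuration></u:{ACTION}Response></s:Body></s:Envelope>')
SAMPLE_FAULT = ('<?xml version="1.0"?><s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/">'
                '<s:Body><s:Fault><faultcode>s:Client</faultcode><faultstring>UPnPError</faultstring>'
                '<detail><UPnPError xmlns="urn:schemas-upnp-org:control-1-0"><errorCode>713</errorCode>'
                '</UPnPError></detail></s:Fault></s:Body></s:Envelope>')

if __name__ == "__main__":
    desc = discover_igd()
    ctrl = find_control_url(desc) if desc else None
    if not ctrl:
        print("no UPnP gateway answered; UPnP is off, or blocked on this network")
    for m in list_mappings(ctrl) if ctrl else []:
        flags = assess(m)
        print(f"{m.get('Protocol')}/{m.get('ExternalPort')} -> {m.get('InternalClient')}:"
              f"{m.get('InternalPort')} ({m.get('PortMappingDescription')})"
              f"{'  SUSPICIOUS: ' + '; '.join(flags) if flags else ''}")
```

Run it from a laptop on the Wi‑Fi before and after you change the UPnP setting: a router with UPnP disabled should not answer the discovery at all, and a mapping to a device you do not recognise (or to a remote-desktop or file-sharing port) is exactly the "compromised device inside your home" case described earlier.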
FAQ
Can a router “get a virus” the same way a PC does?
Not exactly, but routers can be compromised through vulnerabilities, exposed management, weak passwords, or risky configuration features.
Is rebooting my router enough?
Sometimes it helps, but a secure recovery usually means firmware updates, a settings review, and (when in doubt) a factory reset followed by re-hardening.
What passwords should I change first?
Start with the router’s admin password (the one that controls settings), then change your Wi‑Fi passphrase, then update any important website/app passwords if you suspect credential exposure; keep your broader account hygiene current with practical online safety habits.
Should I disable remote management?
Yes, unless you have a specific need and know how to lock it down; if you’re unsure, don’t expose router administration to the internet.
Should I disable UPnP?
If you don’t need it, disabling reduces risk; if you do need it, segment less-trusted devices and keep firmware and devices updated.
Do I need antivirus for my router?
Antivirus is useful on computers and phones, but router compromise is usually found by checking router settings, firmware status, and connected devices (and resetting when trust is lost).
When should I replace my router?
If it no longer receives security updates, if it can’t run modern Wi‑Fi security settings, or if you can’t restore trust after a suspected compromise, replacement is reasonable.
What else should I secure on my network?
Smart home devices and older computers are common weak links; this internal explainer can help readers reduce risk across the whole home: how firmware vulnerabilities affect everyday devices.
Related reading: if you’re using any kind of remote access tool (for work or home support), understand the trade-offs in this internal guide on remote access and why it must be locked down.