WPS – What It Is and Why to Disable It
WPS was designed to make connecting devices easier. It succeeded at that goal but introduced a serious security vulnerability. The button press method is mostly harmless; the PIN method is not.
What Is WPS?
WPS (Wi-Fi Protected Setup) is a feature that lets devices connect to a Wi-Fi network without entering a password. It works in two ways: a button press (press the WPS button on the router within 2 minutes of pressing it on the device) or an 8-digit PIN entered into the device.
The button-press method is convenient and relatively safe as it requires physical access to the router. The PIN method, however, has a well-documented vulnerability.
The WPS PIN Vulnerability
The 8-digit WPS PIN is not checked all at once — the router validates the first 4 digits separately from the last 4. This reduces the number of combinations needed from 100 million to just 11,000. An attacker within wireless range can try all 11,000 combinations in a few hours using freely available tools and crack the PIN to gain full access to your Wi-Fi network — regardless of how strong your Wi-Fi password is.
Many routers have WPS PIN enabled by default. Some only implement the push-button method, which is much safer. But the safest approach is to disable WPS entirely in the router wireless settings.
How to Disable WPS
Log in to your router admin panel at http://192.168.1.1. Find WPS settings in the Wireless section — it may be labeled Wi-Fi Protected Setup, WPS Settings, or just WPS. Set it to Disabled and save. The WPS button on the router becomes inactive. Devices will connect normally by entering the Wi-Fi password.
Disabling WPS does not affect your existing connected devices. It only prevents new connections via WPS. All devices that joined via WPS will stay connected normally until they reconnect.