I need to upgrade my home WiFi router. While I have a couple performance things in mind, my question for this group is about what security features I should look for. Also, what tips are there for setting up accounts? What else am I forgetting to consider or completely unaware of? Thanks!
Thank you for the question! This is a big topic.
First, let me just point out something that I think is useful to know. You can purchase the “wifi” part separately from the “router” - it’s called a wireless access point. That’s what I have at my house. The primary advantage to separation is that you can repair/replace/upgrade the parts independently. Or have multiple wifi points to cover more area (as I do), but a single router. I’m not suggesting you do this, it’s just useful to understand as you shop and explore device options.
Given that you are in the market for a new device, let’s start with the purchase. Once that decision has been made, we can talk about how to lock it down as much as possible, because it will depend on the specific router quite a bit.
Most routers targeted at consumers are not what I would consider great security. But it’s what most people have because of price. As of today, the cheapest option for a router that I can enthusiastically support in terms of its security is the Peplink B-One for $299 (there’s a coupon at Amazon right now for $50 off, so it’s actually $249). Peplink is the brand of router that I have used for about 15 years I think.
For a consumer router option, it’s a tough call, but I’d probably suggest ASUS, something like this for $100.
Or if you need cheaper, you could go TP-Link. Although if you want to go that low, I’d be happy to send you a TP-Link router that was given to me recently by someone who upgraded their router. I’d give it to you for shipping cost.
Let me know what you think.
Okay, that is helpful. Certainly a cheaper price is always nice, but I’d definitely like to get some security features if the price difference isn’t crazy. All three options seem to satisfy the 1Gb connection I’m looking for. Can you summarize the security features? Also, is there any security gained by having separate devices for the WAP and router? BTW, a secondary goal is to not need my current Wi-Fi extender to get to the garage. I assume that means mesh or just something more powerful than what I have now.
There is no security advantage of having your WAP (wireless access point) separate from your router. Why do you want to get rid of your wifi extender? If you need it now, you will likely continue to need two devices to have strong wifi coverage. A mesh isn’t quite the same as what you have in your extender, but it still means multiple devices.
As far as the security features go, here are the big ones. Specifically the ones that are most relevant to consider at the time of purchase. This ended up as a huge post, and I may have more to add later, so don’t necessarily consider this exhaustive.
1 - Bugs. One of the most common ways hackers get into any device is through bugs. The ideal then is to have few bugs, and have them fixed quickly and to get those fixes onto consumer devices promptly. Some brands have a great record - Peplink is one.
As an additional note here, I would love for the router to automatically update its firmware, like our phones do these days, and I know some effort is being done towards this end, but I have never personally owned a router that did this. Even my Peplink I have to manually update for now. I mention this because if you are trying to have good security, you need to keep your router firmware updated, and it will likely have to be done manually.
2 - Do you need a cloud based (meaning, not on the router itself) account to use it? The answer I want is no. Sadly, the answer to this is all too often a yes these days, especially with mesh based systems. I don’t think any of the three routers I linked do, but this is definitely an item I would always double check before making a purchase.
3 - Remote administration of the router. Meaning, you don’t have to physically be connected to the network to make changes to the router settings. You do not want this. This is one of the worst security ideas ever. Some routers have this enabled by default. I think there may even be some where you can’t turn it off. If you need a special app to manage your router, this is a huge red flag - despite the fact that an app is generally lauded as a feature.
4 - Guest networks. A significant security increase can come from the use of isolated guest networks. You need to make sure they are actually isolated though. Meaning that the devices on one network can’t talk to the devices on the other, but they all can access the public internet. This is useful not only for actual guests, but for devices at your house that you want to access the internet, but don’t need access to your laptop or phone for example.
A more advanced form of guest networks is VLANs. Not something I would necessarily recommend or even mention to most people, but it’s something you could manage easily enough.
5 - DNS over HTTPS. You’d like to have a router that supports this. I’ll expound on this more later, when we get into actually configuring the router.
Those are the main security things I can think of to consider at purchase time. There are many settings to look at tweaking after the purchase, but I think most new routers support the rest of the big security features I can think of right now. There are so many router brands and so many settings and I certainly don’t keep current with all of them.
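One way to test the "actually isolated" requirement from point 4, as an added example that is not part of the original post: run this from a device joined to the guest network and point it at your own main-network devices. The addresses and ports in it are constructed samples, and the function names are this example's own; pick ports you know answer from inside the main network.

```python
import socket

# Verdicts for one probe, sent from a device joined to the GUEST network
# toward a device on the MAIN network.
LEAK = "LEAK"        # TCP handshake completed: the networks are not isolated
SUSPECT = "SUSPECT"  # a reset came back: the host, or the router rejecting, answered
BLOCKED = "BLOCKED"  # no answer or unreachable: consistent with isolation


def classify(error):
    """Map the outcome of a connect attempt (None = success) to a verdict."""
    if error is None:
        return LEAK
    if isinstance(error, ConnectionRefusedError):
        return SUSPECT
    return BLOCKED  # timeouts, "no route to host", "network unreachable"


def probe(host, port, timeout=2.0, connect=socket.create_connection):
    """Try one TCP connection and return its verdict."""
    try:
        conn = connect((host, port), timeout)
    except OSError as exc:  # timeouts and refusals are OSError subclasses
        return classify(exc)
    conn.close()
    return classify(None)


def audit(targets, **kwargs):
    """Probe every (host, port) pair; return per-target verdicts and an overall flag."""
    results = {t: probe(t[0], t[1], **kwargs) for t in targets}
    isolated = all(v == BLOCKED for v in results.values())
    return results, isolated


if __name__ == "__main__":
    # Constructed sample targets: replace with your own main-network devices
    # (laptop, NAS, printer) and the router's main-LAN admin address.
    main_lan = [("192.168.1.10", 445), ("192.168.1.20", 22), ("192.168.1.1", 443)]
    results, isolated = audit(main_lan)
    for (host, port), verdict in results.items():
        print(f"{host}:{port:<5} {verdict}")
    print("guest network isolated" if isolated else "guest network is NOT fully isolated")
```

A `BLOCKED` result only counts if the same target answers when probed from the main network; a device that is switched off or drops packets itself looks identical to an isolated one.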