I Audited My TP-Link Router With Claude: Here's What I Found
8 minutes with Claude and Chrome DevTools MCP, every admin-panel setting walked, four things worth changing.
Most people set up their router once, click through the wizard, and never look at the admin panel again. Same router, same defaults, for years.
I had Claude open my TP-Link router's admin page over Chrome DevTools MCP and walk every single security setting. Took about 8 minutes. Found four things worth changing.
What was already solid
Before getting to the gaps, credit where it's due: the defaults on this router are actually decent.
- Firmware was current and auto-update was on
- Remote management was off (no internet-exposed admin panel)
- WAN ping response was off (router invisible to internet scanners)
- TP-Link Cloud account was unbound (no cloud remote-control attack surface)
- CWMP/TR-069 was off (historically a massive attack vector)
- DMZ off, no port forwarding rules, no VPN servers running
- Wi-Fi password was 24 characters of mixed garbage
If you bought a TP-Link in the last few years, you're probably starting from a similar place.
The four gaps worth fixing
1. Local Management was HTTP only
The admin login was sending my password in cleartext over the LAN. Any compromised device on my network, a smart bulb, a guest's phone, an old laptop, could sniff the admin password on the next login.
Fix: System > Administration > toggle "Local Management via HTTPS" on. After that, log in via https://192.168.0.1. Your browser will complain about a self-signed cert. Accept it once.
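One way to confirm the toggle took effect and to make "accept it once" safer, as an added example that is not from the original audit: it checks how the router answers plain HTTP and records the self-signed certificate's SHA-256 fingerprint so a later change stands out. The admin ports (80/443) and the pin file name `router_admin.pin` are assumptions; the address is the one used above.

```python
import hashlib, http.client, pathlib, socket, ssl

ROUTER = "192.168.0.1"                       # address used in the post
PIN_FILE = pathlib.Path("router_admin.pin")  # hypothetical local pin store

def cert_fingerprint(der):
    """SHA-256 of a DER certificate as colon-separated upper-case hex."""
    h = hashlib.sha256(der).hexdigest().upper()
    return ":".join(h[i:i + 2] for i in range(0, len(h), 2))

def classify_http(status, location):
    """Judge the router's reply to a cleartext GET / on port 80."""
    if status in (301, 302, 303, 307, 308) and (location or "").lower().startswith("https://"):
        return "redirects-to-https"
    return "answers-over-http"   # admin UI may still be reachable in cleartext

def pin_verdict(observed, pinned):
    """Trust on first use: compare the observed fingerprint to the stored one."""
    if not pinned:
        return "first-use"
    return "match" if observed.strip().upper() == pinned.strip().upper() else "changed"

def probe_http(host, timeout=3):
    conn = http.client.HTTPConnection(host, 80, timeout=timeout)
    try:
        conn.request("GET", "/")
        resp = conn.getresponse()
        return classify_http(resp.status, resp.getheader("Location"))
    except (OSError, http.client.HTTPException):
        return "no-http-response"  # port 80 (assumed admin port) closed or not speaking HTTP
    finally:
        conn.close()

def fetch_fingerprint(host, timeout=3):
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE  # self-signed cert: pinned below, not chain-validated
    with socket.create_connection((host, 443), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return cert_fingerprint(tls.getpeercert(binary_form=True))

if __name__ == "__main__":
    print("HTTP :", probe_http(ROUTER))
    seen = fetch_fingerprint(ROUTER)
    pinned = PIN_FILE.read_text() if PIN_FILE.exists() else None
    verdict = pin_verdict(seen, pinned)
    print("HTTPS:", seen, verdict)
    if verdict == "first-use":
        PIN_FILE.write_text(seen)    # first run stores the pin; later runs compare
```

Run it once from a wired or otherwise trusted connection right after enabling HTTPS; a later "changed" verdict without a firmware update or factory reset is worth investigating before typing the admin password.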
2. Wi-Fi was WPA2 only, not WPA2/WPA3
WPA2 is fine. WPA3 is better, though: it adds protection against offline dictionary attacks on your password. Mixed mode keeps WPA2 fallback so older devices still connect, though anything that connects over WPA2 doesn't get that protection.
Fix: Wireless > Wireless Settings > change Security to WPA2/WPA3-Personal. If something old stops connecting (a Ring doorbell from 2018, an old printer), flip back.
3. WPS was on
WPS lets you pair devices by PIN or button press. The PIN method has known brute-force weaknesses. I don't use it. Most people don't.
Fix: Wireless > WPS > disable.
4. SIP ALG was on
Not a security issue, but worth knowing: TP-Link's SIP ALG is famous for mangling VoIP traffic. If you've ever had a Zoom Phone or OpenPhone call drop or sound weird, this is often why.
Fix: Security > ALG > SIP ALG off.
What I left alone
A few things looked like findings but weren't worth changing:
- UPnP was on with two active port mappings. Both were Tailscale punching NAT. Disabling UPnP would force Tailscale to relay through DERP servers, which is slower for no real benefit since I trust the devices on my network.
- Local Managers set to "All Devices." Could restrict admin to specific IPs, but that breaks the moment a device gets a new DHCP lease.
- Hidden SSID, MAC filtering, changing the LAN subnet. All security theater. Trivially bypassable, real maintenance cost.
The order to do it in
If you do nothing else, do these in this order:
- Local Management via HTTPS: biggest win, 2 minutes
- WPA2/WPA3 mixed: 2 minutes, no re-pairing
- Disable WPS: 30 seconds
- Disable SIP ALG (only if you use VoIP): 30 seconds
Total: under 5 minutes for a meaningful tightening without breaking anything.
The meta-lesson
The setting that mattered most, HTTPS for local admin, was off by default. Everything else that counted in the router's favor was either a risky feature that ships off (cloud account, remote management) or a protective one that ships on (firewall, auto-update). The router vendor isn't on your side or against you. They're optimizing for "works out of the box for Grandma." That means you have one job: 5 minutes, once, after install.
I had Claude do the audit because routers have 30+ pages of settings and I'd never click through all of them manually. The MCP browser bridge turned it into a conversation. If you want to try it yourself, the prompt is basically: "Open my router admin and walk every security-relevant setting. Tell me what to tighten without breaking usability."