By disabling remote console access, the WiFi router’s administration can only be done locally. Enabling HTTPS-only access further strengthens access control by mitigating man-in-the-middle attacks, as well as eavesdropping attacks.
If the Administration Console is remotely accessible, it can be compromised by hackers who can then take complete control of the router.
By specifying that the administrative console cannot be managed from the internet (or WAN) side of the WiFi router, the hackers will have to compromise the LAN side instead. This means they need to be locally present in order to hack the router, rather than half a world away in another country. However, this feature can be re-enabled by the hackers through a combination of attack strategies, as the CIA’s Cherry Blossom program demonstrated.
For most home and small/home office situations, there is really no reason to allow remote administrative access to the WiFi router. All administration of the WiFi router should be done locally.
If you really, really, really have to allow remote administrative console access, then a couple of additional security precautions can be taken, including:
- Set the Remote Admin Port to something other than the default for the WiFi router.
- Use HTTPS to ensure that you are actually talking to your router, and not being redirected to a fake site to steal your password.
- If the WiFi router allows it, then limit remote administration to a specific IP address via the Inbound Filtering function.
While these precautions can be overcome by a good hacker, they will definitely make it harder for them. If you are vigilant, you may even be able to spot their attempts. Either way, it's a great idea to change some of the settings like the administrative password and the administration port periodically.
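One way to confirm the settings above took effect is to probe your own router's WAN address from outside the LAN (for example, from a phone hotspot). The script below is an added example, not part of the original article; the host `203.0.113.10` is a documentation placeholder and the port list is an assumption to replace with your own Remote Admin Port.

```python
import socket
import ssl
import sys

VERDICTS = {
    "unreachable": "ok: nothing answers on this port",
    "tls": "exposed over HTTPS: restrict by source IP or disable",
    "open-no-tls": "exposed without usable TLS: disable or force HTTPS",
}

def probe_admin_port(host, port, timeout=3.0):
    """Return 'unreachable', 'tls' or 'open-no-tls' for one TCP port."""
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except OSError:  # refused, filtered (timed out) or no route
        return "unreachable"
    # Detection only: router certificates are usually self-signed, so the
    # certificate is not validated. This answers "is TLS spoken here?",
    # not "is this really my router?".
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        with ctx.wrap_socket(sock):
            return "tls"
    except OSError:  # ssl.SSLError and handshake timeouts are OSError subclasses
        return "open-no-tls"
    finally:
        sock.close()

def audit_wan_side(host, ports, timeout=3.0):
    """Map each port to a (state, verdict) pair."""
    results = {}
    for port in ports:
        state = probe_admin_port(host, port, timeout)
        results[port] = (state, VERDICTS[state])
    return results

if __name__ == "__main__":
    # 203.0.113.10 is a documentation placeholder, not a real router.
    host = sys.argv[1] if len(sys.argv) > 1 else "203.0.113.10"
    # Assumed candidate ports; add the Remote Admin Port you configured.
    for port, (state, verdict) in audit_wan_side(host, [80, 443, 8080]).items():
        print(f"{host}:{port:<5} {state:<12} {verdict}")
```

With remote administration disabled, every port should report `unreachable`; a port reporting `open-no-tls` means the console (or some other service) answers from the internet side without HTTPS.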