How to secure your UniFi controller

Published onby Iron

If you've been rocking a UniFi setup for a while, you probably know how awesome it is to have all your network devices managed in one place. But as awesome as it is, there's one thing that should be top of mind: security.

Whether you're managing a home network or a sprawling enterprise setup, keeping your UniFi controller locked down is crucial.

Let's Dive In!

Table of Contents

Start with a solid password

This one might sound basic, but you'd be surprised how many people overlook it. Your UniFi controller’s password is the first line of defense. If you're still using the default credentials, it's time to change them ASAP.

Tips for a strong password:

  • Go for a combination of uppercase, lowercase, numbers, and symbols.
  • Make it long—at least 12 characters.
  • Avoid using easily guessable words or phrases (no "password123" nonsense).

And don't forget to change it regularly. A good rule of thumb is every 3 to 6 months.

Enable two-factor authentication (2FA)

Passwords are great, but adding an extra layer of security is even better. That's where two-factor authentication (2FA) comes in. It requires a second piece of information (like a code sent to your phone) before you can log in.

To enable 2FA on your UniFi controller:

  1. Log in to your controller.
  2. Navigate to your account settings.
  3. Find the 2FA section and follow the steps to link your phone.

Every time you log in, you’ll need to input a code from your phone—just one more thing that stands between your network and would-be intruders.

Regularly update your UniFi controller software

Keeping your software up-to-date is like brushing your teeth—do it regularly, and you'll avoid a lot of problems down the line. UniFi frequently releases updates that patch security vulnerabilities and improve overall performance.

To update your UniFi controller:

  1. Go to your UniFi Network Controller dashboard.
  2. Check for updates in the settings section.
  3. If there's an update available, install it immediately.

And if you’re running a version of UniFi that’s older than 7.5.187, you’ll want to upgrade pronto due to a serious security vulnerability that was patched in that update【5†source】.

Lock down remote access

Having the ability to manage your network from anywhere is super convenient, but it’s also a potential security risk. If you don’t need remote access, it’s best to disable it.

To disable remote access:

  1. Go to the settings in your UniFi Network Controller.
  2. Find the remote access settings.
  3. Toggle it off.

If you do need remote access, consider setting up a VPN. This way, you can securely connect to your network without exposing it to the world.

Limit who can log in

If you’re managing a large network, chances are you’re not the only one with access to the UniFi controller. But you don’t want just anyone poking around in there. It’s essential to manage permissions and limit who can log in.

UniFi lets you set different roles for different users:

  • Super Admin: Full access to everything.

  • Limited Admin: Access to most features, but can’t delete anything critical.

  • Read-Only: Can view settings but can't make changes.

Assign roles based on what people actually need to do. And if someone leaves your organization or no longer needs access, remove their account immediately.

Use HTTPS for secure communication

When accessing your UniFi controller’s interface, make sure you’re using HTTPS. This encrypts the data sent between your browser and the controller, making it much harder for anyone to intercept.

If your controller isn’t set up for HTTPS by default, you can enable it:

  1. Go to the settings in your UniFi controller.
  2. Navigate to the Site settings.
  3. Enable "Use HTTPS" under the controller settings.

Monitor and audit your controller

You can't fix what you don’t know is broken, right? Regularly monitoring your UniFi controller helps you spot anything fishy before it becomes a problem.

UniFi controllers come with built-in logging features. You can monitor:

  • Login attempts: Keep an eye on failed logins—they could indicate someone is trying to brute-force their way in.

  • Changes in settings: Any unexpected changes should be investigated.

  • Connected devices: Make sure you recognize every device on your network.

And don’t just rely on the logs. Regularly audit your network settings and configurations. You might spot a misconfiguration or find something that needs tightening up.

Secure your backups

Backing up your UniFi controller is a no-brainer. But it’s just as important to secure those backups. Imagine if someone got their hands on a backup of your UniFi controller—it's like handing them the keys to your network.

Secure your backups by:

  • Storing them in a secure, encrypted location.
  • Regularly checking and updating your backup strategy.
  • Making sure that only trusted users have access to backups.

Use VLANs to segment your network

If you’re managing a network with multiple types of devices (like IoT devices, guest Wi-Fi, and company laptops), consider using VLANs (Virtual Local Area Networks). VLANs help you segment your network, so even if one part gets compromised, the rest remains secure.

Setting up VLANs:

  1. Go to your UniFi controller settings.
  2. Navigate to the Networks section.
  3. Create new VLANs and assign them to the appropriate devices.

For example, you can create a VLAN just for IoT devices. These devices are often less secure, so keeping them on a separate network helps protect the rest of your devices.

Disable unused services

The more services running on your UniFi controller, the more potential entry points there are for attackers. If you’re not using a particular service or feature, disable it.

For example, if you’re not using SNMP (Simple Network Management Protocol), turn it off. Go through your UniFi controller’s settings and disable anything you don’t need. This reduces the attack surface and makes your network more secure.

Regularly review user accounts and permissions

It’s easy to forget about old accounts or permissions that are no longer needed. Over time, these can become security risks. Make it a habit to regularly review who has access to your UniFi controller and what they can do.

Delete any accounts that are no longer needed, and tighten up permissions where necessary. This helps ensure that only the people who absolutely need access have it.

Consider using Private Pre-Shared Keys (PPSK)

If you’re managing a Wi-Fi network with multiple users, consider using Private Pre-Shared Keys (PPSK). PPSK allows each user or device to have a unique Wi-Fi password. This way, if one password is compromised, it doesn’t affect the entire network【5†source】.

How to set up PPSK:

  1. Access the Wi-Fi settings in your UniFi controller.
  2. Enable the PPSK option.
  3. Assign unique keys to each user or device.

PPSK is particularly useful in environments where multiple users need access to the Wi-Fi but you don’t want them all sharing the same password.

Final Thoughts

Securing your UniFi controller isn’t rocket science, but it does require some attention to detail. By implementing these practices, you can significantly reduce the risk of unauthorized access and keep your network running smoothly. Remember, security is an ongoing process, not a one-time setup. Regularly review your settings, update your software, and stay informed about the latest security threats.

If you’re looking for a hassle-free way to manage your UniFi Controller in the cloud with all these security features baked in, we’ve got you covered at UniHosted.

We host UniFi Controllers in the Cloud

Are you ready to take your UniFi Network to the next level? Deploy a UniFi Cloud Controller in minutes and manage your network from anywhere.

Deploy Now

Free tier available

Get the best support

Join 1660+ customers

No credit card required