TransWikia.com

Ways to configure a router

Information Security Asked by user136026 on December 8, 2021

I have recently got into cyber-security and I have been looking at ways to configure a router. However, the sources I have found have been on how to configure a router and not things you can do to configure the router.

So far, I have found out that it should use WPA2-AES encryption as well as it should have a strong password. In addition, you can also configure it to only accept connections from known computers.

Are there other ways in which it can be configured?

3 Answers

First of all, you mention WPA and 'router'. I am assuming that you are not asking about a router but about a device with many functions built into one set of hardware. Probably: "Modem/firewall/wired network switch/access point/DHCP server/DNS server/etc etc".

  • These devices often ship with default settings, which means that the first thing you want to do is to change the root/admin password. If it is possible to change the username then that is also a good idea.

    Do this even if the device shipped with a sensible looking password. The reason for this is that some devices shipped with a password based on their serial number. That is a lot better than admin/admin, but once the pattern is known people could still compute or guess these passwords.
  • Next disable the Internet facing management interface. This is often already the default setting, but make sure that it is turned off.
  • Thirdly, many devices ship with their manufacturer's firmware, which is often not well tested. Or it may work fine but have known backdoors. So update to the latest safe firmware. Since these are not always updated by manufacturers it is a good idea to consider OpenWRT, Tomato or similar.
  • If there are services which you do not use then turn these off.
  • If you use the 'router' as a fileserver with an external USB based pendrive or external harddisk then make sure there is a password on this.
  • Do the same for all devices behind the router (and behind its firewall). Securing the 'router' is a good start. But defence in depth is better.
  • Next configure the wireless part with a good, long password.
    • Do not use: Open (unencrypted)
    • Do not use: WEP (trivial to crack).
    • Do not use: WPA
    • That leaves WPA2, which is not fully secure. WPA2 can be cracked in hours for about US $70 of Amazon computing time. At least that was the state years back; things will not have improved now that computers are even faster. It might be safe enough to save you from pranks by the neighbours, but anyone able to follow a script and willing to spend half a day has a good shot at cracking your WPA2 setup.

So much for things you should do, there are also a few things which you do not want to do:

  • Do not use MAC-address filtering. It makes it harder for you and adds no security at all. (The last because the MAC-address is broadcast through the air. Everyone can see which MAC-addresses do work. And everyone can fake their own MAC-address.)
  • Do broadcast your SSID. If you do not broadcast it then:
    • It is still broadcast through the air. (So everyone can learn it if there is some traffic)
    • The periodic beacon ('Hi, I am here, my name is SSID') will be turned off, making it slightly harder for you.
    • Nothing will stop me from putting up my own AP and claiming the same name. And if I have a stronger signal mine might just get preference. Combine this with a helpful OS which automagically connects to an AP with no encryption and I am in a very nice position to snoop some of your traffic.
  • Do not use WPS, or if you use it make sure your firmware does not suffer from implementation flaws.
    Reason: WPS uses an 8 digit pin. That is 10^8 possible combinations, at guessable at low Wifi speeds. That sounds good enough. But the 8th digit is a checksum, making it 10x as easy to guess. And many implementations allowed you to send 4+4 digits. If the first set was wrong they reported it. Thus rather than 100000000 possible passwords you only had (10500) possible passwords. With no rate limiting this is trivial to force. (Also see the part where I say 'use an updated firmware').

Answered by Hennes on December 8, 2021
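An added example (not part of the answer above, and not OpenWrt project code): a small Python audit of an OpenWrt-style `/etc/config/wireless` file against the wireless points in that answer. The sample config, the 20-character passphrase threshold and the function names are assumptions made for illustration.

```python
import re
# Constructed sample of an OpenWrt /etc/config/wireless file (not from the page).
SAMPLE = """
config wifi-iface 'guest'
    option encryption 'none'
config wifi-iface 'home'
    option encryption 'psk2+ccmp'
    option key 'correct horse battery staple 42'
    option wps_pushbutton '1'
    option hidden '1'
    option macfilter 'allow'
"""
SECTION = re.compile(r"^config\s+wifi-iface(?:\s+'?([^'\s]+)'?)?")
OPTION = re.compile(r"^\s*option\s+(\S+)\s+'?([^']*)'?\s*$")

def parse_ifaces(text):
    """Return {section_name: {option: value}} for every wifi-iface section."""
    ifaces, current = {}, None
    for line in text.splitlines():
        m = SECTION.match(line)
        if m:
            current = ifaces.setdefault(m.group(1) or f"iface{len(ifaces)}", {})
        elif line.startswith("config"):
            current = None  # another section type, e.g. wifi-device
        elif current is not None and (o := OPTION.match(line)):
            current[o.group(1)] = o.group(2)
    return ifaces

def audit(opts, min_key_len=20):  # min_key_len is an assumed threshold
    """Check one interface against the wireless advice in the answer."""
    findings = []
    enc = opts.get("encryption", "none")  # assumed: absent means open
    if enc == "none":
        findings.append("open network")
    elif enc.startswith("wep"):
        findings.append("WEP in use")
    elif enc.startswith("psk") and not enc.startswith("psk2"):
        findings.append("WPA or WPA/WPA2 mixed mode in use")
    if enc.startswith("psk") and len(opts.get("key", "")) < min_key_len:
        findings.append("short passphrase")
    if "1" in (opts.get("wps_pushbutton"), opts.get("wps_label")):
        findings.append("WPS enabled")
    if opts.get("hidden") == "1":
        findings.append("hidden SSID adds no security")
    if opts.get("macfilter") in ("allow", "deny"):
        findings.append("MAC filtering adds no security")
    return findings

for name, opts in parse_ifaces(SAMPLE).items():
    print(name, audit(opts) or "ok")
```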

Not all routers have the same functionality but as a rule of thumb you could do the following.

Firstly, you may want to bin the router provided by your ISP and buy one that allows you to have more granular control, and/or install open source firmware such as dd-wrt.

The general advice I tend to give is:

  • Change the default setting on things like Admin usernames and password.

  • Restrict what devices can connect to the router with MAC address filtering.

  • Ensure that the web-interface is using HTTPS and is not reachable from the public internet.

  • Disable Wi-Fi Protected Setup (WPA).

  • Change the password that allows WiFi access regularly.

Answered by TheJulyPlot on December 8, 2021

  • Change your default admin password to something secure

  • Use WPA2 for wifi access with a very long password which should be periodically changed.

  • Set up MAC address filtering to allow only devices you trust.

  • Disable remote admin tools

  • Disable secondary SSIDs you are not using if they are supported

  • Turn off SSID broadcast

  • Turn off Wifi Protected Setup

  • Some sources recommend changing the SSID to something to mislead attackers, so if your router is Belkin, change your SSID to 'Cisco'

  • Enable the firewall if available

  • Keep your firmware up to date

  • Review logs periodically for suspicious activity

You can use services such as Shields Up to run basic testing of your network: https://www.grc.com/shieldsup

Answered by iainpb on December 8, 2021
