Top10VPN is editorially independent. We may earn commissions if you buy a VPN via our links.

How to Stay Safe on Public WiFi Networks

Simon Migliano is a recognized world expert in VPNs. He's tested hundreds of VPN services and his research has featured on the BBC, The New York Times and more.

Fact-checked by JP Jones

Our Verdict

Connecting to a public WiFi network without taking necessary precautions is dangerous. You risk giving hackers access to your web browsing activity or account details, and your web traffic may be vulnerable to interception or manipulation. The prevalence of HTTPS has mitigated many of these risks, but changing your browsing behavior and using a Virtual Private Network (VPN) is still recommended to stay absolutely safe on free WiFi and public WiFi networks.

How to use public WiFi safely

With a growing global network of more than 350 million hotspots, free public WiFi has become a necessary tool for millions of internet users every day.

Companies often overstate the risks of public WiFi in order to sell security products. In truth, public WiFi is not as dangerous as it’s made out to be. Thanks to the rise of HTTPS, you’re safer on a public WiFi network than ever before.

But public WiFi isn’t risk-free. When you access an insecure network without taking necessary precautions, you risk giving a hacker access to your browsing activity, sensitive account details, and more.

Summary: The Dangers of Public WiFi Networks

Despite the prevalence of HTTPS, public WiFi networks still pose the following risks:

  • Unencrypted WiFi: If you can connect to a WiFi hotspot without a password, anyone can intercept your unencrypted traffic.
  • HTTP Websites: Most websites today use HTTPS encryption, but those that don’t will leave your data and device vulnerable.
  • Man-in-the-Middle (MitM) Attacks: A hacker can intercept your internet traffic to insert malicious code or redirect your traffic.
  • Fake Hotspots & Evil Twin Attacks: These are malicious hotspots set up to steal data from connected devices and compromise them.
  • DNS Spoofing: This attack diverts your web traffic to a malicious website.
  • Session Hijacking: This attack uses unsecured cookies to take control of your online accounts.

Fortunately, there are several easy steps you can take to mitigate the dangers of public WiFi and protect your personal information. With a little preparation, you can connect to free WiFi without worrying about the dangers it might present.

Summary: How to Stay Safe on Public WiFi Networks

Here’s how to protect your information when using free or public WiFi networks:

  • Use a VPN: Protect yourself by encrypting your internet traffic with a safe virtual private network (VPN).
  • Change Your Browsing Behavior: Only connect to password-protected networks, avoid sharing any sensitive details, and ask for the official WiFi name wherever possible.
  • Change Your Device Settings: Disable automatic WiFi connection, turn on your device’s firewall, and stay up to date with software updates.
  • Enable Two-Factor Authentication: Secure your accounts from password theft by adding an extra layer of authentication for logging in.

In this guide, we will explain the real risks of using public WiFi, and the measures you can take to protect yourself.

Are Public WiFi Networks Safe to Use?

Public WiFi is safer than it’s ever been. Thanks to the rise of HTTPS encryption and encrypted WiFi hotspots, it’s much harder for attackers to intercept and change your data than it used to be.

However, some security risks remain. If you connect to a compromised WiFi hotspot, an attacker may be able to see your web activity or hack your device.

In some cases, attackers may be able to hack a free WiFi router in order to divert all traffic to malicious clones of banking or shopping websites. This would enable them to steal your login details when you try to use those services through that public WiFi router.

There’s also a privacy risk, even when using legitimate public WiFi. The WiFi operator may still be able to monitor and record the websites you visit and share this information with third parties.

Does a VPN Protect You on Public WiFi?

Using a VPN protects your internet traffic on public WiFi networks by encrypting all the traffic leaving your device. If someone tries to monitor or intercept your web traffic while you’re connected to a VPN server on an unsecured network, all they’ll see is a meaningless combination of letters and numbers.

We used Wireshark to check that NordVPN kept our internet traffic encrypted and secure.

This prevents the WiFi operator from seeing your browsing activity, and it also prevents attackers from manipulating your internet traffic or coordinating an attack.

The Real Dangers of Public WiFi Networks

Free WiFi networks are much more secure than they used to be. However, public WiFi doesn’t come without risks. If you don’t take necessary precautions, your traffic may still be vulnerable to interception and manipulation by attackers.

Despite the rise of HTTPS, public WiFi networks still pose some risks in 2024.

If the WiFi hotspot is compromised or operated by an attacker, your data and device security could be at risk.

Here’s a more detailed list of the real dangers posed by public WiFi networks in 2024:

Unencrypted WiFi Networks

Most public WiFi networks are now password-protected, which means they’re encrypted. If you’re connected to a password-protected network and a user outside of the network intercepts your connection, they won’t be able to decrypt your data in order to understand it.

If you connect to a free WiFi network without a password, you’re using an unsecured connection without encryption, which is much less secure. In this case, everything you do online can be captured and understood by other people within range.

Even if you’re connected to a password-protected network, there are still potential risks. Firstly, the person running the access point can still intercept and understand what you’re doing, so you’re relying on the network owner being trustworthy.

Secondly, it’s still technically possible to intercept and decipher your web traffic on a password-protected WiFi network. It all depends on the security of the WiFi network.

For example, on a network using WEP encryption, all data is encrypted with the pre-shared key you used to get on the network (i.e. the WiFi password). That means everyone on the network can decipher everyone else’s traffic without a problem.

It’s a little more difficult on WPA-PSK or WPA2-PSK networks, which use individual, per-session encryption keys. However, it’s not impossible. Those keys are derived from the pre-shared key (the WiFi password), which still poses a potential risk.

WPA2-PSK networks are more secure as they use individual encryption keys.

On WPA-Enterprise or WPA2-Enterprise networks, all the per-client per-session keys are derived completely independently, which means it’s impossible to decode other users’ traffic. In this case, an attacker would have to set up a fake hotspot to gain access to your data.

HTTPS vs HTTP Websites

Most websites today use an encrypted connection called HTTPS, which uses TLS (Transport Layer Security) to secure the information passing between your device and a web server.

HTTPS is an encrypted version of the HTTP protocol, a basic internet standard for accessing web pages. It stops most third parties from seeing what you’re doing on a website, and also stops them inserting malicious code into your web traffic.

If the website you’re visiting is HTTPS-enabled, you’ll see a padlock in the top left-hand corner of your browser’s address bar.

HTTPS has made public WiFi — and the Internet as a whole — much safer. However, HTTPS does not guarantee that you’re safe online, especially on public networks. You’re still vulnerable to some Man-in-the-Middle attacks, phishing, certificate authority issues, and to any vulnerabilities in SSL/TLS.

Most importantly, HTTPS won’t protect your DNS queries, which can be intercepted and manipulated to redirect you to an alternative server under an attacker’s control. For this reason, we recommend using HTTPS in combination with a VPN.

EXPERT TIP: HTTPS confirms that your connection is encrypted, but it is not a guarantee that you’re connected to the website you think you are. Even if you see a padlock in your address bar, make sure you haven’t been diverted to a domain with a different but similar-looking name.

HTTPS will prevent the WiFi network provider from seeing the individual pages you visit, but they will still see the domain names of the websites you’re browsing.

The most popular websites are all secured using HTTPS today, but you should look out for sites that aren’t. An attacker could easily monitor your activity or insert malicious code into unencrypted (HTTP) web traffic, and it can be monitored and logged by the WiFi provider, too.

Sites that have a secure connection may not default to it, either: Google reports that 3 out of the top 100 non-Google websites don’t. To stay safe on those sites, you’ll need to use a VPN or a browser extension that forces HTTPS connections.

Worryingly, 5% of Google’s visitors do not use HTTPS because the devices or software they’re using are too old to support modern encryption standards. If you’re using an outdated device that doesn’t support HTTPS, consider upgrading if you can.

Man-in-the-Middle (MitM) Attacks

A Man-in-the-Middle (MitM) attack refers to any scenario in which a malicious third party interrupts or alters the communication between two systems.

When a MitM attack occurs on public WiFi, the attacker is interrupting the connection between your computer and the web server you’re trying to connect to.

Using public WiFi networks increases your risk of Man-in-the-Middle attacks.

On an unsecured network, attackers can alter key parts of the network traffic, redirect this traffic, or inject malicious content into an existing data packet.

An attacker could display a fake website or login form, replace links with malicious alternatives, add pictures, and much more.

Hackers can also trick people into revealing or changing their passwords, exposing highly personal information.

MitM attacks are popular with hackers because they are cheap, easy, and effective. All a hacker needs is something like the WiFi Pineapple — a portable device that looks a bit like a WiFi router, and costs just $120.00.

The $120.00 WiFi Pineapple allows virtually anyone to exploit public networks to collect personal data.

These simple devices enable virtually anyone to create a fake WiFi access point and carry out a Man-in-the-Middle attack. They are commercially available and sold in most computer hardware stores.

The WiFi Pineapple can interface with hundreds of devices at a time. Security researchers use it to execute attacks on public WiFi networks in order to test how safe the network is and learn how to protect it against attacks.

However, it’s clearly a dangerous tool in the wrong hands. Attackers can easily use the WiFi Pineapple to gather sensitive personal data from unwitting public WiFi users.

The WiFi Pineapple can also be used to run SSLstrip, software that changes secure HTTPS requests to their insecure HTTP equivalent.

Modern browsers are designed so that web servers can tell browsers they should use HTTPS, which helps fight against this. However, this protection doesn’t take effect until your second visit to the site.
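
The first-visit gap described above comes from how HTTP Strict Transport Security (HSTS) works: the browser only learns a site's policy from a response received over HTTPS. The following Python model is an added example, not part of the original article; the class and function names, shop.example and the timestamps are assumptions made for illustration.

```python
# Added example: toy model of a browser's HSTS store (RFC 6797).
# Hostnames, timestamps and header values are constructed for illustration.
from urllib.parse import urlsplit


def parse_hsts(header_value):
    """Return (max_age_seconds, include_subdomains), or None if max-age is missing."""
    max_age = None
    include_subdomains = False
    for directive in header_value.split(";"):
        name, _, value = directive.strip().partition("=")
        name = name.strip().lower()
        value = value.strip().strip('"')
        if name == "max-age" and value.isdigit():
            max_age = int(value)
        elif name == "includesubdomains":
            include_subdomains = True
    if max_age is None:
        return None  # a header without a valid max-age is ignored
    return max_age, include_subdomains


class HstsStore:
    """Remembers which hosts asked for HTTPS-only access, and until when."""

    def __init__(self):
        self.entries = {}  # host -> (expiry_time, include_subdomains)

    def note_response(self, url, headers, now):
        """Record the policy from a response; `now` is a time in seconds."""
        parts = urlsplit(url)
        if parts.scheme != "https":
            # Over plain HTTP anyone on the path could forge or strip the
            # header, so it is ignored.
            return
        lowered = {k.lower(): v for k, v in headers.items()}
        value = lowered.get("strict-transport-security")
        policy = parse_hsts(value) if value else None
        if policy is None:
            return
        max_age, include_subdomains = policy
        if max_age == 0:
            self.entries.pop(parts.hostname, None)  # max-age=0 withdraws the policy
        else:
            self.entries[parts.hostname] = (now + max_age, include_subdomains)

    def is_hsts_host(self, host, now):
        """True if host, or a parent that set includeSubDomains, has a live entry."""
        labels = host.lower().split(".")
        for i in range(len(labels)):
            entry = self.entries.get(".".join(labels[i:]))
            if entry and now < entry[0] and (i == 0 or entry[1]):
                return True
        return False

    def rewrite(self, url, now):
        """Return the URL the browser actually requests (default ports only)."""
        parts = urlsplit(url)
        if parts.scheme == "http" and self.is_hsts_host(parts.hostname, now):
            return parts._replace(scheme="https").geturl()
        return url


def first_visit_gap():
    """Replay a constructed browsing sequence; returns the URLs actually requested."""
    store = HstsStore()
    policy = {"Strict-Transport-Security": "max-age=600; includeSubDomains"}
    requested = []
    # Visit 1: nothing stored yet, so the plain-HTTP request goes out as typed.
    requested.append(store.rewrite("http://shop.example/", now=0))
    # The site redirects to HTTPS and sends its policy over the secure connection.
    store.note_response("https://shop.example/", policy, now=0)
    # Visit 2 and a subdomain: upgraded inside the browser before any packet leaves.
    requested.append(store.rewrite("http://shop.example/login", now=60))
    requested.append(store.rewrite("http://pay.shop.example/", now=60))
    # Once max-age has passed, the entry no longer applies and the gap reopens.
    requested.append(store.rewrite("http://shop.example/", now=600))
    return requested


if __name__ == "__main__":
    print("\n".join(first_visit_gap()))
```

Only the first and last requests in the sequence leave the device as plain HTTP, which is the window in which a downgrade tool on the network can act.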

Fake Hotspots & Evil Twin Attacks

Fake hotspots or ‘Evil Twin attacks’ are among the most common and most dangerous threats on public WiFi connections. An attacker can use them to steal your unencrypted data and infiltrate your device.

To carry out this attack, an attacker simply imitates a public WiFi network with a seemingly legitimate name like ‘Free_Cafe_WiFi’ and waits for their victims to connect. Less sophisticated hackers may even choose names like ‘FREE INTERNET’ to entice people.

An Evil Twin attack is very easy to pull off — you can see this seven-year-old doing it in 11 minutes.

WiFi Pineapples can even actively scan for SSID signals. These signals are used by phones to find and connect to known WiFi networks. Fake hotspots can impersonate a familiar network by copying those SSID signals.

This means that anyone with a WiFi Pineapple can trick your phone or laptop into connecting to a dangerous WiFi network just by being nearby. It appears to the user as if they’re connected to a network that they’ve previously connected to.

It is incredibly easy to fall for a fake WiFi hotspot. At the 2016 US Republican Convention, more than 1200 people connected to unknown free WiFi networks because they had targeted names like ‘I Vote Republican! Free Internet’. As a result, 68% of users at the convention exposed their identities when they connected.

These were fake networks set up in a test by Avast to make a point about public WiFi — but the consequences could have been severe.

Always be careful of auto-connecting to a network, particularly if its name or location seems suspicious.

DNS Spoofing

DNS Spoofing or ‘DNS cache poisoning’ is a specific type of Man-in-the-Middle attack designed to divert traffic away from legitimate servers and redirect it toward fake ones. This type of attack is particularly popular over unprotected public WiFi networks.

DNS queries are sent from your device every time you connect to a website. When you enter a URL into your browser’s address bar, you first contact a DNS nameserver which finds the matching IP address (e.g. 192.168.1.1) for the domain you’re looking for (e.g. example.com).

DNS spoofing is when a third party changes the entries in a DNS nameserver’s resolver cache. This is like changing the phone number in a directory — if someone altered the entry for ‘example.com’, any user trying to access that website would be sent to a different IP address specified by the hacker.

DNS Spoofing works by redirecting your traffic to fake servers.

In this way, attackers can send users to phishing sites that look almost identical to the intended destination. These websites are designed to trick users into entering sensitive data such as their username and password.

Often, public WiFi hotspots are operated by small businesses that do not have the technical knowledge to keep the router fully secure. They might not have changed the default password and probably haven’t updated the firmware.

Hackers can install malware on insecure routers. This malware sends all the DNS queries to their malicious server. The attacker can then divert traffic for legitimate websites toward malware and phishing websites.

Session Hijacking

Session hijacking is another type of Man-in-the-Middle attack that allows a malicious third party to gain full control of your online accounts. It is much less of a risk than it used to be, thanks to the rise of HTTPS.

Hackers can steal your identity through session hijacking.

‘Sessions’ are temporary states established between two communicating devices, such as your device and a web server. The session is established using authentication protocols that ensure the devices know who each other are.

When you log onto a website you are assigned a session cookie — a file containing details about your interaction with the web server. As you browse the website, the server will ask your machine to authenticate itself by resending this cookie.

Session hijacking copies these cookies to impersonate your device and steal your identity.

The most valuable session cookies are those sent to users logging in to highly-secure websites, such as shopping or banking sites.

On an unsecured network, attackers can use specialized software called ‘session sniffers’ to identify and intercept your session cookies.

Session sniffing software is incredibly easy to access, even though it is illegal to use it for eavesdropping and data snooping.
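
From the website operator's side, whether a session cookie can be sniffed on an open network comes down to the attributes set on it. The following audit is an added example, not part of the original article; the function names, shop.example and the sample headers are constructed for illustration.

```python
# Added example: audit Set-Cookie headers for the attributes that decide whether
# a session cookie can be captured on an open network. All headers are constructed.
from urllib.parse import urlsplit


def parse_set_cookie(header_value):
    """Split a Set-Cookie value into (name, value, attrs).

    attrs maps lower-cased attribute names to their value, or to True for
    flag attributes such as Secure and HttpOnly.
    """
    first, *rest = header_value.split(";")
    name, _, value = first.strip().partition("=")
    attrs = {}
    for part in rest:
        key, sep, val = part.strip().partition("=")
        if key:
            attrs[key.strip().lower()] = val.strip() if sep else True
    return name.strip(), value.strip(), attrs


def audit_set_cookie(header_value):
    """Return (cookie_name, findings) for one Set-Cookie header."""
    name, _, attrs = parse_set_cookie(header_value)
    findings = []
    if "secure" not in attrs:
        findings.append("missing Secure: also sent over plain HTTP, where it can be captured")
    if "httponly" not in attrs:
        findings.append("missing HttpOnly: readable by script injected into the page")
    if "max-age" in attrs or "expires" in attrs:
        findings.append("persistent: stored and re-sent after the browser restarts")
    return name, findings


def sent_in_cleartext(header_value, request_url):
    """True if the browser would attach this cookie to request_url without TLS.

    Assumes request_url is inside the cookie's Domain/Path scope.
    """
    _, _, attrs = parse_set_cookie(header_value)
    return urlsplit(request_url).scheme == "http" and "secure" not in attrs


# Constructed responses from a hypothetical site, shop.example.
SAMPLE_HEADERS = [
    "sid=9f2c1e; Path=/",
    "sid=9f2c1e; Path=/; HttpOnly; Max-Age=2592000",
    "sid=9f2c1e; Path=/; Secure; HttpOnly",
]


def audit_all(headers=SAMPLE_HEADERS):
    """Audit every header in the list, in order."""
    return [audit_set_cookie(h) for h in headers]


if __name__ == "__main__":
    for header, (name, findings) in zip(SAMPLE_HEADERS, audit_all()):
        print(header)
        for finding in findings or ["ok"]:
            print("   ", finding)
        print("    cleartext on http://shop.example/cart:",
              sent_in_cleartext(header, "http://shop.example/cart"))
```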

How to Stay Safe on Public WiFi Networks

There are several steps you can take to protect your data and device on public WiFi networks.

In this section, we’ll talk you through using a VPN to encrypt your web traffic, how to change your browsing behavior, and how you can configure your device settings for better security.

1. Use a Virtual Private Network (VPN)

If you use public WiFi networks regularly, then a virtual private network (VPN) is the best investment you can make toward security and peace of mind.

A good VPN for public WiFi tackles all of the potential threats we’ve mentioned in this guide, regardless of the network you’re on. In short, a VPN keeps your browsing secure by encrypting your internet traffic, routing it through a secure tunnel, and masking your true IP address.

A good VPN is the simplest way to stay safe on any internet connection.

VPNs create a secure tunnel between your device and a private VPN server. This server then forwards your traffic on to the website or application you’re accessing.

When you use a VPN, all of your web traffic is encrypted. If someone is monitoring your internet connection, all they’ll see is a meaningless combination of letters and numbers.

This stops even the WiFi operator from being able to monitor your activity, and prevents attackers from manipulating your web traffic. If the VPN has its own first-party DNS servers, your DNS requests cannot be spoofed or diverted either.

It’s still possible for a VPN to be hacked through vulnerabilities in its servers or connection protocols. It’s not a bulletproof tool for complete online security, but it’s still an essential part of any security-conscious user’s toolkit.

2. Change Your Browsing Behavior

While public WiFi is much safer than it used to be, you can’t totally eliminate the risk. Routers can get hacked remotely, and hotspots can be set up by hackers in busy places to harvest information.

As a result, it’s still necessary to be mindful of your online behavior when you’re using a network you’re not familiar with — especially if you’re not using a VPN service. It’s incredibly difficult to remove your personal information from the internet once it’s been exposed.

Here’s a list of things you should not do on public WiFi:

  • Use untrustworthy WiFi networks. WiFi provided by well-known hotels and cafes is going to be safer than a random hotspot, but there are still security risks. It’s easy to see how and why cafes or hotels pay for the WiFi they offer, but anyone providing a completely free WiFi service might be making money by exploiting your data.
  • Use unsecured WiFi networks. You’ll know a network is unsafe if it doesn’t require a password to join. Most legitimate free WiFi hotspots are password-protected and encrypted to protect your data.
  • Install software or certificates to access the hotspot. It should not be necessary to install any additional software to use a free WiFi network. If a network asks you to, that’s a red flag that there might be something suspicious going on.
  • Use services with sensitive data. If you must use public WiFi, avoid using services that risk your personal information, such as banking or shopping. Steer clear of submitting your personal details, as you risk exposing your account details to third parties.

Here’s a list of additional tips you can follow to reduce your risk:

  • Where possible, use an Internet service you already subscribe to. Some home broadband providers offer WiFi hotspots in public, which are typically more trustworthy.
  • Ask a member of staff what the correct WiFi name is in a restaurant or hotel. This is especially important if there are a number of networks with similar names in the vicinity. Remember, though, that a fake hotspot can use the same name as the real one. Hackers could force the real hotspot offline with a denial-of-service attack to drive users to their substitute.
  • It’s safer to use your mobile data than public WiFi. You can set up a mobile hotspot using your phone, so you can connect your computer to it over WiFi.
  • Look for HTTPS. Check for the padlock icon in the address bar, and make sure the website address is correct.
  • Log out of any services you use when you have finished, so that your session cookie expires. If you find yourself on a non-HTTPS website, log out straight away, too.

3. Change Your Device Settings

There are some simple adjustments you can make to your devices that will make them far less susceptible to attacks:

Turn Off Automatic WiFi Connection

One of the first things you should do is turn off automatic WiFi connections. This will stop your device from connecting to random open hotspots.

EXPERT TIP: Remember to delete public WiFi networks from your device. Keeping a lean WiFi network history reduces the risk that you’ll connect to a fake access point later on.

To turn off automatic WiFi connections on Windows:

  1. Navigate to the Settings menu.
  2. Click Network & Internet > Wi-Fi > Manage Known Networks.
  3. Select any network you don’t want to automatically connect to.
  4. Uncheck the option labeled ‘Connect Automatically When in Range’.

How to disable automatic WiFi connections on Windows.

To turn off automatic WiFi connections on a Mac:

  1. Navigate to the System Preferences menu.
  2. Select ‘Network’.
  3. Select any network you don’t want to automatically connect to.
  4. Toggle the ‘ask to join networks’ switch to prevent automatic connection.

How to disable automatic WiFi connections on a Mac.

To turn off automatic WiFi connections on an iPhone:

  1. Navigate to the Settings menu.
  2. Tap on the ‘WiFi’ option.
  3. Select any network you don’t want to automatically connect to.
  4. Toggle the ‘Auto-Join’ switch to prevent automatic connection.

Enable Your Firewall

A firewall is a network security feature that monitors the traffic flowing to or from your network. It allows or blocks traffic based on a set of predefined security rules, and helps to prevent unauthorized access to your device.

Most computers now use a firewall by default. If you’re not sure whether your firewall is on or off, it’s worth checking.

EXPERT TIP: We recommend installing trusted security software, too. Products like MalwareBytes offer real-time virus and ransomware protection, as well as malware and spyware cleanup tools.

To enable the firewall on Windows:

  1. Open the Start menu and navigate to Settings.
  2. Choose ‘Privacy & Security’.
  3. Select ‘Windows Security’ and then ‘Firewall & Network Protection’.
  4. Make sure the firewall is on.

How to enable the firewall on Windows.

To enable the firewall on a Mac:

  1. Open the System Preferences menu.
  2. Choose ‘Security & Privacy’.
  3. Select the ‘Firewall’ tab at the top of the page.
  4. Unlock the window by clicking the lock in the bottom-left corner.
  5. Click ‘Turn On Firewall’ to enable the firewall.

How to enable the firewall on a Mac.

Software Updates

It’s important to keep your computer, laptop, or phone as up-to-date as possible. Fortunately, most software updates are enabled automatically.

Software updates usually contain security patches. These will protect you against known vulnerabilities that hackers can easily exploit.

It’s possible to trigger a fake software update on your computer if you’re on a public network. For this reason, you should never download software updates over public WiFi — particularly if the alert box pops up while you’re on that hotspot.

Make sure to disconnect and check for updates when you’re on a secure and private connection.

Disable Sharing

It’s best to turn off file sharing, Bluetooth and AirDrop on your device unless you intend to use them. Having them on all the time is unnecessary and increases the risk of malware-infected files finding their way into your system.

Enable HTTPS-Only In Your Browser

Modern browsers include HTTPS-Only mode, which automatically moves you to the secure HTTPS version of a website if you find yourself on the unencrypted HTTP version.

If you were previously using the HTTPS Everywhere browser extension to do this, you don’t need it any more. As of January 2023, it’s now deprecated and mostly redundant.

To enable HTTPS-Only mode in Firefox:

  1. Click the menu button and choose Settings.
  2. Select ‘Privacy & Security’.
  3. Scroll down to ‘HTTPS-Only Mode’.
  4. Use the radio button to enable HTTPS-Only Mode in all windows.

To enable HTTPS-Only mode in Chrome:

  1. Click the menu button and choose Settings.
  2. Select ‘Privacy & Security’.
  3. Select ‘Security’.
  4. Scroll down to ‘Always Use Secure Connections’.
  5. Click to toggle it on.

To enable HTTPS-Only mode in Edge:

  1. Visit edge://flags/#edge-automatic-https in your browser.
  2. Where it says Automatic HTTPS, choose ‘Enabled’.
  3. Click the button to restart your browser. It will keep your open tabs.
  4. Visit edge://settings/privacy in your browser.
  5. Scroll down to ‘Automatically Switch To More Secure Connections With Automatic HTTPS’.
  6. Select the radio button to ‘Always Switch From HTTP To HTTPS (Connection Errors Might Occur More Often)’.

Edge only offers HTTPS-Only as a developer feature for now, so hopefully it will become easier to enable and disable in the future.

To enable HTTPS-Only mode in Safari, simply upgrade your browser to Safari 15 or later for macOS Big Sur and macOS Catalina. The browser automatically enables its HTTPS Upgrade feature.

Enable DNS over HTTPS

As we’ve already mentioned, your DNS requests are still exposed during HTTPS connections. DNS over HTTPS (DoH) is a technology designed to cover these cracks by encrypting your DNS queries.

However, it only works if you’re using a compatible DNS server, such as Google Public DNS or Cloudflare.

In Firefox, you can enable DNS over HTTPS in the browser’s ‘Network’ settings.

In Chrome, DNS over HTTPS is called Secure DNS and it is enabled in: Settings > Privacy & Security > Security.

In Edge, find the option in: Settings > Privacy, Search and Services > Security > Use Secure DNS.

4. Enable Two-Factor Authentication

Enabling two-factor authentication (2FA) on your online accounts goes a long way to protect you against data theft.

With 2FA enabled, even if a hacker manages to get hold of your usernames and passwords, they won’t be able to log in to your accounts without additional verification codes.

FAQs

How Do I Make Sure Public WiFi is Secure?

Always make sure you’re connecting to a legitimate WiFi network that’s password-protected. If you don’t know who’s operating the network, don’t connect to it.

The easiest way to make sure you are secure on public WiFi is to use a VPN, which will encrypt all of the traffic leaving your device.

Even if you’re connected to a compromised WiFi hotspot, a VPN will stop the hotspot operator snooping on your connection or manipulating your web traffic.

Can Public WiFi See Your Browsing History?

If you’re not using a VPN, the WiFi owner can see which websites you visit, even if they’re encrypted using HTTPS. If the sites don’t use HTTPS encryption, the WiFi operator can see every individual web page you visit, too. Most routers keep a log of the websites visited through them.