Wireless printers are one of the most overlooked security vulnerabilities in home and small business networks. Here is how to lock them down properly.
Printers are treated as furniture - plugged in once, connected to the network, and forgotten. But a wireless printer is a network-connected device running its own operating system, often with an embedded web server, open ports, and default credentials that have never been changed. Security researchers have demonstrated repeatedly that printers can be exploited to access other devices on the same network, intercept print jobs, or serve as a persistent entry point for attackers.
Whether you are running a small office or managing devices for remote workers, these seven steps will significantly reduce the risk posed by wireless printers.
1. Update the Firmware
Printer firmware updates fix known vulnerabilities and are released regularly by manufacturers including HP, Canon, Epson, and Brother. Most printers have an option in their embedded web interface to check for and install firmware updates. Enable automatic updates where available. If your printer model is no longer receiving firmware updates from the manufacturer, it is a legacy device that should be replaced.
Many businesses that conduct thorough patch management for servers and workstations have never updated the firmware on a printer they have owned for five years. That gap is exactly what attackers look for.
2. Change the Default Admin Password
Every printer ships with a default administrator password - often something as straightforward as “admin,” “1234,” or the printer’s model number. These defaults are publicly documented and widely known. Change the admin password immediately on any new printer, and review existing devices to confirm their passwords have been updated. Store the credentials in your business password manager.
The printer’s embedded web interface (usually accessible by entering the device’s IP address in a browser) is where most administrative functions are managed. If you have never logged in there, it is worth exploring what is exposed.
3. Disable Unused Protocols and Ports
Printers often come with a range of connectivity services enabled by default - Telnet, FTP, older printing protocols, cloud print services, and Wi-Fi Direct. If you are not using these, disable them. Each open service is an additional attack surface. In the printer’s web interface, review the network services and protocols section and disable anything your environment does not require.
Wi-Fi Direct in particular deserves attention. It allows devices to connect directly to the printer without going through your router, which bypasses your network security controls entirely. Disable it unless you have a specific need for it.
4. Place the Printer on a Separate Network Segment
Network segmentation limits what a compromised printer can reach. If your printer sits on the same network as workstations, servers, and NAS devices, an attacker who gains access through the printer can move laterally to higher-value targets. Place printers on a dedicated VLAN or at minimum a separate Wi-Fi network (most modern routers support multiple SSIDs), with firewall rules that permit printing traffic but block the printer from initiating connections to other devices on the network.
5. Restrict Who Can Print
Most business printers support access controls that limit which users or devices can send print jobs. Configure these controls so that only authorised devices on your network can print. If your printer supports PIN or badge-based printing (where jobs are held in a queue and only released when the user physically authenticates at the device), enable it. This prevents sensitive documents from sitting in an output tray for hours.
6. Disable the Embedded Web Server If Not Needed
The embedded web server on a network printer allows remote configuration through a browser. If your printer is managed locally and you do not need remote administration, consider disabling the web server entirely. This removes the most accessible administrative interface from potential attackers. On HP printers, this is typically found under the networking section of the EWS; other manufacturers have equivalent settings.
7. Monitor the Printer on Your Network
If you have network monitoring tools, include printers in scope. Unusual outbound connections, unexpected data volumes, or print jobs queued at odd hours are worth investigating. Many small businesses have no visibility into what their printers are doing on the network - they are simply assumed to be inert.
Even basic router logs can show you if a printer is attempting to connect to external addresses it has no business contacting.
Printers Are Not Harmless
The perception that printers are low-risk devices persists because attacks against them rarely make headlines. But in a small office or home office environment - where the printer sits on the same flat network as business data - the risk is real. The steps above are not complex and most can be completed in under an hour.
If you want a network security review that covers all your connected devices - including the ones that get ignored - contact the CX IT Services team. We cover the full picture, not just the obvious targets.
