Coffee shops, airports, hotels, and libraries offer free Wi-Fi that millions of people use daily. The convenience is undeniable, but public networks come with real security risks. Anyone on the same network can potentially intercept your traffic, and fake hotspots are trivially easy to set up. Here’s how to stay safe without giving up the convenience.
Understand the Risk
On a public Wi-Fi network, you’re sharing the airwaves with every other connected device. Without proper encryption, an attacker using freely available tools like Wireshark can capture unencrypted traffic — including login credentials, emails, and browsing history. “Evil twin” attacks go further: an attacker creates a fake hotspot with a name like “Starbucks Free WiFi” and routes all your traffic through their device.
Use a VPN
A Virtual Private Network encrypts all traffic between your device and the VPN server, making it unreadable to anyone on the local network. This is the single most effective protection on public Wi-Fi. Reputable options include Mullvad, ProtonVPN, and IVPN. Avoid free VPNs — they often monetize your data, which defeats the purpose.
Verify HTTPS Everywhere
Before entering any credentials or sensitive information, confirm the site uses HTTPS (look for the padlock icon in your browser’s address bar). HTTPS encrypts the connection between your browser and the website, protecting your data even on an insecure network. Most modern browsers warn you when a site isn’t using HTTPS — take those warnings seriously.
Avoid Sensitive Transactions
Even with a VPN and HTTPS, it’s wise to avoid accessing banking, making purchases, or entering social security numbers on public Wi-Fi. Save those activities for your home network or cellular data. The risk may be small, but the potential consequences of interception are high.
Forget the Network After Use
Your phone remembers Wi-Fi networks and automatically reconnects to them. This means if an attacker later creates a fake hotspot with the same name (like “Airport Free WiFi”), your phone will connect automatically without asking. After using a public network, go to your Wi-Fi settings and choose “Forget This Network.”
Disable Auto-Connect and File Sharing
Turn off automatic Wi-Fi connection in your device settings so your phone doesn’t silently join open networks. Also disable file sharing, AirDrop (on iOS), and Nearby Share (on Android) while on public networks — these features can be exploited to send malicious files or discover your device.
Use Your Phone as a Hotspot Instead
If you have a generous cellular data plan, using your phone’s mobile hotspot is inherently safer than public Wi-Fi. The connection is encrypted between your phone and the cell tower, and you control who connects to your hotspot. It’s the simplest way to avoid public Wi-Fi risks entirely.
Keep Your Software Updated
OS and browser updates frequently patch vulnerabilities that attackers exploit on public networks. Running outdated software is like leaving a window open — all the locks in the world won’t help if there’s an unpatched entry point.
A Public Wi-Fi Checklist
Before connecting, confirm the network name with the business or venue. Attackers often rely on names that look plausible, such as “Free Airport WiFi” or “Hotel Guest.” If there are several similar networks, ask which one is official instead of guessing.
After connecting, avoid accepting prompts that ask you to install certificates, browser extensions, VPN profiles, or device management profiles. A normal guest Wi-Fi portal may ask for an email address or room number, but it should not need deep control over your device.
While connected, keep your session narrow. Open the specific sites you need, use HTTPS, avoid downloading unknown files, and disconnect when you are done. Public Wi-Fi becomes riskier when you leave it running in the background for hours.
What To Do If Something Feels Off
Disconnect immediately if your browser starts showing certificate warnings, familiar sites look different, login pages ask for unusual information, or your VPN repeatedly drops. Switch to cellular data, change important passwords from a trusted network, and review recent account activity.
If you entered banking, email, or password manager credentials on a suspicious network, treat it as urgent. Change the password, revoke unfamiliar sessions, and enable two-factor authentication if it is not already active. The faster you respond, the less useful any captured information becomes.
What I Would Do In Practice
For casual browsing, I would use public Wi-Fi only with automatic updates enabled, file sharing disabled, and a trustworthy VPN running. For anything involving money, identity documents, work systems, or password changes, I would use cellular data or wait until I am on a network I control.
The simple rule is this: public Wi-Fi is fine for low-stakes browsing, but it should not become your default place for sensitive work.
Device Settings Worth Checking
On laptops, set public networks as untrusted when the operating system asks. This usually disables network discovery and file sharing. On phones, disable auto-join for open networks you do not use regularly, and remove old hotel, airport, and cafe networks after trips.
Also review Bluetooth and nearby sharing settings. They are not the same as Wi-Fi, but public places are exactly where you want fewer unsolicited connection options, not more.