Securing Home Assistant comes down to one rule above all others: never expose port 8123 directly to the internet. I learned that the slightly hard way, watching failed-login attempts pile up in my logs within hours of opening a port. Home Assistant holds the keys to your locks, cameras, and alarms, so it deserves real hardening, not just a password. After running my own instance through every mistake in the book, here's the checklist I'd give anyone.

Bottom line: The biggest Home Assistant security wins are: enable two-factor authentication, never port-forward 8123 directly, keep the OS and add-ons updated, take automated encrypted backups, and put IoT devices on a separate network. The official Home Assistant docs recommend MFA and a reverse proxy as baseline practice.

If you're still setting things up, start with our Home Assistant setup guide, then come back to lock it down.

Why Does Home Assistant Need Hardening?

Home Assistant controls physical security devices, so a compromised instance is a compromised home. Unlike a random web app, an attacker who gets in can unlock your door, disable your cameras, or watch your feeds. That raises the stakes well beyond a typical self-hosted service.

The most common mistake is also the most dangerous: forwarding port 8123 straight from the router to Home Assistant. The moment you do, automated bots start hammering the login. According to the official Home Assistant securing checklist, exposing the instance without a reverse proxy and MFA is the single biggest avoidable risk.

So how do you get remote access safely without that open port? That's most of what this guide covers.

Step 1: Turn On Two-Factor Authentication

Enabling multi-factor authentication is the single highest-value thing you can do, and it takes two minutes. Home Assistant supports TOTP (the same six-digit codes as Google Authenticator or Authy) natively under your profile settings. Once on, a stolen password alone won't get anyone in.

Add it for every user account, not just yours. A guest or family account without MFA is the weak link an attacker looks for. While you're in there, ditch any short or reused passwords. A password manager makes long unique passwords painless.

This one step blocks the overwhelming majority of credential-stuffing attempts. Do it before anything else on this list.
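To show what those six-digit codes actually are, and why a captured code is useless a minute later, here is a standard-library implementation of the TOTP scheme (RFC 6238, built on RFC 4226 HOTP) that authenticator apps and Home Assistant's built-in MFA use. This is an added example, not Home Assistant's own code; the secret in the demo is the public RFC 6238 test key, the 30-second step and one-step tolerance window are the common defaults, not anything read from Home Assistant's settings.

```python
"""RFC 6238 TOTP generation and verification (added example, standard library only)."""
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional

STEP_SECONDS = 30   # default time step used by Google Authenticator-style apps
DIGITS = 6          # Home Assistant's MFA shows six-digit codes

# Public RFC 6238 test secret ("12345678901234567890" in base32); not a real key.
RFC_TEST_SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def hotp(secret_b32: str, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, then dynamic truncation."""
    key = base64.b32decode(secret_b32.upper().replace(" ", ""), casefold=True)
    msg = struct.pack(">Q", counter)
    digest = hmac.new(key, msg, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret_b32: str, at: Optional[int] = None) -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / step).

    Because the counter changes every STEP_SECONDS, a code that leaks (shoulder
    surfing, a phishing page) stops working as soon as the step rolls over.
    """
    now = int(time.time()) if at is None else at
    return hotp(secret_b32, now // STEP_SECONDS)


def verify_totp(secret_b32: str, code: str, at: Optional[int] = None, window: int = 1) -> bool:
    """Verifier side: accept the current step plus `window` steps either side to
    absorb phone/server clock drift. Compare in constant time so the check does
    not leak how many digits matched."""
    now = int(time.time()) if at is None else at
    counter = now // STEP_SECONDS
    for delta in range(-window, window + 1):
        if hmac.compare_digest(hotp(secret_b32, counter + delta), code):
            return True
    return False


if __name__ == "__main__":
    # Current code for the RFC test secret, as an authenticator app would display it.
    print("current TOTP:", totp(RFC_TEST_SECRET))
```

The enrollment step in Home Assistant's profile is just the exchange of `secret_b32` (via the QR code) between the instance and your phone; after that, both sides only need a correct clock. Keep that secret out of screenshots and unencrypted backups, since anyone holding it can generate valid codes.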

Step 2: Never Expose Port 8123 Directly

Direct port-forwarding is the cardinal sin, so route remote access through something safer instead. You have three solid options, in rough order of safety.

  • VPN (most secure): A WireGuard or Tailscale tunnel means your phone joins your home network. Nothing is exposed publicly at all.
  • Reverse proxy with TLS: An Nginx or Cloudflare Tunnel front-end adds HTTPS and can layer on extra authentication.
  • Nabu Casa Cloud: The official paid remote-access service. It funds the project and handles TLS and tunneling for you with zero config.

For the reverse-proxy route specifically, our guide to hardening with Nginx and Cloudflare walks through the full setup. For the broader comparison of remote methods, see how to access Home Assistant remotely. I run Tailscale because it's the least effort for the most safety.

Step 3: Keep Everything Updated

Outdated software is how known vulnerabilities get exploited, so updates are a security task, not just a feature one. Home Assistant ships monthly core releases, and the OS, Supervisor, and add-ons all update independently. Check the updates panel regularly and apply them after a quick backup.

Don't blindly auto-update core the day a release drops, though. Breaking changes happen. My rhythm is to wait a few days, skim the release notes for breaking changes, take a backup, then update. That balances security against the risk of a broken automation at the worst moment.

Add-ons deserve the same attention. An abandoned add-on that never patches is a liability sitting inside your trusted network.

Step 4: Automate Encrypted Backups

A backup is both a recovery tool and a security control, because ransomware and bad updates are threats too. Home Assistant has built-in full and partial backups, and you should schedule them, encrypt them, and store a copy off the device. A backup that lives only on the same SD card disappears when the card dies.

I run a nightly automated backup that uploads an encrypted archive to cloud storage through an add-on. When my SD card finally corrupted, I was back up on new hardware in 20 minutes. Without that, it would have been days of reconfiguration.

Encrypt the backups. They contain your tokens, passwords, and config, so an unencrypted backup in cloud storage is its own vulnerability.

Step 5: Vet Your Add-ons and Custom Integrations

Every add-on and HACS integration runs code inside your trusted instance, so trust is a real security decision. Official and community-vetted add-ons are generally safe, but a random custom integration from an unknown repo has full access to your data and devices.

Before installing, check the source. Is it actively maintained? Does it have real users and a public repo? Our roundup of best HACS integrations sticks to well-established ones. The convenience of a niche integration isn't worth handing device control to code you can't vouch for.

This is the step people skip because add-ons feel harmless. They aren't. Treat each one as code you're inviting inside the gate.

Step 6: Segment Your Network

Putting IoT devices on a separate network limits the blast radius if one device is compromised. Cheap smart plugs and cameras are rarely well-secured, and you don't want a hacked $10 bulb sitting on the same network as your laptop and Home Assistant. A separate VLAN or a guest network is the fix.

The idea is simple: IoT devices talk to Home Assistant, but not to your computers or each other, and not out to the wider internet unless they need to. Even a basic router's guest network is better than nothing. A managed switch with VLANs is the full version.

Is it overkill for a few bulbs? Maybe. Is it sensible once you're running cameras and locks? Absolutely. The segmentation contains a breach instead of letting it spread.

What About Monitoring for Trouble?

Hardening keeps attackers out, but monitoring tells you when something's wrong, so the two go together. Home Assistant can watch itself: alert on repeated failed logins, on a new device joining your IoT network, or on the instance going unreachable when it shouldn't be.

A few monitors I keep running:

  • Failed-login alert: Notify me if the auth log records several failed attempts in a short window, which is the earliest sign someone's probing.
  • New-device alert: Flag when an unknown MAC address joins the network, so a rogue device doesn't go unnoticed.
  • Update reminder: A weekly nudge listing pending core, OS, and add-on updates so patching never slips.
  • Backup confirmation: A notification when the nightly backup succeeds, and a louder one when it fails.

None of this needs extra hardware. It's a handful of automations using the entities Home Assistant already exposes. The point is simple: a hardened system you never check can still drift, and a quiet alert beats discovering a problem after the fact.
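Here is the logic behind the failed-login alert in that list, written out as a small detector you can run over a copy of `home-assistant.log`: it groups invalid-authentication warnings by source IP and raises one alert per IP the first time it sees `threshold` failures inside a sliding window. This is an added example, not the post's automation or Home Assistant code. The log lines are constructed for the demo and modelled on the warning Home Assistant's `http` component writes on a failed login; the exact wording in your log may differ, and the IPs are RFC 5737/3849 documentation addresses.

```python
"""Detect bursts of failed Home Assistant logins per source IP (added example)."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Deque, Dict, List, Tuple

# Matches the leading timestamp and the source IP of Home Assistant's
# invalid-authentication warning. Assumption: your log uses this wording.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})"
    r".*?Login attempt or request with invalid authentication from "
    r"(?P<ip>[0-9a-fA-F.:]+)"
)

# Constructed sample log (not captured from a real instance).
_W = "WARNING (MainThread) [homeassistant.components.http.ban] Login attempt or request with invalid authentication from"
SAMPLE_LOG = [
    # A fast burst from one address: five failures in 79 seconds.
    f"2024-05-01 02:13:44.101 {_W} 203.0.113.7 (203.0.113.7). Requested URL: '/auth/login_flow/a1'. (curl/8.0)",
    f"2024-05-01 02:14:02.550 {_W} 203.0.113.7 (203.0.113.7). Requested URL: '/auth/login_flow/a1'. (curl/8.0)",
    f"2024-05-01 02:14:20.004 {_W} 203.0.113.7 (203.0.113.7). Requested URL: '/auth/login_flow/a1'. (curl/8.0)",
    f"2024-05-01 02:14:41.318 {_W} 203.0.113.7 (203.0.113.7). Requested URL: '/auth/login_flow/a1'. (curl/8.0)",
    f"2024-05-01 02:15:03.777 {_W} 203.0.113.7 (203.0.113.7). Requested URL: '/auth/login_flow/a1'. (curl/8.0)",
    # Unrelated line: must be ignored by the parser.
    "2024-05-01 02:20:00.000 INFO (MainThread) [homeassistant.components.recorder] Purging old data",
    # A family member mistyping twice, 40 minutes apart: not a burst.
    f"2024-05-01 02:30:10.000 {_W} 198.51.100.4 (198.51.100.4). Requested URL: '/auth/login_flow/b2'. (Mozilla/5.0)",
    f"2024-05-01 03:10:00.000 {_W} 198.51.100.4 (198.51.100.4). Requested URL: '/auth/login_flow/b2'. (Mozilla/5.0)",
    # Slow drip from an IPv6 source, ten minutes apart: below threshold at 5/300s.
    f"2024-05-01 02:40:00.000 {_W} 2001:db8::5 (2001:db8::5). Requested URL: '/auth/login_flow/c3'. (python-requests)",
    f"2024-05-01 02:50:00.000 {_W} 2001:db8::5 (2001:db8::5). Requested URL: '/auth/login_flow/c3'. (python-requests)",
    f"2024-05-01 03:00:00.000 {_W} 2001:db8::5 (2001:db8::5). Requested URL: '/auth/login_flow/c3'. (python-requests)",
]


def parse_failed_logins(lines) -> List[Tuple[datetime, str]]:
    """Extract (timestamp, source_ip) from matching lines, sorted by time."""
    events = []
    for line in lines:
        m = LINE_RE.search(line)
        if not m:
            continue
        ts = datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S")
        events.append((ts, m.group("ip")))
    events.sort()
    return events


def find_bruteforce(lines, threshold: int = 5, window_seconds: int = 300) -> List[dict]:
    """One alert per IP, raised the first time it reaches `threshold` failures
    inside any `window_seconds` sliding window. Old failures fall out of the
    window, so two typos an hour apart never trip it."""
    recent: Dict[str, Deque[datetime]] = defaultdict(deque)
    alerted = set()
    alerts = []
    window = timedelta(seconds=window_seconds)
    for ts, ip in parse_failed_logins(lines):
        q = recent[ip]
        q.append(ts)
        while q and ts - q[0] > window:      # drop failures outside the window
            q.popleft()
        if len(q) >= threshold and ip not in alerted:
            alerted.add(ip)
            alerts.append({"ip": ip, "count": len(q), "first": q[0], "last": ts})
    return alerts


if __name__ == "__main__":
    for a in find_bruteforce(SAMPLE_LOG):
        print(f"ALERT {a['ip']}: {a['count']} failed logins between {a['first']} and {a['last']}")
```

Tune `threshold` and `window_seconds` to your household: too tight and a forgotten password pages you, too loose and a slow probe hides below it, which is why the sample includes a ten-minute drip that the default 5-in-300s rule correctly stays quiet on. Home Assistant's `http` integration can also ban an address outright after repeated failures via its `ip_ban_enabled` and `login_attempts_threshold` options; the alert above is what tells you the ban fired and where the attempts came from.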

Frequently Asked Questions

Is it safe to access Home Assistant remotely?

Yes, if you avoid direct port-forwarding. Use a VPN like Tailscale or WireGuard, a reverse proxy with TLS, or the official Nabu Casa Cloud. All three give encrypted remote access without exposing port 8123 to the internet, which is the setup that attracts automated attacks within hours.

Does Home Assistant support two-factor authentication?

Yes. Home Assistant has built-in TOTP multi-factor authentication, compatible with apps like Authy and Google Authenticator. Enable it per user under profile settings. It's the single highest-value security step and blocks nearly all password-only attacks, so turn it on for every account before anything else.

How often should I back up Home Assistant?

Nightly, automated, and encrypted, with a copy stored off the device. Home Assistant's built-in backups can be scheduled and uploaded to cloud storage through an add-on. Always take a fresh backup before applying core or OS updates, since that's when a restore is most likely to be needed.

Do I need a separate network for smart home devices?

It's strongly recommended once you run cameras or locks. A separate VLAN or guest network keeps poorly secured IoT devices away from your computers and contains any breach. It's not strictly required for a couple of bulbs, but it's one of the highest-value steps for a serious setup.

Your Home Assistant Hardening Checklist

Work through these in order and your instance goes from soft target to genuinely hardened:

  • Enable TOTP two-factor authentication on every account.
  • Remove direct port-forwarding; use a VPN, reverse proxy, or Nabu Casa.
  • Apply core, OS, and add-on updates on a deliberate schedule, after a backup.
  • Schedule nightly encrypted backups stored off the device.
  • Vet every add-on and HACS integration before installing.
  • Segment IoT devices onto their own VLAN or guest network.

Security isn't a one-time switch; it's a posture you maintain. But the steps above are mostly set-and-forget, and they move you past the mistakes that actually get people compromised. The exposed port is the one that bites hardest, so if you do nothing else today, close it and put a VPN in front. Building out the rest of your system? Our best smart home hub guide covers the controller decisions that sit underneath all of this.