"Never use public WiFi" — you have probably heard this a hundred times. Coffee shops, airports, hotels. The anxiety of wondering "is this safe?" every time you connect gets exhausting.
Here is the truth: public WiFi in 2026 is significantly safer than it used to be. But not all risks have disappeared. This article breaks down what has changed, what threats remain, and the concrete steps to protect yourself.
Public WiFi Is Safer Than It Used to Be
Let us start with facts. As of 2026, around 90% of web traffic is encrypted with HTTPS. This is a completely different landscape from a decade ago.
Attacks Neutralized by HTTPS
The most feared public WiFi attack was the Man-in-the-Middle (MITM) attack. An attacker positions themselves between you and the router, intercepting all traffic. In the HTTP era, passwords and credit card numbers traveled in plain text — anyone sniffing WiFi packets could read everything.
Now HTTPS is the default. Communication between your browser and the server is encrypted with TLS, so even if someone intercepts the traffic, they cannot read the contents.
HSTS (HTTP Strict Transport Security) has further reduced the effectiveness of SSL Stripping attacks, which tried to downgrade HTTPS connections to HTTP. Google, Amazon, banking sites — all major services enforce HSTS.
So "Public WiFi = Instant Danger" Is Outdated
For normal web browsing, the risk of having your data stolen on public WiFi is low. "Connecting to free WiFi will get your passwords stolen" was true in the HTTP era, not today.
Two Threats That Still Work
HTTPS neutralized many attacks, but two remain effective in 2026.
1. Evil Twin Attacks
An attacker sets up a fake WiFi access point with the exact same name as the legitimate one. If a cafe's WiFi is called "CafeWiFi_Free," the attacker creates an identical SSID. Your device connects to whichever signal is stronger.
Once connected to the fake WiFi, the attacker controls all your DNS requests. They know every site you try to visit. HTTPS still protects the content of your communications, but where you are going is fully exposed.
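A defender's view of the same problem, as an added example that is not part of the original article: several access points sharing one SSID is normal on large networks, so detection has to look for access points that disagree with each other. The scan data, its comma-separated format, and the function names are constructed for illustration, and the indicators are heuristics rather than proof.

```python
from collections import defaultdict

# Constructed scan results (not real captures): SSID, BSSID, channel, security
SAMPLE_SCAN = """\
CafeWiFi_Free,00:1a:2b:10:22:01,6,WPA2
CafeWiFi_Free,00:1a:2b:10:22:02,11,WPA2
Airport_Free,00:11:22:aa:bb:01,1,WPA2
Airport_Free,00:11:22:aa:bb:02,6,WPA2
Airport_Free,de:ad:be:ef:00:01,6,OPEN
HotelGuest,00:44:55:01:02:03,36,OPEN
"""

def parse_scan(text):
    """Turn 'ssid,bssid,channel,security' lines into dicts."""
    rows = []
    for line in text.strip().splitlines():
        ssid, bssid, chan, sec = (f.strip() for f in line.split(","))
        rows.append({"ssid": ssid, "bssid": bssid.lower(),
                     "channel": int(chan), "security": sec.upper()})
    return rows

def is_locally_administered(bssid):
    # Bit 0x02 of the first octet marks a software-assigned MAC address
    return bool(int(bssid.split(":")[0], 16) & 0x02)

def evil_twin_indicators(rows):
    """Return {ssid: [reasons]} for SSIDs whose access points disagree."""
    by_ssid = defaultdict(list)
    for r in rows:
        by_ssid[r["ssid"]].append(r)
    findings = {}
    for ssid, aps in by_ssid.items():
        if len(aps) < 2:
            continue  # a single AP gives nothing to compare against
        reasons = []
        if len({ap["security"] for ap in aps}) > 1:
            reasons.append("mixed security settings")
        if len({ap["bssid"][:8] for ap in aps}) > 1:
            reasons.append("different hardware vendors (OUI)")
        if any(is_locally_administered(ap["bssid"]) for ap in aps):
            reasons.append("software-assigned BSSID")
        if reasons:
            findings[ssid] = reasons
    return findings

if __name__ == "__main__":
    for ssid, reasons in evil_twin_indicators(parse_scan(SAMPLE_SCAN)).items():
        print(f"{ssid}: {', '.join(reasons)}")
```

Legitimate deployments can trip any single indicator (mixed hardware, or virtual SSIDs with software-assigned addresses), so a finding is a reason to ask staff which network is real, not a verdict.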
2. Fake Captive Portals
When you connect to public WiFi, you often see a login page asking you to accept terms of service. That is a captive portal.
Combined with an Evil Twin attack, this page can be faked. "Sign in with your Google account to use this WiFi" — a convincing fake login page that harvests your email and password. Since real captive portals exist on legitimate WiFi networks, users enter their credentials without suspicion.
Real-World Arrests You Should Know About
These are not theoretical risks. People have been arrested and sentenced.
Australian Airport Evil Twin Case (2024)
A 44-year-old man from Western Australia set up fake WiFi networks at Perth, Melbourne, and Adelaide airports, as well as on domestic flights, using a portable wireless device. Passengers who connected were redirected to fake login pages that harvested email and social media credentials. In November 2025, he was sentenced to 7 years and 4 months in prison.
He targeted airports and planes — places where people desperately want WiFi. All he needed was an SSID matching the legitimate network name.
UK Train Station WiFi Hack (2024)
Free WiFi at 19 major UK railway stations operated by Network Rail (including London Euston and Manchester Piccadilly) was compromised. Users were redirected to malicious pages displaying Islamophobic messages referencing past terror attacks. The attack was an insider job at the WiFi management company.
This case shows that even the WiFi operator itself can be a risk vector.
Five Things You Can Do Without a VPN
You can significantly reduce your risk without a VPN. Start with these settings.
1. Disable Auto-Connect for WiFi
Turn off the feature that automatically connects to previously joined networks. Evil Twin attacks exploit auto-connect, so disabling it alone makes a big difference.
- iOS: Settings → WiFi → tap the network → toggle "Auto-Join" OFF
- Android: Settings → Network → WiFi → Saved networks → disable auto-connect
- Windows 11: Settings → Network → WiFi → Manage known networks → toggle "Connect automatically" OFF for each network
- macOS: System Settings → WiFi → toggle "Ask to join networks" ON
2. Enable HTTPS-Only Mode
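With this mode enabled, your browser blocks or warns about non-HTTPS pages. If a fake captive portal runs on HTTP, you will get a warning. A fake portal served over HTTPS on its own domain will not trigger this warning, so still check the address bar before typing credentials.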
- Chrome: Settings → Privacy and Security → Security → "Always use secure connections" ON
- Firefox: Settings → Privacy & Security → "HTTPS-Only Mode" → "Enable in all windows"
3. Enable DNS over HTTPS (DoH)
Encrypting DNS requests prevents leaking which sites you visit.
- Chrome: Settings → Privacy and Security → Security → "Use secure DNS" → select Cloudflare (1.1.1.1)
- Android 9+: Settings → Network → Private DNS → enter one.one.one.one
4. Verify the SSID Name
Before connecting, ask the staff for the exact network name. If you see both "CafeWiFi" and "CafeWiFi_Free," ask which one is real. Simple but effective.
5. Enable Two-Factor Authentication (2FA)
Even if your password leaks, 2FA protects your account. Set it up on Google, GitHub, AWS — every important service. A password manager also helps detect phishing because it will not auto-fill on a fake domain. NordPass is a solid option for this.
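Why a password manager stays silent on a fake captive portal, as an added example that is not part of the original article: it compares the page's exact origin with the saved one, while a person tends to check whether a familiar name appears somewhere in the URL. This is a simplified model, not NordPass's or any other product's actual logic; `portal.example` and the function names are placeholders.

```python
from urllib.parse import urlsplit

def origin(url):
    """Return (scheme, host, port) with default ports filled in."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").rstrip(".")
    port = parts.port or {"https": 443, "http": 80}.get(scheme)
    return scheme, host, port

def naive_match(saved_url, page_url):
    # Weak check: "does the saved host appear anywhere in the page URL?"
    return origin(saved_url)[1] in page_url

def should_autofill(saved_url, page_url):
    """Fill only on HTTPS pages whose origin equals the saved one exactly."""
    saved, page = origin(saved_url), origin(page_url)
    return page[0] == "https" and saved == page

SAVED = "https://accounts.google.com/"
# Constructed page URLs; portal.example is a placeholder domain
PAGES = [
    "https://accounts.google.com/signin",                 # the real origin
    "http://accounts.google.com/signin",                  # plain HTTP
    "https://accounts.google.com.portal.example/signin",  # name used as a subdomain
    "https://accounts.google.com@portal.example/signin",  # name in the userinfo part
    "https://portal.example/accounts.google.com/signin",  # name in the path
]

def compare(pages=PAGES):
    """Return (naive_match, should_autofill) for each page URL."""
    return [(naive_match(SAVED, p), should_autofill(SAVED, p)) for p in pages]

if __name__ == "__main__":
    for url, (naive, strict) in zip(PAGES, compare()):
        print(f"naive={naive!s:5} strict={strict!s:5} {url}")
```

The naive check accepts all five URLs; the strict origin comparison fills credentials only on the first.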
What Only a VPN Can Protect You From
The steps above handle most risks. But some scenarios require a VPN.
If you connect to an Evil Twin. Once you are on a fake network, the attacker sees all your DNS requests. Even with DoH enabled, the attacker may override your DNS settings through the fake network's DHCP. With a VPN, all traffic goes through an encrypted tunnel — the attacker sees nothing but encrypted data.
If you want to hide connection metadata. HTTPS encrypts content, but the ISP or WiFi operator can still see which domains you visit. A VPN hides this metadata.
If you handle sensitive data for work. Accessing internal company systems over public WiFi without a VPN is a risk most security policies will not tolerate. Even without a corporate VPN, a personal VPN encrypts the connection as a baseline defense.
In short, a VPN is the only way to guarantee safety in the worst case.
Why NordVPN
There are many VPNs, but three things make NordVPN the best fit for public WiFi protection.
1. Auto WiFi protection. NordVPN can automatically activate when you connect to an untrusted WiFi network. No manual toggling — the moment you join a cafe's WiFi, the VPN turns on. This is the most important feature for public WiFi safety because the biggest risk is forgetting to enable it.
2. Threat Protection Pro. NordVPN Threat Protection Pro blocks malicious sites, ads, and trackers automatically. A fake captive portal may be flagged as a phishing site, adding another layer of defense.
3. NordLynx speed. Public WiFi is already slow. Legacy VPN protocols make it worse. NordLynx (based on WireGuard) minimizes speed loss to the point where you forget the VPN is on.
Wrapping Up
| Threat | Without VPN | With VPN |
|---|---|---|
| MITM (traffic sniffing) | Mostly safe thanks to HTTPS | Fully prevented |
| Evil Twin | Reduced by disabling auto-connect | Fully prevented |
| Fake captive portal | HTTPS-Only mode warns you | Fully prevented |
| DNS request leaks | DoH encrypts requests | Fully prevented |
| Metadata leaks | No mitigation | Fully prevented |
Public WiFi is no longer a "never use it" situation. Enabling HTTPS-Only mode, DoH, and disabling WiFi auto-connect will handle most everyday risks.
But Evil Twin attacks cannot be fully prevented without a VPN. If you use public WiFi regularly, setting up NordVPN's auto WiFi protection is the simplest and most reliable defense. Configure it once, and you never have to think about it again.