When the internet was in its infancy and home networks were complicated things to set up correctly, every device on your network had a public-facing IP address. This made things easy for game servers, FTP servers, and other services that you might want to use. This was fine, mostly, but it did mean that your devices were exposed to the wider internet and also that IPv4 addresses were going to run out unless something was done.

This led to the invention of Network Address Translation (NAT), which essentially makes your home network devices look like they have static IPs to services on the internet when you really only have one IPv4 address, that of your router. But it was still a pain to set up, so UPnP (Universal Plug and Play) came along to sort out the messy networking discovery parts for you.

Zero-configuration is good for the user until it becomes a problem, and manufacturers of Wi-Fi routers have created one by letting UPnP work at the WAN level. When it was first designed, UPnP was supposed to stay on your home network, which would have kept you safe. But with WAN access, devices can be plugged into your home network and open ports straight to the internet without your approval or knowledge. While some older services and gaming consoles need it enabled for multiplayer, it's (mostly) safer to turn it off.

4 It's a security nightmare (even if it's cool)

Router manufacturers enable UPnP by default because it makes their life easier

Universal Plug and Play (UPnP) is a fantastic feature, in theory. The ability to have your network-attached devices find each other, and the remote servers they might need for essential data, is a modern marvel. It combines TCP/IP, HTTP, XML, and SOAP to automatically open and shut ports through your router and firewall so that devices can directly communicate. This helps everything from IoT devices to smart speakers, streaming services, and game servers connect and get data with zero input needed by the user.

That zero-setup process is also its biggest weakness, because there are no checks and balances to stop malicious devices or software from using UPnP to open any ports they need, then using your home network to send out your data or combine your devices into a botnet for attacking servers. It doesn't use any authentication at all, which would be fine if it only dealt with devices inside your LAN, but many routers expose UPnP to the WAN side, and that spells trouble.
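To make the missing authentication concrete, here is an added example (not from the original article) that parses the kind of SOAP `AddPortMapping` request a device sends to a router's UPnP service and lists what a defender reviewing such requests should question. The sample request, the addresses in it, and the `SENSITIVE_PORTS` watch list are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the SOAP body a LAN device POSTs to the router's UPnP
# control URL to request a port forward. Note there is no credential field.
SAMPLE_REQUEST = """<?xml version="1.0"?>
<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"
            s:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">
  <s:Body>
    <u:AddPortMapping xmlns:u="urn:schemas-upnp-org:service:WANIPConnection:1">
      <NewRemoteHost></NewRemoteHost>
      <NewExternalPort>2323</NewExternalPort>
      <NewProtocol>TCP</NewProtocol>
      <NewInternalPort>23</NewInternalPort>
      <NewInternalClient>192.168.1.50</NewInternalClient>
      <NewEnabled>1</NewEnabled>
      <NewPortMappingDescription>camera</NewPortMappingDescription>
      <NewLeaseDuration>0</NewLeaseDuration>
    </u:AddPortMapping>
  </s:Body>
</s:Envelope>"""

SOAP_BODY = "{http://schemas.xmlsoap.org/soap/envelope/}Body"
SENSITIVE_PORTS = {22, 23, 445, 3389}  # assumed watch list, adjust to taste


def parse_add_port_mapping(soap_xml):
    """Return the AddPortMapping arguments as a dict of strings."""
    body = ET.fromstring(soap_xml).find(SOAP_BODY)
    action = body[0]  # first child of Body is the action element
    if not action.tag.endswith("}AddPortMapping"):
        raise ValueError("not an AddPortMapping request")
    return {arg.tag: (arg.text or "") for arg in action}


def review_mapping(args, requester_ip):
    """Flag properties of a mapping request that a defender should question."""
    findings = []
    if args["NewInternalClient"] != requester_ip:
        findings.append("forwards to a host other than the requester")
    if not args["NewRemoteHost"]:
        findings.append("open to any internet source address")
    if args["NewLeaseDuration"] == "0":
        findings.append("lease never expires")
    if int(args["NewInternalPort"]) in SENSITIVE_PORTS:
        findings.append("exposes a sensitive internal port")
    return findings
```

Every field in the request is chosen by the requesting device, so the router has nothing to verify except, at most, the source address of the connection.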

Turn it off, and it'll make your home network safer. You might notice one or two devices or services have issues afterward, and it's fairly simple to do some port forwards for those individual things instead of letting your whole network get controlled by whatever.

3 No control over what's opening ports

This is fine if you trust the devices, but what if it's an IoT device, or one gets infected with malware?