How to secure your home WiFi connection

2

Like many others I have a WiFi router which all my devices (XBOX, Smartphones, Laptop etc.) use to access the internet. Now I am looking at securing my connection to prevent any unauthorized access.

What is the best way to do this?

Currently I use WPA2+password.

Apache Fan

Posted 2011-05-02T10:36:29.963

Reputation: 173

Answers

2

I can either copy my entire Super User blog post, or just post a link to it. Read my answer here: http://blog.superuser.com/2011/03/28/iron-cladding-your-wi-fi-network/

Happy reading!

BloodPhilia

Posted 2011-05-02T10:36:29.963

Reputation: 27 374

3

WPA2 is fine - the password needs to be secure enough (see here).

You can also enable the MAC Filter, which adds security against non-hackers who don't know about sniffing.

You should also check that the router is running the manufacturer's latest firmware.

If the router in question doesn't seem secure enough, you might look into upgrading the firmware to DD-WRT/Tomato/OpenWRT (if possible).

harrymc

Posted 2011-05-02T10:36:29.963

Reputation: 306 093

1

You are quite safe with WPA2 Personal. It is not uncrackable, but if you select a strong and long pass-phrase, you're immune to dictionary attacks.

You could also hide your AP's SSID but that would only deter people with little knowledge and no toolset. If you are always connected, the association datagrams will only be exchanged so infrequently that this can be an efficient line of defence nonetheless.

Alain Pannetier

Posted 2011-05-02T10:36:29.963

Reputation: 722

1

Cut-and-paste from a similar topic on the IT Security StackExchange:

  • Use WPA2 with AES encryption. This is also commonly referred to as WPA2-CCMP or WPA2-RSNA. For a home network, you'll likely be using the "Personal" or "PSK" option for this, which may be called "WPA2-Personal" or "WPA2-PSK". If your network is a bit more advanced, and you know how to build a RADIUS server, you'll likely be looking for "WPA2-Enterprise".
  • Use a RADIUS server if you can, for authentication. This is for very advanced users only, though.
  • Create strong passwords:

    • 12 characters or more
    • Use all character types (uppercase, lowercase, numeric, non-alphanumeric)
    • Do not use any dictionary words
    • Do not make passwords related or similar to:
      • User IDs
      • Network's SSID
      • Any device hostnames
      • Each other (no two user passwords should be similar, and admin accounts should not have passwords similar to any user accounts)
  • If you must use a PSK, make it as strong as you can tolerate. Absolute minimum would be to follow the password guidelines above. My personal preference is a 63-character, randomly-generated code.

  • Configure MAC address filtering on your AP. While this is a relatively minor roadblock, it's also a relatively painless one. The only time this becomes a hassle is when you want to join a new device to the network for the first time, or if you do a factory reset of the router after having accumulated a large list of guest devices.
  • If it is an option, configure your router's management interface to use HTTPS only.
  • If it is an option, disallow access to the router's management interface over wireless connections. This way, only someone who is physically wired into the router can make configuration changes.
  • Turn off wireless devices (including your AP) when they are not in use. This will limit the availability of your SSID, authorized MAC address, and sample packets (for offline brute-force attacks) to potential attackers - the only inaudible signal is one that isn't there.
  • Use HTTPS wherever it is available. This will add another layer of encryption onto your data transmissions, making your already nearly-impossible-to-crack signal that much more impossible-to-crack.
  • Use a VPN service while on wireless. This will add yet another layer of encryption onto your data transmissions, making your already impossible-to-crack signal require God-like powers to break.

Iszi

Posted 2011-05-02T10:36:29.963

Reputation: 11 686
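
The password guidelines and the 63-character random PSK from the answer above, as an added Python example that is not part of the original answers. The SSID, hostname, user ID and the small word list are constructed placeholders; substitute your own names and a real dictionary file.

```python
import secrets
import string

# WPA2-Personal passphrases are 8 to 63 printable ASCII characters.
PSK_ALPHABET = string.ascii_letters + string.digits + string.punctuation
# Constructed stand-in for a real dictionary file; replace with your own wordlist.
SAMPLE_WORDS = {"password", "summer", "dragon", "letmein", "welcome", "wireless"}


def check_psk(psk, related_names=(), words=SAMPLE_WORDS, min_len=12):
    """Return the list of guidelines from the answer that `psk` violates."""
    problems = []
    if not all(32 <= ord(c) <= 126 for c in psk) or not 8 <= len(psk) <= 63:
        problems.append("not a valid WPA2 passphrase (8-63 printable ASCII)")
    if len(psk) < min_len:
        problems.append("shorter than 12 characters")
    classes = (string.ascii_uppercase, string.ascii_lowercase,
               string.digits, string.punctuation)
    if not all(any(c in cls for c in psk) for cls in classes):
        problems.append("does not use all four character types")
    lowered = psk.lower()
    if any(w in lowered for w in words):
        problems.append("contains a dictionary word")
    # SSID, hostnames and user IDs: reject if either string contains the other.
    for name in related_names:
        n = name.lower()
        if n and (n in lowered or lowered in n):
            problems.append(f"related to {name!r}")
    return problems


def generate_psk(length=63, related_names=()):
    """Draw a random PSK from the OS CSPRNG until it passes every check."""
    while True:
        psk = "".join(secrets.choice(PSK_ALPHABET) for _ in range(length))
        if not check_psk(psk, related_names):
            return psk


if __name__ == "__main__":
    names = ["HomeNet", "livingroom-ap", "alice"]  # constructed SSID, hostname, user ID
    print(check_psk("HomeNet2011", names))
    print(generate_psk(related_names=names))
```

Keep `length` at 12 or more when calling `generate_psk`, since shorter candidates can never pass the length check.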