with a passphrase of at least 8 characters
8
RANDOM characters
(to include minimum one of each type : lowercase, uppercase,number,special char)
Not much point telling him to switch from WEP if he's still going to expose himself to a simple dictionary attack.
Also if using WPA, because it's used as part of the cryptographic process, you would be wise to disable SSID broadcast and change the default SSID, preferably to something non-obvious.
(one of many useful places you can find 8 random characters....
https://www.grc.com/passwords.htm)