Enabling MAC address filtering/restriction is the ultimate security measure, equivalent to putting a fingerprint scanner on your front door. You ultimately have control over who can and cannot access your router.
Granted, one can spoof a MAC address much like someone could cut off you finger and use it to get into your house or use something like out of a movie with a fake fingerprint, but hiding the SSID, MAC filtering, WPA2 with AES, and AP isolation (if you know how to use it) make your network as secure as most you will find.
If you have the resources, investing in a server running RADIUS or some other type of VLAN routing table software add further levels of abstraction to your network security.
Granted, one can spoof a MAC address much like someone could cut off you finger and use it to get into your house or use something like out of a movie with a fake fingerprint,
Oh my dear Lord... no. PLEASE don't pass on this information anymore. MAC address filtering isn't even a good security measure, much less anything approaching "the ultimate." And while I can only imagine the logistics involved in securing a finger and using it before said owner of the finger complains or turns up missing, overcoming a MAC filter is as simple as capturing the MAC address from the air and setting it on the device you wish to access the network. I can do that here from my desk, no movies effects, bolt cuttters or bloody appendages involved.
WPA2 with AES
This on the other hand is the good advice.