Skip to main content
Security is often overlooked until it is too late. Here is how to armor your Minecraft server.

1. Exploit Protection (Crash)

Modified clients can send corrupt packets to crash the server.
  • Use PaperMC or Purpur: They have built-in security patches that the vanilla server does not have.
  • Do not give OP to anyone: Not even “as a joke”. OP has access to everything. Use a permission plugin like LuckPerms to give only necessary commands.

2. Auth Protection (For SP/Cracked servers)

If your server is in online-mode=false:
  1. Install AuthMeReloaded or a similar plugin.
  2. Configure protection against mass bot registrations.
  3. IMPORTANT: Prevent players from using commands before login (configure allowCommands: false in AuthMe config).

3. Network and Proxy Protection

If you use BungeeCord or Velocity:
  • Make sure to set up a firewall (like IPWhitelist or configuring iptables) so that players can connect ONLY via the proxy and not directly to backend servers (Spigot/Paper).
  • If you don’t do this, hackers can bypass login by entering directly into the backend server with an admin name!
  • Configure bungeecord: true in spigot.yml and enable IP forwarding in the proxy.

4. Anti-DDoS

Minecraft servers are often targets of DDoS attacks.
  • TCPShield or NeoProtect: Proxy services that filter traffic and hide your server’s true IP.
  • Cloudflare: Protect your website and, if possible, use their services for DNS.

5. Backup, Backup, Backup!

No protection is 100% foolproof.
  • Install an automatic backup plugin (e.g., DriveBackupV2) that saves data to Google Drive or other clouds.
  • Make regular backups before every major change.

6. Whitelist

For private servers among friends, the Whitelist is the best protection.
  • Activate it with /whitelist on.
  • Add players with /whitelist add <name>.
  • No one will be able to join if they are not on the list.
Guide created by HighMark - All information and contacts on my official website: Highmark.it