How to Secure Your Minecraft Server?
You upload your files, start the server, and just want to play. Unfortunately, there are organized groups and automated bots on the web constantly scanning IP addresses for easy targets. They exploit the lack of basic security, log into accounts with high permissions, and destroy servers.
After a successful attack, the perpetrators often leave a message offering to restore the map for a ransom or demanding you do something, like record a specific video. Do not agree to this under any circumstances. If you don't have a backup, you will have to start everything from scratch.
What is a DDoS attack and what are we responsible for?
A DDoS attack involves artificially generating massive network traffic from thousands of different devices. Imagine a million people suddenly trying to enter a small shop at once. The shop gets blocked, and no one can make a purchase.
We take this problem off your shoulders. We provide advanced Anti-DDoS protection that filters out fake traffic before it even reaches your server. However, you need to know that our shield protects the network infrastructure. Everything else, meaning configuring the game itself and blocking unwanted players, is entirely on your side.
The Most Effective Protection
The best and simplest way to cut yourself off from most attacks is to only let verified people with a genuine copy of the game onto the server.
To do this, open the server.properties file and set these two values:
- online-mode=true
- white-list=true
This way, only players with authorized Mojang accounts can join, provided you approve them first using the whitelist add nick command, where nick is the player's name.
What if you have to use online-mode=false?
We get it, sometimes friends want to play on non-premium accounts. By setting online-mode=false, you disable official verification. This leaves your server highly vulnerable to attacks. Anyone can log in under your nickname and take over your operator permissions.
If you have to go this route, drop the following tools into your plugins/ folder:
- Player Authentication: Install a login plugin like LibreLoginProd or AuthME. Every player will have to set up a password upon their first entry.
- Bot Filtering: Attackers can flood the server with hundreds of fake accounts in seconds to overload the CPU. Use the Sonar plugin, which will quickly block this.
- Reverting Damage: Install the CoreProtect plugin (anti-griefing). This tool logs every broken and placed block. Even if someone ruins your map, it takes just one command to restore a specific area to its pre-attack state.
Exploit Protection (Crashing)
Even with good login security, a player using a modified game client might join the server. These players often use exploits by sending corrupted network packets to intentionally lag or completely crash the server.
If you see someone messing around like this, a great solution is installing the LPX (LimitPacketExploit) plugin. It is a powerful tool that works in the background and filters player packets. If LPX detects someone sending an unnatural amount of data or trying to exploit game vulnerabilities, it will automatically block those packets and kick the intruder from the server before anything breaks.
Mods and Security
If your server runs on modded engines and you only have a few basic mods installed or none at all, consider switching to standard plugin-supporting engines (like PaperMC). Securing a pure modded server in non-premium mode is very difficult. Alternatively, opt for ready-made, verified, and large modpacks, which often come with built-in security patches.
Backups
A backup is the only sure guarantee that your hard work will not go to waste. Set up daily, automatic saves of your entire server. You can do this in our panel by going to the Schedule tab. In case of any failure or a successful attack, you recover all files from the previous day. You can find a detailed guide and more information on this topic here.
What to watch out for?
The most common mistake that leads to the immediate destruction of map files and a server crash is recklessly granting operator permissions using the /op command. If you play on a non-premium server without a well-configured authentication plugin (like AuthME) and leave OP permissions for yourself or a friend, you are literally handing the attackers the keys to your server. Someone just logs in using your nickname, is never asked for a password, and uses admin commands to wipe the world in a fraction of a second. Instead of using /op, always configure permissions using a rank manager, such as the LuckPerms plugin.
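To check a server folder against the server.properties settings, the non-premium plugin list, and the /op warning above, here is an added example script (not part of the original guide or any plugin's own code). It assumes plugin jars can be recognized by a substring of their file name and that ops.json sits in the server root; the function names are illustrative.

```python
import json
import tempfile
from pathlib import Path

# Substrings matched against jar file names in plugins/ (assumed naming).
AUTH_PLUGINS = ("authme", "librelogin")
EXTRA_PLUGINS = {"sonar": "bot filtering", "coreprotect": "block logging and rollback"}

def read_properties(path):
    """Parse key=value lines of server.properties, skipping comment lines."""
    props = {}
    for line in Path(path).read_text(encoding="utf-8").splitlines():
        if "=" in line and not line.lstrip().startswith("#"):
            key, value = line.split("=", 1)
            props[key.strip()] = value.strip().lower()
    return props

def audit(server_dir):
    """Return findings for the settings and plugins this guide covers."""
    root = Path(server_dir)
    props = read_properties(root / "server.properties")
    findings = []
    if props.get("white-list", "false") != "true":
        findings.append("white-list is not true: unapproved players can join")
    if props.get("online-mode", "true") == "true":
        return findings  # account verification is on; remaining checks do not apply
    findings.append("online-mode=false: nicknames are not verified")
    jars = [p.name.lower() for p in (root / "plugins").glob("*.jar")]
    if not any(name in jar for jar in jars for name in AUTH_PLUGINS):
        findings.append("no login plugin (AuthMe/LibreLogin) found in plugins/")
    for name, purpose in EXTRA_PLUGINS.items():
        if not any(name in jar for jar in jars):
            findings.append(f"{name} not found in plugins/ ({purpose})")
    ops_file = root / "ops.json"
    ops = json.loads(ops_file.read_text(encoding="utf-8")) if ops_file.exists() else []
    for op in ops:
        findings.append(f"operator '{op.get('name')}' in ops.json on a non-premium server")
    return findings

if __name__ == "__main__":
    # Constructed sample: a non-premium server with one operator and no plugins.
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "plugins").mkdir()
        (root / "server.properties").write_text("online-mode=false\nwhite-list=false\n")
        (root / "ops.json").write_text(json.dumps([{"name": "Steve", "level": 4}]))
        for finding in audit(root):
            print("[!]", finding)
```

Point audit() at your real server directory to get the same list of findings for your own configuration.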