
Minecraft Server Security: How to Protect Against Griefers, Hackers, and DDoS

A complete guide to securing your Minecraft server from griefers, hackers, DDoS attacks, and exploits. Covers WorldGuard, anti-cheat, authentication, backups, and more.


Running a Minecraft server is rewarding, but it comes with real responsibilities. The moment your server goes public, it becomes a target. Griefers want to tear down what your community built. Script kiddies run automated exploits. Competitors might launch DDoS attacks to knock you offline. And on cracked servers, fake accounts are a constant headache.

The good news is that protecting your server is achievable with the right tools and configuration. This guide walks through every layer of Minecraft server security, from basic plugin setup to network-level DDoS mitigation. By the end, you will have a clear action plan to harden your server against the most common threats.


1. Understanding the Threats

Before diving into solutions, it helps to know what you are protecting against.

Griefers are players who deliberately destroy builds, steal items, or flood chat. Some are opportunistic, others are organized. They exploit permission gaps or holes in world protection, or simply earn an admin's trust before revealing their intent.

Hackers and cheaters use modified clients to gain unfair advantages. Common cheats include killaura (auto-attacking nearby players), fly hacks, speed hacks, X-ray texture packs (not a client mod, but still effective), and reach hacks. Some also use exploit bots that spam packet-level vulnerabilities.

DDoS (Distributed Denial of Service) attacks flood your server’s IP with traffic from thousands of machines simultaneously. The goal is to saturate your bandwidth or exhaust your server’s connection handling capacity until legitimate players cannot connect. DDoS attacks are more common than many server owners expect, especially on competitive servers.

Bot attacks involve waves of fake accounts connecting rapidly to spam chat, crash the server with unusual packets, or farm resources. These often accompany DDoS campaigns.

Exploits are bugs in Minecraft itself, in plugins, or in the Java runtime that attackers use to crash your server, execute arbitrary code, or duplicate items. Log4Shell in 2021 was a high-profile example that affected many Minecraft servers.


2. Anti-Griefing Setup

WorldGuard Regions

WorldGuard is the foundational anti-griefing plugin for Bukkit, Spigot, and Paper servers. It lets you define protected regions where only authorized players can build or interact.

Install WorldEdit first, then WorldGuard. To protect your spawn area:

//wand
# Select your region with left and right click
/region define spawn
/region flag spawn build deny
/region flag spawn use deny
/region addmember spawn <playername>

For a full server-wide build protection with exceptions:

/region flag __global__ build deny
/region define trusted_zone
/region addmember trusted_zone <playername>

Key flags worth setting globally:

/region flag __global__ pvp deny
/region flag __global__ tnt deny
/region flag __global__ mob-damage deny

CoreProtect for Rollbacks

CoreProtect logs every block placement, block break, chest interaction, and entity kill on your server. When griefing happens, you can roll back damage to any point in time.

After installing CoreProtect, the key commands are:

/co inspect           # Click a block to see its history
/co rollback u:<username> t:1h r:50    # Roll back a player's actions within 1 hour, 50 block radius
/co restore u:<username> t:1h r:50     # Re-apply those changes if needed

Set the database to MySQL rather than SQLite for large servers. The performance difference is significant once logs grow past a few million entries.

Claim Plugins

For survival servers, give players the ability to protect their own land with GriefPrevention or Lands:

  • GriefPrevention is battle-tested and lightweight. New players automatically get a claim shovel and protection starts immediately.
  • Lands offers a more modern UI with a web map, nations system, and chunk claiming.

For GriefPrevention, increase the default claim blocks new players receive to reduce friction:

# config.yml
claims:
  initialClaimBlocks: 500
  maxClaimBlocks: 10000
  claimBlocksEarnedOnKill: 0

3. Anti-Cheat Configuration

Choosing an Anti-Cheat Plugin

The most effective anti-cheat plugins for Paper and Spigot in 2026 are:

  • Grim Anti-Cheat (open source, highly accurate, simulation-based detection)
  • Spartan (paid, good detection breadth, easy config)
  • NoCheatPlus (older but still functional for basic checks)

Grim is recommended for most servers because it simulates player movement server-side to catch impossible movements rather than using heuristics. It has lower false positive rates than older plugins.

Reducing False Positives

False positives (flagging legitimate players) are the biggest complaint with anti-cheat. Mitigate them by:

  1. Setting violation thresholds conservatively. Do not auto-ban, auto-kick instead.
  2. Whitelisting staff accounts.
  3. Tuning ping-sensitive checks. Players with 200ms+ ping need looser thresholds.
  4. Reviewing /grim alerts before taking action rather than automating punishment.

A good grim/config.yml starting point for the movement checks:

checks:
  movement:
    speed:
      enabled: true
      maxVL: 10
      punishmentActions:
        - "warn %player% is moving abnormally"
    fly:
      enabled: true
      maxVL: 5
      punishmentActions:
        - "kick %player% Flying is not allowed"

4. Whitelist and Authentication

Online Mode

In server.properties, always keep:

online-mode=true

This forces Mojang authentication for every connecting player. If someone tries to join with a cracked client or a fake account using another player’s username, the session check fails and they are rejected. This single setting prevents almost all username spoofing.

AuthMe for Offline/Cracked Servers

If you run an offline-mode server (for cracked clients), you must run an authentication plugin. Without it, anyone can join as any username, including your own admin account.

AuthMe Reloaded is the standard choice. After installation:

# authme config.yml
settings:
  sessions:
    sessionTimeout: 10
  registration:
    force: true
    forceRegKick: false
  security:
    minPasswordLength: 6
    passwordHash: BCRYPT

Force players into a locked spawn area before they authenticate. AuthMe handles this automatically with its unLoggedInGroup permission feature and LuckPerms integration.


5. DDoS Protection Explained

What Is a DDoS Attack

A DDoS attack sends massive amounts of network traffic to your server’s IP address from hundreds or thousands of compromised machines. The traffic volume overwhelms your server’s network interface or the upstream connection at your data center. Players experience timeouts, lag, or complete inability to connect. The attack has nothing to do with Minecraft specifically. It targets the IP at the network layer.

How DDoS Protection Works

Proper DDoS mitigation happens at the network level, before traffic even reaches your server. Mitigation providers use:

  1. Traffic scrubbing - Incoming packets are routed through a filter that distinguishes legitimate Minecraft protocol packets from attack traffic.
  2. Rate limiting and blackhole routing - Abnormal traffic sources are blocked automatically.
  3. Anycast routing - Traffic is distributed across multiple data center nodes globally, diluting the attack volume.

This is why hosting provider choice is critical. A server running on a VPS with no DDoS protection will go down under even a modest attack of a few Gbps. The infrastructure behind your server matters more than almost any plugin you can install.

At CraftRift, DDoS protection is included on every plan at the network level, not as a paid add-on. The traffic scrubbing happens transparently before it reaches your Minecraft instance, so your server stays online even during active attacks.

What You Can Do at the Plugin Level

Network-level DDoS protection is handled by your host, but you can reduce the impact of smaller bot floods at the application layer:

  • Install BotSentry or TCPShield’s plugin to handle connection floods.
  • Set max-players conservatively in server.properties.
  • Set prevent-proxy-connections=true in server.properties to reject clients whose IP differs from the one Mojang's session server saw, which blocks VPN and proxy connections (aggressive, but effective against bot farms; it requires online-mode=true).

6. Server Configuration Hardening

Open server.properties and review these security-relevant settings:

# Require Mojang auth
online-mode=true

# RCON is full remote console access; leave it off unless your panel needs it
enable-rcon=false

# If you must use RCON, set a long random password and firewall the port
rcon.password=use_a_strong_random_password
rcon.port=25575

# Cap concurrent connections so a bot flood cannot exhaust the server
max-players=100
network-compression-threshold=256

# Disable the UDP query protocol if your panel does not need it
enable-query=false

# Reject clients whose IP differs from the one seen by Mojang's session server (needs online-mode=true)
prevent-proxy-connections=true

In config/paper-global.yml (Paper servers):

unsupported-settings:
  allow-permanent-block-break-exploits: false
  allow-headless-pistons: false
packet-limiter:
  all-packets:
    action: KICK
    interval: 7.0
    max-packet-rate: 500.0

The packet limiter is particularly valuable as it caps the rate at which any single connection can send packets, choking off certain types of crash exploits.
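As an added example (not from the guide), this shell function audits a server.properties file for the settings above and exits non-zero when something needs attention, so it can run from a panel schedule or before a restart. The thresholds (16-character RCON password, max-players of 200) are assumptions chosen for the example.

```shell
#!/usr/bin/env bash
# Added example, not from the guide: audit server.properties for the settings
# discussed in this section. Prints one FAIL line per problem; exit status is 0
# when clean and 1 when anything needs attention.

# prop FILE KEY -> value of KEY (last definition wins, CRLF stripped, empty if absent)
prop() {
  grep -E "^[[:space:]]*$2=" "$1" | tail -n 1 | cut -d= -f2- | tr -d '\r'
}

# audit_properties FILE -> prints findings and a count, returns 1 if any
audit_properties() {
  local f="$1" findings=0 pw mp
  fail() { echo "FAIL: $*"; findings=$((findings + 1)); }

  # Mojang authentication must be on unless an auth plugin is in place
  [ "$(prop "$f" online-mode)" = "true" ] || fail "online-mode is not true: usernames are not verified"

  # RCON is console access: either disabled, or a long non-placeholder password
  if [ "$(prop "$f" enable-rcon)" = "true" ]; then
    pw="$(prop "$f" rcon.password)"
    [ "${#pw}" -ge 16 ] || fail "enable-rcon=true with a ${#pw}-character rcon.password"
    case "$pw" in *password*|*changeme*|*minecraft*) fail "rcon.password looks like a placeholder" ;; esac
  fi

  # Query exposes server metadata over UDP and is rarely needed
  [ "$(prop "$f" enable-query)" != "true" ] || fail "enable-query=true: UDP query port is exposed"

  # An unset or very high max-players makes bot floods more expensive to absorb
  mp="$(prop "$f" max-players)"
  { [ -n "$mp" ] && [ "$mp" -le 200 ]; } 2>/dev/null || fail "max-players is unset or above 200 (${mp:-unset})"

  echo "findings: $findings"
  [ "$findings" -eq 0 ]
}

# write_sample FILE -> constructed, deliberately weak file for a stand-alone demo
write_sample() {
  printf '%s\n' 'online-mode=false' 'enable-rcon=true' 'rcon.password=password' \
    'enable-query=true' 'max-players=20' 'prevent-proxy-connections=true' > "$1"
}

if [ "${1:-}" = "--demo" ]; then
  tmp="$(mktemp -d)"; write_sample "$tmp/server.properties"
  audit_properties "$tmp/server.properties"   # prints four FAIL lines, then "findings: 4"
fi
```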


7. Permission Setup with LuckPerms

Principle of Least Privilege

Every player should have only the permissions they need to perform their role. Default players should not have any administrative permissions. Even moderators should not have server restart or console access unless absolutely necessary.

LuckPerms is the standard permission plugin for modern Minecraft servers. A clean structure looks like:

default (group)
  -> basic play permissions

member (group, inherits default)
  -> slightly expanded permissions (set home, warp, etc.)

moderator (group, inherits member)
  -> kick, mute, warn, tempban

admin (group, inherits moderator)
  -> ban, unban, manage regions

owner (group, inherits admin)
  -> full permissions

Set up groups with:

# LuckPerms creates the default group itself; only the other groups need creating
/lp creategroup moderator
/lp group moderator parent add default
/lp group moderator permission set minecraft.command.kick true
/lp group moderator permission set minecraft.command.mute true

Wildcard Permissions Are Dangerous

Never assign * or <plugin>.* to players or moderators. Review every permission node you assign. Wildcard permissions often grant unintended access, including the ability to bypass protections.

Protect Op Status

Operators bypass almost all plugin permission checks. Keep your op list to an absolute minimum. Use LuckPerms for granular control instead of op wherever possible. Audit your ops list regularly:

# Ops live in ops.json in the server root; vanilla has no list command, so read the file
cat ops.json

Remove anyone who should not be there with /deop <username>.


8. Backup Strategy

Backups are your last line of defense. When everything else fails, a clean backup means you can restore the server to a state before the damage.

Automated Plugin Backups

DriveBackupV2 is a popular plugin that automatically backs up your world files to Google Drive, OneDrive, or Dropbox on a schedule.

Configuration example:

# DriveBackupV2/config.yml
backup-list:
  googledrive:
    enabled: true
    keep-count: 10
    local-save-directory: DriveBackupV2
    cron: "0 */6 * * *"   # Every 6 hours
    googledrive:
      directory: "MinecraftBackups"

Panel-Level Backups

If your hosting panel supports scheduled backups (Pterodactyl does), configure server-level snapshots independently of plugin backups. CraftRift’s Pterodactyl panel gives you full access to configure scheduled tasks, so you can set up both automated world backups and server file snapshots directly from the panel without needing SSH access.

What to Back Up

  • World folders (world, world_nether, world_the_end)
  • Plugin data folders (especially CoreProtect database, LuckPerms data, economy data)
  • server.properties and bukkit.yml
  • Your entire plugins folder (jar files and their configs)

Test restores periodically. A backup you have never tested is a backup you do not trust.
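The following is an added example, not from the guide or from any backup plugin: a plain tar-based backup of the items listed above, with rotation and a restore check, for a panel schedule or cron job alongside plugin backups. It assumes the server directory contains the world folders, plugins/, server.properties and bukkit.yml, and that the backup directory lives outside the server path.

```shell
#!/usr/bin/env bash
# Added example, not from the guide or any plugin: tar-based backup with rotation
# and a restore test, so "never tested" does not happen. Assumed layout: SERVER_DIR
# holds world*, plugins/, server.properties, bukkit.yml; BACKUP_DIR is elsewhere.

# backup_server SERVER_DIR BACKUP_DIR KEEP -> prints the new archive path
backup_server() {
  local src="$1" dst="$2" keep="$3" stamp n=0 archive items="" i
  mkdir -p "$dst"
  stamp="$(date -u +%Y%m%dT%H%M%SZ)"
  archive="$dst/mc-$stamp-00.tar.gz"
  while [ -e "$archive" ]; do             # several runs in one second still get distinct names
    n=$((n + 1)); archive="$dst/mc-$stamp-$(printf %02d "$n").tar.gz"
  done
  for i in world world_nether world_the_end plugins server.properties bukkit.yml; do
    if [ -e "$src/$i" ]; then items="$items $i"; fi   # skip items this server does not have
  done
  # shellcheck disable=SC2086  (word splitting of $items is intended)
  ( cd "$src" && tar -czf "$archive" $items ) || return 1
  # Rotation: names sort chronologically, so keep the newest KEEP and delete the rest
  ls -1 "$dst"/mc-*.tar.gz | sort -r | tail -n +"$((keep + 1))" | while read -r old; do rm -f "$old"; done
  echo "$archive"
}

# verify_backup ARCHIVE -> 0 if the archive reads cleanly and contains the overworld level.dat
verify_backup() {
  tar -tzf "$1" 2>/dev/null | grep -q '^world/level\.dat$'
}

# restore_backup ARCHIVE TARGET_DIR -> extract into a fresh directory, never over the live server
restore_backup() {
  [ ! -e "$2" ] || { echo "refusing to restore into existing $2" >&2; return 1; }
  mkdir -p "$2" && tar -xzf "$1" -C "$2"
}

# count_backups BACKUP_DIR -> number of archives currently kept
count_backups() { ls -1 "$1"/mc-*.tar.gz 2>/dev/null | wc -l | tr -d ' '; }
```

Run a restore into a scratch directory and start a throwaway server from it at least once; that is the test the paragraph above asks for.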


9. Hiding Your Server IP with a Proxy

Why Your Real IP Is a Risk

Once your server’s real IP address is known, it becomes a DDoS target. If an attacker floods that IP, no amount of upstream protection helps if the traffic reaches your machine directly. The goal is to make sure players never learn the actual server IP.

Velocity Proxy Setup

Velocity is a modern, high-performance Minecraft proxy. Players connect to the proxy’s IP, which forwards their connection to the backend server. The backend server’s IP is never exposed.

Install Velocity on a separate small VPS. Configure your backend server to only accept connections from the Velocity proxy:

In velocity.toml:

bind = "0.0.0.0:25565"
player-info-forwarding-mode = "modern"

[servers]
lobby = "your.backend.ip:25565"

On your backend Paper server, in config/paper-global.yml:

proxies:
  velocity:
    enabled: true
    online-mode: true
    secret: "your_shared_secret_here"

Then in server.properties on the backend, set online-mode=false (Velocity performs the Mojang check and forwards the verified profile to Paper), bind to a non-standard port, and firewall that port so only the Velocity proxy's IP can reach it. Nothing else should be able to open a connection to the backend directly.
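As an added example (not from the guide, Velocity or Paper), this shell function emits an nftables ruleset for the backend host that admits the Minecraft port only from the proxy's address. It assumes IPv4, an nftables-based Linux backend, a separate proxy machine, and SSH on port 22 unless told otherwise.

```shell
#!/usr/bin/env bash
# Added example, not from the guide or from Velocity/Paper: emit an nftables ruleset
# that lets only the proxy reach the backend Minecraft port. Assumes IPv4 and that
# the proxy and backend are separate machines.

# valid_ipv4 ADDR -> 0 if ADDR is a dotted quad with octets 0-255
valid_ipv4() {
  local o IFS=.
  case "$1" in *[!0-9.]*|"") return 1 ;; esac
  set -- $1
  [ $# -eq 4 ] || return 1
  for o; do [ "$o" -le 255 ] 2>/dev/null || return 1; done
}

# backend_nft_rules PROXY_IP BACKEND_PORT [SSH_PORT] -> prints a ruleset for `nft -f`
backend_nft_rules() {
  local proxy="$1" port="$2" ssh="${3:-22}"
  valid_ipv4 "$proxy" || { echo "invalid proxy address: $proxy" >&2; return 1; }
  case "$port" in ''|*[!0-9]*) echo "invalid port: $port" >&2; return 1 ;; esac
  cat <<EOF
table inet mc_backend {
  chain input {
    type filter hook input priority 0; policy drop;
    iif lo accept
    ct state established,related accept
    ip protocol icmp accept
    tcp dport $ssh accept
    # the Minecraft port answers only to the Velocity proxy; everyone else is dropped
    ip saddr $proxy tcp dport $port accept
  }
}
EOF
}
```

Review the output, apply it with nft -f, and confirm a second SSH session still connects before closing the first.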

Using a SRV Record

Even if you are not using a full proxy, using an SRV DNS record (_minecraft._tcp.yourserver.com) means players connect using your domain. You can change the backend IP without players noticing, which is useful if you ever need to migrate or change IPs after an attack.


10. Security Checklist

Use this as a quick reference when setting up or auditing your server.

Authentication and Access

  • online-mode=true in server.properties (or AuthMe if cracked)
  • RCON disabled or secured with a strong password
  • Op list minimized
  • Admin accounts protected with 2FA on hosting panel

World Protection

  • WorldGuard installed and spawn protected
  • CoreProtect logging enabled
  • Claim plugin active for survival worlds
  • TNT, fire spread, mob griefing disabled in unclaimed areas

Anti-Cheat and Permissions

  • Grim or equivalent anti-cheat installed
  • LuckPerms groups structured with least privilege
  • No wildcard permissions for non-owner groups
  • Moderator permissions reviewed and minimal

Network and DDoS

  • Hosting provider includes DDoS protection
  • Server IP hidden behind Velocity proxy or protected address
  • Packet limiter enabled in paper-global.yml
  • prevent-proxy-connections set appropriately

Backups

  • Automated backups scheduled every 6 hours or less
  • Off-site copies to cloud storage
  • Panel-level snapshots configured
  • Test restore completed at least once

Software

  • Paper/Spigot on latest stable version
  • All plugins up to date
  • Java runtime on latest LTS release

11. Frequently Asked Questions

My server is already being DDoSed. What do I do right now?

Contact your hosting provider immediately. If they offer DDoS protection, ask them to enable or escalate mitigation. If they do not offer protection, your options while under attack are limited. Longer term, migrate to a host with built-in DDoS mitigation before the next attack.

Should I enable a whitelist?

For private or semi-private servers, absolutely. A whitelist means only approved usernames can join, which eliminates most random griefing and bot attack vectors. For public servers, a whitelist is not practical, but you can combine online-mode, claim protection, and anti-cheat to compensate.

How do I handle a player who has op and is abusing it?

Run /deop <username> immediately. Follow up with /ban <username>. Then review CoreProtect logs for all actions they took while opped: /co lookup u:<username> t:1d. Roll back any damage they caused. Change your RCON password and review all other admin accounts.

Are cracked servers less secure?

Yes, significantly. Running with online-mode=false disables Mojang authentication entirely. Without AuthMe or a similar plugin, any player can log in as any username. This is a severe vulnerability. If you run a cracked server, authentication plugins are mandatory, not optional.

What ports should I close on my firewall?

Close everything except the ports you explicitly need. For a standard Minecraft server: 25565 TCP for player connections (the game protocol is TCP only). If behind a proxy, close the backend's game port to everyone except the proxy's IP. Close 25575 (RCON) unless you are actively using it. Close the query port (25565 UDP by default) if enable-query=false.

How often should I update my plugins?

Check for updates weekly at minimum. Subscribe to security announcements for plugins you use. Critical security patches should be applied within 24 hours. The Log4Shell vulnerability spread rapidly across unpatched servers in 2021 precisely because many admins had no update workflow.

Can X-ray be stopped?

Client-side X-ray through texture packs cannot be fully prevented at the server level, but you can use anti-xray features in Paper. Enable anti-xray in config/paper-world-defaults.yml with engine-mode 2 for the best obfuscation:

anticheat:
  anti-xray:
    enabled: true
    engine-mode: 2
    max-block-height: 64
    update-radius: 2
    hidden-blocks:
      - copper_ore
      - deepslate_copper_ore
      - gold_ore
      - iron_ore
      - diamond_ore
      - ancient_debris

This sends fake ore data to all players and only reveals real ores when a player is adjacent to them.


Conclusion

Minecraft server security is not something you configure once and forget. Threats evolve, plugins get vulnerabilities, and your player base changes. The most secure server operators treat security as an ongoing process: keeping software updated, reviewing logs regularly, testing backups, and auditing permissions periodically.

The layered approach described in this guide covers the full attack surface. World protection stops griefers. Anti-cheat discourages hackers. Proper permissions limit blast radius when accounts are compromised. Backups ensure recovery when something goes wrong. And network-level DDoS protection keeps your server online even when someone actively tries to bring it down.

Start with the security checklist above, address any gaps, and revisit it monthly. Your players will thank you for the stable, safe experience.
