Server Security
If you're hosting a public community, your players' data is your responsibility. This guide covers how to keep your world and your community safe from bad actors.
1. The Rule of Online-Mode
Minecraft defaults to online-mode=true. This is your first and best line of defense.
True: Verifies players with Mojang's official servers. No one can log in as you or your staff unless they have your Minecraft credentials.
Important:
Don't set online-mode=false unless you have a dedicated authentication plugin (like AuthMe) and a solid proxy (like BungeeCord/Waterfall) in front of your server.
2. Managing Staff & OPs
Permissions with LuckPerms
Giving someone "OP" (Operator) status is like handing them the keys to your house. We recommend using a permissions plugin like LuckPerms instead of the default /op command.
- LuckPerms: Create groups (Moderator, Admin, Player) and give each group only the permissions they need.
- Avoid "Force OP": Never trust a plugin or person who asks you to give them "OP" to "fix something."
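A quick way to check sections 1 and 2 against your own files. This is an added example, not a Deduck tool: it reads the text of server.properties and ops.json and flags online-mode=false and an oversized operator list. The max_ops limit and the "jar name starts with authme" check are assumptions made for illustration.

```python
import json

def parse_properties(text):
    """Parse server.properties: key=value lines; '#' and '!' start comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#!":
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props

def audit(properties_text, ops_text, plugin_jars, max_ops=2):
    """Return a list of findings; an empty list means nothing was flagged."""
    findings = []
    props = parse_properties(properties_text)
    # The guide says online-mode defaults to true, so a missing key passes.
    online = props.get("online-mode", "true").lower() == "true"
    if not online:
        # Assumption: an auth plugin is recognisable by its jar file name.
        has_auth = any(j.lower().startswith("authme") for j in plugin_jars)
        detail = ("auth plugin jar present, confirm the proxy is in front"
                  if has_auth else "no auth plugin jar found")
        findings.append(f"online-mode=false ({detail})")
    # ops.json is a JSON list with one object per operator.
    ops = json.loads(ops_text or "[]")
    names = sorted(op.get("name", "?") for op in ops)
    if len(names) > max_ops:  # max_ops is an assumed limit, pick your own
        findings.append(
            f"{len(names)} operators, more than {max_ops}: {', '.join(names)}")
    return findings

# Constructed sample inputs (not from a real server).
SAMPLE_PROPERTIES = "#Minecraft server properties\nmotd=My Community\nonline-mode = false\n"
SAMPLE_OPS = json.dumps([
    {"uuid": "00000000-0000-0000-0000-000000000001", "name": "owner", "level": 4},
    {"uuid": "00000000-0000-0000-0000-000000000002", "name": "builder1", "level": 4},
    {"uuid": "00000000-0000-0000-0000-000000000003", "name": "helper", "level": 4},
])

if __name__ == "__main__":
    for finding in audit(SAMPLE_PROPERTIES, SAMPLE_OPS, ["LuckPerms-Bukkit.jar"]):
        print("FINDING:", finding)
```

An empty result only means these two checks passed; it does not confirm that a proxy is actually in front of the server.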
3. Protecting your Deduck Credentials
Your Deduck dashboard account is the most powerful tool you have. If someone gets your Deduck login, they can delete your entire server, including your backups.
- Enable 2FA (Two-Factor Authentication): This adds a second layer of security even if someone finds out your password.
- Safe SFTP: Only use SFTP across encrypted connections. Don't share your SFTP details with anyone; if you need a co-owner, use the "Invite" feature on your dashboard.
4. Plugin Security
Only download plugins from trusted sources like SpigotMC, Modrinth, or Hangar.
Avoid "Leaked" or "Null" plugins: These are premium plugins offered for free on sketchy sites. They almost always contain "backdoors" that allow the person who cracked the plugin to take over your server whenever they want.
Security isn't a one-time setup; it's a habit. Keep your plugins updated, your staff list small, and your backups frequent.