🛡️ Security Tips: Minecraft Servers

Today, we want to share some important security tips for those managing Minecraft servers, whether it's a small server for friends or a large network with hundreds of players. Security is crucial to ensure the integrity of your servers and to prevent your experience—and that of your users—from being ruined. Here are some tips to keep your server safe.

1. 🚫 Avoid Downloading Plugins from Unreliable Sources

It can be tempting to search for and try out new plugins to add interesting features to your server, but it’s crucial to ensure they come from trustworthy sources. Avoid downloading "leaked" plugins or those from unverified sites, as they may contain malicious code that compromises the security of your server and the privacy of your players. While some might use these plugins to test before buying, using them can lead to significant issues. For instance, we had a client running a Survival server with around 50 players online simultaneously who got their server hacked by using a leaked plugin. The hacker deleted all the server's progress and files, then demanded money in exchange for the files—a situation also known as ransomware.

Try to use spigot's official page if you want to download mods!

2. ⚙️ Be Cautious with the "online-mode" Setting

The "online-mode" parameter in the server’s configuration file determines whether the server authenticates players with Minecraft’s authentication server. If this parameter is set to "false," players can connect without authentication, leaving your server vulnerable to attacks. For example, a user could simply take an Administrator's nickname and gain OP privileges. Only disable this setting if you are sure of what you are doing and have additional security measures in place, such as a well-configured authentication plugin (/register & /login).

3. 🔒 Protect Your PixelHost Panel Credentials

If your server is hosted on PixelHost or any other provider, never share your access credentials with anyone who is not absolutely trustworthy. Also, keep your server’s sub-users up to date and regularly review who has access.

4. 🔐 Use Plugins to Protect Your Ports

If your server is part of a network (a collection of interconnected servers), it is essential to protect the ports to prevent unauthorized access. Use security plugins specifically designed to protect your ports and strengthen your network’s infrastructure.

5. 📦 Keep Your Plugins Updated

Most plugins now include automatic update features, which we recommend keeping enabled. New vulnerabilities in plugins can emerge that could pose a risk to your server. For example, an issue in the past with early versions of the WorldGuard plugin involved the command //calc, which was available to all users without needing permissions. A clever individual figured out how to crash the server by using this command to calculate all the decimals of π (pi), which caused a CPU overload and instantly crashed the server. While it was a simple fix—blocking the command—it highlights the importance of keeping your plugins up to date.

6. 💾 Maintain a Good Backup System

A good backup system isn’t just about having a .zip file within your server. While better than nothing, it's not ideal. If an attacker gains access to your server, they could simply delete the backup, rendering it useless. Additionally, any errors in the node’s hard drives—though rare—could also result in data loss. It’s recommended to take daily backups of your server to an external location. At PixelHost, you’ll find a Backup section where backups are stored simultaneously in 27 locations. This service has an additional cost, but if you prefer not to pay, we recommend using a plugin that can store backups elsewhere or simply downloading them to another location apart from your server’s local storage.

Remember, security is an ongoing process, and it’s important to stay vigilant about potential

vulnerabilities and new threats.

If you have any questions about security on your Minecraft server, don't hesitate to contact us through any available means.

Best Regards,

João @PixelHost.