Post is completely outdated with new hacks, go to THIS post for new info
Old Post (OUTDATED)
Now, I know hacking cant be fixed; its as old as time, but I would like to explain how ROBLOX hacking works so you can prevent it.
Now this list may not be complete, some things may not be accurate, but is just a general overview of hacking today on ROBLOX. Hopefully this list covers your questions for making an anticheat.
What @Bullfrogbait said should be read as well, see the solution to read
What can hackers do?
Insert anything; and I mean anything into the local character (the hacker’s body), only visible on the client
Insert items into the local GUI, also only visible on the client
Change anything that is default in the local character, but cannot delete anything, excluding shirts/pants/hats, such as moving limbs, visible on the server and to other players, also includes StarterCharacterScripts and StarterPlayerScripts, this also includes teleporting, noclip, fly, and a lot of other movement hacks
Modify anything in Workspace, only visible on the client
Copy and view only LOCAL (keyword) scripts outside of server services, and anything in Workspace excluding server scripts
What cant hackers do?
Change anything about other players
Change anything on the server, including but not limited to ServerStorage or ServerScriptService
Insert scripts or GUI’s into other players that they can see
Change things other players can see outside of the local character (the hacker’s body)
There’s some extra information that you didn’t mention.
Exploiters can use Server Side Exploits if the developer(s) of the game has a backdoor script which gives exploiters the ability to access the server and do things normal exploits can’t.
If exploiters have access to your game’s server then they can basically destroy your game if they wanted to.
You can get more info on exploiting on this topic:
Most of the lists can be trimmed down to you explaining clientside versus serverside. However, still a neat resource.
Also it should be noted that exploiters can fire RemoteEvents with whatever parameters they want. Don’t trust the client.
If you’re looking to make an anticheat, learn about raycasting. It’s essential (in my opinion, open to debate I suppose) when making an anticheat. You’ll likely have to use it to detect flying (when checking if the player is standing on an object or not) and noclipping (check if their raycast from previous to new position went through something).
You can check current walkspeed by doing HumanoidRootPart.AssemblyLinearVelocity.Magnitude. (You’ll have to set LinearVelocity.Y to zero however)