Fix major exploit

Hello, so basically:

My game has grown a steady player count over a long period of time and now major exploits specifically made for my game are being created.
Which include people being able to fly and cheating in items.

Now the major problem here is cheating in items that you shouldn’t be able to get anymore. I assume they can also cheat in items that for example are not released yet and are kept in a folder. (These are tools located in a folder in ServerStorage)

Is there anyway i can prevent people from creating major eploits like these?
Any help is appreciated.

Well if you’ve got players spawning in unreleased/ unpublic items, you’ve got a huge issue with your networking and how you’re dealing with the player/ server relations. The server should be dealing with all interactions regarding items and obtaining them, so I assume you’ve got some sort of loop-hole which takes advantage of a remote that fires and gives them what they want.

Do you know how they’re spawning them in? That’ll help create a patch, because until then you’ll have a major vulnerability. If you do, I can help more, but without any sort of knowledge on how the exploit works, there’s not a lot you can specifically do apart from secure your remotes, do sanity checks, etc.

Hello friend!

I’ve been doing a lot of anticheat for some people recently, but, since I haven’t checked out your game, (at the moment), I can only go so far as to give you tips.

I assume you are aware of how Remote Events work, server to client, client to server ordeal. The main way exploiters get through your game are by using Remote Events / Functions that connect their client to the game server. The majority also have some sort of cheat that can get into folders of lots of different services, such as server storage, server script storage, and more. Then, they can find tools in your game files to simply paste into their inventory.

For the cheaters who fly and teleport, the simplest way is to look up some sort of video explaining how to create an anticheat on that, as I can’t explain it off the top of my head

For the items or custom abilities in your game, Here’s what I suggest… If it really is a huge problem in your game, then this is necessary. If you have any Bindable Events, Remote Events, or even straight up checking the character’s player that can get the player’s ID in your tool, you can use that to block any foreign accounts from accessing the stored power ups or advantages. However, the client CAN delete these events or functions, so embed the ID checker you make into the script that makes your tool or item do it’s thing. Then they have no choice but to leave it alone. Every future tool you make, make sure the client is checked for the correct attribute or ID that is usually required to obtain it in the first place. I, personally, kick them and then log it into a table for myself to see. *make sure all these checkers are in server scripts, as information provided to local scripts can be manipulated!

I’ll reread this later to see if I can make it anymore useful. Feel free to reply any questions!

If anybody is concerned by the whole “client changing stuff” thing, theres a great source of information by going to the Game Security page on the roblox developer reference

**or… you could get FE++ like @SpeakerDev suggested

There are various anticheats that have been released over the years and have been edited and improved by many people. I would personally recommend the open-source FE++ Anticheat as it is server-sided and works pretty well with my own games.

Thanks for the help! I will be trying to fix this now!