Guide to maximum game security

This is a guide to prevent most stuff in your game from being exploited. Though obviously exploiters can’t be fully prevented, this is a guide to make things in your game much harder (or even impossible!) to exploit.

Free models and plugins

Number 1 - Free Models and plugins
This one might be an obvious one but when you’re inserting free models, be careful and ensure they don’t have any malicious scripts.
For plugins, ensure the plugin is from a trusted developer/plugin maker as that’s your only way to really verify.

Securing information being sent to the server

Number 2 - DON’T trust the client
I would STRONGLY advise not letting your client have control.
Let’s say you’re trying to spawn a part and you use a remote event and let the client send the details of the part:

local remote = game:GetService("ReplicatedStorage").RemoteEvent
remote:FireServer("Weak","Fast","Common")

You’ve transferred all of the details to the server but you’ve done this on a client script. This makes it INCREDIBLY easy for any exploiter to modify this script to whatever they prefer. The server will only see the details sent through this client script and the exploiter can easily modify them.
Obviously doing too much work on the server can inhibit server performance, but that can be fixed with FireAllClients()

Side notes

Also, you can do work on the client that there isn’t much point to exploit, that’s fine.
But work that if exploited will benefit the exploiter should not be done on the client

Anti Cheats

Number 3 - Anti Cheats
I would strongly suggest creating an anti cheat (run by the server of course) to try to catch out fly hackers, speed hackers, etc.
Obviously not all things can be solved by an anti cheat, but stuff like speed hackers can.
For example (this will be a server script in StarterCharacterScripts)

(Note: if you have a speed boost in your game the person in your game may be kicked for it, the code I have is merely an example)

Bonus

A bonus tip to catch out exploiters is to check if the information being sent is the correct information and if it’s not, ban the exploiters.

local remote = game:GetService("ReplicatedStorage").RemoteEvent
-- correctinfo stands for the value the server expects; it must be defined on the server
remote.OnServerEvent:Connect(function(plr, info)
    if info ~= correctinfo then
        plr:Kick("Information mismatch, likely exploiting")
    end
end)

If you have any feedback on this topic, please reply below :smile:

21 Likes
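Added example, not part of the original post: a server-side handler for the remote from "Number 2" in which the client only names a part type and the server looks up the details itself. The `PART_TYPES` catalogue, the `Basic`/`Heavy` keys, the attribute names and the cooldown value are assumptions made for illustration.

```lua
-- Server Script (e.g. in ServerScriptService). Added example, not from the original post.
local ReplicatedStorage = game:GetService("ReplicatedStorage")
local remote = ReplicatedStorage.RemoteEvent -- same remote as in the post

-- Hypothetical catalogue: the server owns the stats, the client only names a part type.
local PART_TYPES = {
	Basic = { strength = "Weak", speed = "Fast", rarity = "Common" },
	Heavy = { strength = "Strong", speed = "Slow", rarity = "Rare" },
}
local COOLDOWN = 1   -- assumed: seconds between accepted spawns per player
local lastSpawn = {} -- [Player] = os.clock() of the last accepted request

local function validateRequest(player, partType, now)
	-- Anything the client sends is untrusted: check the type before using it as a key.
	if typeof(partType) ~= "string" then return nil, "bad argument type" end
	local spec = PART_TYPES[partType]
	if not spec then return nil, "unknown part type" end
	local last = lastSpawn[player]
	if last and now - last < COOLDOWN then return nil, "rate limited" end
	lastSpawn[player] = now
	return spec
end

remote.OnServerEvent:Connect(function(player, partType)
	local spec, reason = validateRequest(player, partType, os.clock())
	if not spec then
		warn(("Rejected spawn request from %s: %s"):format(player.Name, reason))
		return
	end
	local part = Instance.new("Part")
	part:SetAttribute("Strength", spec.strength)
	part:SetAttribute("Speed", spec.speed)
	part:SetAttribute("Rarity", spec.rarity)
	part.Parent = workspace
end)

game:GetService("Players").PlayerRemoving:Connect(function(player)
	lastSpawn[player] = nil -- do not keep state for players who left
end)
```

The matching client call becomes `remote:FireServer("Basic")`; a modified client can still ask for any catalogue entry, so entries that must be earned need a server-side ownership check as well.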

The only problem with this configuration is that any kind of speed boost will instantly kick the player. This should probably be a higher number (let’s say 50).

11 Likes

Yeah, I maybe could have made it clearer and told people that if you use it and you have speedboosts, they can kick the player

Edited the topic :+1:

12 Likes

All these detection methods on the client can be simply avoided by deleting the LocalScript inside the player’s character. Along with this, you are kicking the player on the client. This can be hooked by any exploiter and disabled locally, rendering the ‘anti-cheat’ useless.

The information mismatch remote can simply be deleted.

I’ve just seen that you’ve specified that it’s a server-side script in StarterCharacterScripts. Each character’s walkspeed is not replicated to the server once changed on the client, rendering this idea useless.

11 Likes

Hold on, let me try the anticheat (probably should have done this sooner)
Anticheat works completely fine

8 Likes

Did you change the walkspeed on the client or the server?

6 Likes

I changed the walkspeed on the server, on the client it may be undetectable but that also makes it so no one else notices your walkspeed difference

6 Likes

The walkspeed difference would be noticed by other people in the server, as the client has the ability to change the walkspeed of their character and other players would obviously see this change. Changing the walkspeed on the client will not flag your anti-cheat, and in what circumstances would a client modify their walkspeed on the server?

5 Likes

Given that clients control their own model physics wise, increasing your walkspeed on the client does make you move faster, even to others. The only real way to check for speedhacks on the server is with magnitude checks.

6 Likes
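Added example, not code from any poster in this thread: one way to do the server-side magnitude check mentioned above, comparing how far each character actually moved with what the server's own `WalkSpeed` value allows. The interval, tolerance and strike count are assumed values, and the script assumes characters only move by walking.

```lua
-- Server Script in ServerScriptService. Thresholds are assumed values; tune per game.
local Players = game:GetService("Players")

local INTERVAL = 0.5   -- seconds between samples
local TOLERANCE = 1.5  -- slack for latency and physics jitter
local MAX_STRIKES = 3  -- consecutive violations before correcting
local state = {} -- [Player] = { character, pivot, t, strikes }

local function flat(v) -- ignore vertical motion (jumping, falling)
	return Vector3.new(v.X, 0, v.Z)
end

local function check(player, now)
	local character = player.Character
	local humanoid = character and character:FindFirstChildOfClass("Humanoid")
	if not humanoid or humanoid.Health <= 0 then
		state[player] = nil
		return
	end
	local pivot = character:GetPivot()
	local s = state[player]
	if not s or s.character ~= character then -- first sample or respawn
		state[player] = { character = character, pivot = pivot, t = now, strikes = 0 }
		return
	end
	local moved = (flat(pivot.Position) - flat(s.pivot.Position)).Magnitude
	-- Server-side WalkSpeed: client edits never reach it, server-granted boosts raise the limit.
	local allowed = humanoid.WalkSpeed * (now - s.t) * TOLERANCE
	if moved <= allowed then
		s.pivot, s.t, s.strikes = pivot, now, 0
		return
	end
	s.strikes = s.strikes + 1
	if s.strikes >= MAX_STRIKES then
		warn(("%s moved %.1f studs in %.2fs, limit %.1f"):format(player.Name, moved, now - s.t, allowed))
		character:PivotTo(s.pivot) -- return to the last accepted position
		s.t, s.strikes = now, 0
	end
end

Players.PlayerRemoving:Connect(function(player) state[player] = nil end)

while true do
	task.wait(INTERVAL)
	for _, player in ipairs(Players:GetPlayers()) do
		check(player, os.clock())
	end
end
```

Teleports, vehicles or knockback applied by the game's own server scripts would trip this check, so those code paths should clear the player's entry in `state` when they move a character.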

Ah, alright I’m going to remove the anti cheat example then

6 Likes

-- Run from the Studio command bar; replace PLUGIN_ID with the plugin's asset ID
game:GetObjects('rbxassetid://PLUGIN_ID')[1].Parent = workspace

13 Likes

a great way of viewing plugin source code

11 Likes

This is why I am against the idea of closed-source plugins, if you couldn’t do this anymore this shit would be abused fast

1 Like

I have found a kind of popular plugin with obfuscated source code before, called EasyLS (low quality police siren freemodel). Seems like after a year, Roblox finally deleted it. I understand that they don’t want players to just leak the plugin source code (that for some reason costs 600 robux), but obfuscating a plugin that just inserts a while loop to your game is crazy.

To me, plugins are like mods (although I don’t want paid mods, so I don’t consider plugins to be the same as game mods, as I understand plugin devs need money as well). They enhance your Studio experience, similar to how mods enhance your gaming experience outside of Roblox.

And I like to open the source of a mod and look through its code, so it’s similar to plugins. Sometimes they are compiled files but it isn’t hard to decompile them, but if they were also obfuscated as well then it gets a trip to the recycle bin, as I don’t want to figure out how to deobfuscate it just to look at the src.

Luckily I never experienced obfuscated mods, unlike Roblox plugins, and I don’t install 1000+ plugins onto Studio anyway since it doesn’t make you get better at building/scripting/game design lmao

1 Like