What is this tutorial?
This tutorial is a guide on how you can mitigate bots in your experiences. Some topics in this tutorial may already be familiar to you, or may already be in use inside of your experience. Either way, I believe this should be useful for anyone, no matter the skill set, as a small insight into prevention measures and how they may operate.
Why write this tutorial?
The goal of this tutorial is to enable creativity and critical thinking and to expand your knowledge on what you can do to prevent bots from being a big problem in your experiences. The options in this tutorial may not be the best solution or the one-size-fits-all approach, but they should stop the majority of bots from ruining your experience.
Please note that this is my first written tutorial, and all contents in this tutorial are from what I know, have learned, and have researched, and from first-hand experience. Details or comments made in this tutorial are my own opinion. Feel free to criticize me on my writing and how I can improve writing tutorials in the future, what you disagree with, and if this tutorial taught you anything useful.
Basic Mitigation Methods
These are methods that are simple to use and can help with removing bots that are quickly assembled or bots that don’t follow basic principles.
1. Account Age Limits
The first and probably most common solution is to set an account age limit when a user joins your experience.
How do I achieve this?
You can achieve this by writing a simple script on the server that checks the users’ account age and removes them from the experience if they don’t meet the requirements set. The code may look something like this:
```lua
local Players = game:GetService("Players")

-- Minimum account age, in days, required to play
local ALLOWED_ACCOUNT_AGE = 7

local function onPlayerAdded(player: Player)
	-- Player.AccountAge is the number of days since the account was created
	if player.AccountAge < ALLOWED_ACCOUNT_AGE then
		player:Kick(`Your account needs to be at least {ALLOWED_ACCOUNT_AGE} days old to play this experience!`)
		return
	end

	-- Do something
end

local function initialize()
	-- Handle players who joined before this script started running
	for _, player in Players:GetPlayers() do
		onPlayerAdded(player)
	end

	Players.PlayerAdded:Connect(onPlayerAdded)
end

initialize()
```
Example script that shows how the account age limit may be implemented
How does this help me?
This is the most basic method, used in a lot of Roblox experiences to remove players whose accounts are fresh. This means that if a bot account is created, joins your experience, and doesn’t meet the requirement, it’ll automatically get removed.
Now this may sound wonderful for preventing new bots from joining your experience; however, it does come with a downside.
What are the cons of implementing this?
While you are preventing recently created bots from joining your experience, you are also disabling the ability for real new players to join your experience as well. It’s a double-edged sword.
Conclusion
If you know your player base or player reach and accept the risk of not having new players join your experience, assuming they don’t meet the given requirements, you may want to use this method. Otherwise, I believe the next method should be useful for the majority of experiences, as it not only stops a lot of bots but may also help your players with account security.
2. Account Verification via Assets
While the first method points to checking the user’s account age, which may not be viable, this method checks if the user owns an accessory they receive when verifying their Roblox account.
What does that mean?
When you verify your Roblox account with your email address or phone number, you receive an exclusive avatar accessory item. Since 2013, the item you receive is the Verified, Bonafide, Plaidafied hat accessory.
What about users that verified their account before 2013? In that case, the avatar accessory item is the Verified Sign hat accessory.
This tells you that the user has at least verified their credentials with Roblox, ensuring not only account security but also signifying that they’re more likely an actual player.
How do I achieve this?
You can achieve this by writing a script on the server that checks if the user owns one of these accessories. If not, it simply removes the user and asks them to verify their account. The code may look something like this:
```lua
local MarketplaceService = game:GetService("MarketplaceService")
local Players = game:GetService("Players")

-- Verified, Bonafide, Plaidafied hat (awarded for verification since 2013)
local BONDAFIED_ACCESSORY_ID = 102611803
-- Verified Sign hat (awarded for verification before 2013)
local SIGN_ACCESSORY_ID = 1567446

local function isPlayerVerified(player: Player): boolean
	-- PlayerOwnsAsset is a web call that can fail, so each lookup is wrapped in pcall
	local successBondafied, ownsBondafied = pcall(MarketplaceService.PlayerOwnsAsset, MarketplaceService, player, BONDAFIED_ACCESSORY_ID)
	local successSign, ownsVerifiedSign = pcall(MarketplaceService.PlayerOwnsAsset, MarketplaceService, player, SIGN_ACCESSORY_ID)

	-- Either accessory is enough, even if the other lookup failed
	if (successBondafied and ownsBondafied) or (successSign and ownsVerifiedSign) then
		return true
	end

	if not (successBondafied and successSign) then
		warn(`Failed to check if player owns the following accessories: {BONDAFIED_ACCESSORY_ID} and {SIGN_ACCESSORY_ID}`)
	end

	-- Ownership could not be confirmed, so treat the player as unverified
	return false
end

local function onPlayerAdded(player: Player)
	local isVerified = isPlayerVerified(player)

	if isVerified == false then
		player:Kick("Your Roblox account is not verified! Please verify your Roblox account in order to play this experience.")
		return
	end

	-- Do something
end

local function initialize()
	-- Handle players who joined before this script started running
	for _, player in Players:GetPlayers() do
		onPlayerAdded(player)
	end

	Players.PlayerAdded:Connect(onPlayerAdded)
end

initialize()
```
Example script that shows how checking for account verification through assets/accessories may be implemented
How does this help me?
As stated previously, this method ensures the user has at least verified their account with Roblox. While this method may not be foolproof, it at least discourages bot farmers from spending time and resources verifying all of their accounts just to play your experience, thus eliminating the majority of bot accounts.
This also encourages your players to verify their Roblox account, which enhances account security and account recovery for your players.
What are the cons of implementing this?
While you are eliminating the majority of the bots from entering your experience, the same cons of the previous method still apply. You may discourage new players from joining your experience as it’s seen as being “too difficult,” “confusing,” or “annoying.”
Conclusion
The majority of bots don’t follow the basic principles of account verification, as Roblox does not require you to verify your account upon sign-up. This, in turn, removes the majority of bots, as the bot farmers don’t want to spend the time, money, or resources creating and/or finding new addresses or numbers for all of their accounts. However, you again risk losing new players that only log on to check out the experience or have no means of going through the hassle of account verification. Though in my opinion, this is a fair trade-off as this could be the simplest way to remove bots from your experience.
Advanced Mitigation Methods
These are methods that are for more advanced individuals, as they deal with more logic and personalized techniques in an attempt to make them effective.
1. Account Restrictions
This method is adding restrictions to users that you suspect are bots or are new to your experience. This may mean they’ve only played your experience for less than xyz hours, or they’ve been suspected of being malicious through player reports, past infractions, or other means.
This method primarily focuses on making it more challenging and difficult for the bot to do its job correctly and effectively, whether that is receiving certain items or using certain in-experience abilities or mechanics such as boosts or trading. By adding certain restrictions, you may slow these bots down in achieving what they want, which may deter them from trying certain activities in your experience or from coming to your experience altogether.
You don’t want to make the restrictions too harsh for new players, but you also don’t want to make it too easy for bots. It’s a challenge to create and a challenge to get right.
This leads to the second half of this method, which is…
1.1 Restrictions in Private Servers
This may sound like a stretch, but I believe restricting certain items from being obtained or making it harder to obtain them in private servers may deter and discourage bot farmers from utilizing private servers as a primary source. Private servers are unseen by the public, thus making it harder to detect and remove them from your experience.
Restricting or limiting items can include specific item rarities, gifting or trading features, or certain in-experience events.
This method should definitely be considered if your private servers are free, as bot farmers inside them are hidden from the public and are free to try out any methods or exploits they wish, assuming you don’t have any protections in place.
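One way to express the restrictions from sections 1 and 1.1 as a single server-side check, written as an added example that is not part of the original post. The thresholds, the rarity scale, the `Profile` record and the `TradeGate` module name are assumptions for illustration.

```lua
-- Added example, not from the original post. ModuleScript required by server code.
local Players = game:GetService("Players")

-- Assumed values; tune them for your experience.
local MIN_PLAYTIME_SECONDS = 2 * 60 * 60 -- playtime required before trading unlocks
local PRIVATE_SERVER_MAX_RARITY = 2 -- hypothetical scale: 1 = common ... 5 = rarest

-- Private servers have a PrivateServerId and a non-zero owner;
-- reserved servers have an id but PrivateServerOwnerId == 0.
local IS_PRIVATE_SERVER = game.PrivateServerId ~= "" and game.PrivateServerOwnerId ~= 0

type Profile = { savedPlaytime: number, joinedAt: number, flagged: boolean }
local profiles: { [Player]: Profile } = {}

local function onPlayerAdded(player: Player)
	-- Hypothetical: load savedPlaytime and flagged from your own DataStore here.
	profiles[player] = { savedPlaytime = 0, joinedAt = os.clock(), flagged = false }
end

local TradeGate = {}

-- Returns whether the player may trade an item of this rarity, plus a reason if not.
function TradeGate.canTrade(player: Player, itemRarity: number): (boolean, string?)
	local profile = profiles[player]
	if not profile then
		return false, "Your data is still loading."
	end
	if profile.flagged then
		return false, "Trading is restricted on this account."
	end
	local playtime = profile.savedPlaytime + (os.clock() - profile.joinedAt)
	if playtime < MIN_PLAYTIME_SECONDS then
		return false, "Keep playing to unlock trading."
	end
	if IS_PRIVATE_SERVER and itemRarity > PRIVATE_SERVER_MAX_RARITY then
		return false, "This item can only be traded in public servers."
	end
	return true, nil
end

for _, player in Players:GetPlayers() do
	onPlayerAdded(player)
end
Players.PlayerAdded:Connect(onPlayerAdded)
Players.PlayerRemoving:Connect(function(player)
	profiles[player] = nil
end)

return TradeGate
```

Call `TradeGate.canTrade` on the server inside whatever handles a trade or gift request, never on the client, since a client-side check can be bypassed by the same exploits the bots use.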
Which leads to the last method, which is…
2. Creating or using an anti-cheat system
This is one of the most obvious but also one of the most difficult problems to solve. Creating and testing anti-cheat systems is never easy and is very time-consuming. However, if you are dedicated and have the time or resources to do so, I highly encourage you to. And if you don’t, luckily there are third-party solutions such as open-source anti-cheats that can be just as effective.
There are many different ways you can create your anti-cheat and its use case or effectiveness, as every experience is different. However, we can try to tackle the most common cheats bots use in your experiences. The most common cheats bots use are:
- Teleportation: This enables the bots to teleport to various areas of your map, including off-limit and restricted areas.
- No-Clipping: This enables the bots to go through walls, buildings, and restricted areas in your experience.
- Auto-Collect/Auto-Sell: This enables the bots to purchase or sell an in-experience item automatically when they have the funds or ability to do so.
- Flying: This enables the bot to levitate and go wherever they want or have access to in your experience.
- Spam: These are bots that spam content in your experience’s chat to promote their products or services.
While there are no foolproof solutions and ultimate protections against these methods, there are ways to mitigate them with the use of anti-cheat detection. I recommend server-side anti-cheat mixed with client anti-cheat to get the best of both worlds.
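A server-side check for the teleportation and speed cases in the list above, as an added example that is not from the original post or from any of the anti-cheats it mentions. The thresholds and the `ServerTeleported` attribute are assumptions; it does not cover no-clipping or vertical flying.

```lua
-- Added example, not from the original post. Server Script.
local Players = game:GetService("Players")

-- Assumed values; tune them for your experience.
local CHECK_INTERVAL = 0.5 -- seconds between checks
local TOLERANCE = 1.75 -- slack for lag and physics pushes
local STRIKES_BEFORE_KICK = 5
-- Hypothetical attribute your own code sets on a character right before a legitimate teleport.
local TELEPORT_FLAG = "ServerTeleported"

local lastPosition: { [Player]: Vector3 } = {}
local strikes: { [Player]: number } = {}

local function check(player: Player, dt: number)
	local character = player.Character
	local root = character and character:FindFirstChild("HumanoidRootPart")
	local humanoid = character and character:FindFirstChildOfClass("Humanoid")
	-- Skip dead, seated (vehicles) or server-teleported characters and restart tracking.
	if not root or not humanoid or humanoid.Health <= 0 or humanoid.SeatPart
		or character:GetAttribute(TELEPORT_FLAG) then
		if character then character:SetAttribute(TELEPORT_FLAG, nil) end
		lastPosition[player] = nil
		return
	end

	local previous = lastPosition[player]
	lastPosition[player] = root.Position
	if not previous then return end

	-- Horizontal distance only, so falling is not mistaken for speeding.
	local travelled = ((root.Position - previous) * Vector3.new(1, 0, 1)).Magnitude
	if travelled > humanoid.WalkSpeed * TOLERANCE * dt then
		strikes[player] = (strikes[player] or 0) + 1
		-- Rubber-band back to the last accepted position, keeping orientation.
		root.CFrame = root.CFrame.Rotation + previous
		lastPosition[player] = previous
		if strikes[player] >= STRIKES_BEFORE_KICK then
			player:Kick("Unexpected movement detected.")
		end
	end
end

Players.PlayerRemoving:Connect(function(player)
	lastPosition[player], strikes[player] = nil, nil
end)

while true do
	local dt = task.wait(CHECK_INTERVAL)
	for _, player in Players:GetPlayers() do
		check(player, dt)
	end
end
```

Rubber-banding before kicking keeps false positives from lag cheap for real players while still denying a bot the position it teleported to.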
As mentioned earlier, there are open-source anti-cheat solutions out there that you can use completely for free. I personally recommend Knightmare’s Server-Side Anti-Cheat, as it’s free, easily customizable, and still maintained and being worked on.
As a bonus method, you can try experimenting. I recommend researching and looking into these bots that spam content within your experience’s chat and setting up a custom chat filter that, once it detects certain words or phrases, doesn’t replicate the message to other users, rendering them useless.
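A sketch of such a chat filter using `TextChannel.ShouldDeliverCallback`, as an added example that is not from the original post. The blocked phrases are constructed samples, and the code assumes `message.Text` holds the sent text when the callback runs.

```lua
-- Added example, not from the original post. Server Script.
local TextChatService = game:GetService("TextChatService")

-- Constructed sample phrases (lowercase, no spaces); build your own list from spam seen in your chat.
local BLOCKED_PHRASES = { "cheappets", "freerobux", "visitmyshop" }

-- Lowercase and strip everything except letters and digits, so "C h e a p  P-E-T-S" still matches.
local function normalize(text: string): string
	return (string.gsub(string.lower(text), "[^%l%d]", ""))
end

local function isSpam(text: string): boolean
	local normalized = normalize(text)
	for _, phrase in BLOCKED_PHRASES do
		if string.find(normalized, phrase, 1, true) then
			return true
		end
	end
	return false
end

local function protect(instance: Instance)
	if not instance:IsA("TextChannel") then
		return
	end
	-- Runs on the server once per potential recipient; returning false skips delivery to them.
	-- Note: this replaces any ShouldDeliverCallback already set on the channel.
	instance.ShouldDeliverCallback = function(message: TextChatMessage, recipient: TextSource): boolean
		local sender = message.TextSource
		if sender and sender.UserId == recipient.UserId then
			return true -- the sender still sees their own message
		end
		-- Assumption: message.Text holds the sent text when this callback runs.
		return not isSpam(message.Text)
	end
end

-- Cover the default channels and any channel created later.
for _, descendant in TextChatService:GetDescendants() do
	protect(descendant)
end
TextChatService.DescendantAdded:Connect(protect)
```

Because the sender still sees the message, a spam bot gets no signal that its messages are being dropped for everyone else.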
What I’ve gathered
From my research, a lot of these bots operate using multi-instance launching, emulators, phone farms, server/hardware renting, and cloud services (such as cloud phones), which are cheap to purchase in bulk. The majority of these bot farms are also from Southeast Asian countries, such as Thailand, Vietnam, Indonesia, and the Philippines.
A lot of these bot farmers go for experiences that have items of value. This could be pets, eggs, abilities, towers, fruits, knives, etc. They primarily go for experiences that have gifting or trading mechanics to profit from these items.
These bots also utilize certain cheats and exploits such as auto-login (to log in to private servers or multiple accounts), auto-rejoin (to automatically rejoin experiences when kicked, disconnected, etc.), and macros (recording user actions and replaying them, giving the illusion it might be an actual player and doing specific tasks effectively).
A lot of these services sell on third-party websites and platforms, which I’m not allowed to name. However, they have groups of users that sell and buy these items that range from 30k up to 700k members for various popular Roblox experiences.
To name a few experiences that are the most common, we have Blox Fruits, Grow a Garden, Bee Swarm Simulator, Anime Vanguards, Anime Rangers X, Anime Saga, Arise Crossover, Anime Dimensions, and a lot more.
Conclusion
There is no definitive way of getting rid of bots, and they are unfortunately going to continue to stay on the platform. But we as a developer community can use and share these methods to try and mitigate these bots from plaguing our experiences and profiting from our hard work.
Roblox has done a great job in detecting these bots and removing them in recent ban waves. However, because there are so many and they operate as a large network, it’s very difficult to remove all of them.
There is some hope with Hyperion’s detection, as the majority of these bots use exploit software en masse to farm hundreds of experiences.
Thank you for reading through this whole forum post, and I hope you learned something useful.
Resources
One final thing I forgot to include in the initial posting is some helpful resources you can explore in your free time. Here’s a list of a few YouTube videos and Roblox creator documentation about security:
- Stop exploiters in your Roblox games (Suphi Kaner on YouTube)
- Stop exploiters setting humanoid states (Suphi Kaner on YouTube)
- How to Secure Your Game Against Exploiters (GnomeCode on YouTube)
- Security tactics and cheat mitigation (Roblox Creator Documentation)