How To Prevent Exploiters / Cheaters Properly

#1 Never Trust The Client

So to get into this, there are some things you should understand to make a secure game. One of the first things is to never trust the client. I am saying this because the client can always be modified by an exploit program like KRNL, Synapse, JJSploit, and more. Never trusting the client includes a lot, like not trusting the client to make just basic checks.

#2 Remote Events

So most of you might think securing a game is all about making a strong anti-cheat, but that is far from securing a game. Because a lot of people tend to think that securing a game involves making a strong anti-cheat, they forget to actually add secure, non-exploitable remote events. Making a secure, non-exploitable remote event is one of the biggest ways to make your game secure. You make secure remote events by adding server-sided checks for values like money. Some examples are listed below:

Example #1 Secure Local Script:

local Player = game.Players.LocalPlayer

local BuyEvent = game.ReplicatedStorage.BuyShotgun

script.Parent.MouseButton1Click:Connect(function()
	
	BuyEvent:FireServer()
	
end)

One thing that you will notice with this local script is that it does not check the player’s money. This local script does not check money on the client because the client can be manipulated very easily. So then you may ask, where does it check the money? You will see very soon.

Example #2 Secure Server Script:

game.Players.PlayerAdded:Connect(function(Player)

	local Money = Instance.new("IntValue")
	
	Money.Name = "Money"
	
	Money.Value = 100
	
	Money.Parent = Player
	
end)

Now one thing you will notice is that the Money is checked on the server. This is done because the server cannot be manipulated but the client can. So this means if an exploiter changes the amount of money they possess to 200 dollars from 100 dollars, this will not allow the player to get 2 shotguns, because the server script only sees that the player has 100 dollars. So in short, if the client modifies values, the server cannot see that they did so. This is one of the reasons why you do server checks on remote events.

Example #3 Non-Secure Local Script:

local Player = game.Players.LocalPlayer

local ItemPrice = 100

local BuyEvent = game.ReplicatedStorage.BuyShotgun

script.Parent.MouseButton1Click:Connect(function()

	if Player.Money.Value < ItemPrice then

		return

	end

	Player.Money.Value = Player.Money.Value - ItemPrice

	BuyEvent:FireServer()

end)

For this example, you see that the client checks the amount of money the player has. This is not secure because an exploiter can modify the amount of money they have on their client, and they can theoretically get infinite shotguns because they can give themselves infinite money on their client.

Example #4 Non-Secure Server Script:

local BuyEvent = game.ReplicatedStorage.BuyShotgun -- the RemoteEvent the local scripts above fire

local Shotgun = game.ServerStorage.BuyShotgun

BuyEvent.OnServerEvent:Connect(function(Player)
	
	local NewShotgun = Shotgun:Clone()
	
	NewShotgun.Parent = Player.Backpack
	
end)

It is pretty easy to see that the only difference between the secure scripts and non-secure ones is that the server does the money check.

#3 Making a server-sided anti-cheat

Now you might need to make an anti-cheat if you are making a competitive game like an FPS or a TPS. Making a good server-sided anti-cheat can prevent game-breaking hacks like no-clip hacks, speed hacks, and even fly hacks. Now you might ask, why make the anti-cheat server-sided? Well, this goes back to the main point, which is to never trust the client. If you end up making a client-side anti-cheat, it can be easily bypassed, but a server-side anti-cheat will be almost impossible to bypass. Now when making a server-side anti-cheat, it is highly important to design it around your game. If you fail to do this, it might not work properly, or it might even falsely kick or ban players, and this would not be good. Now I will link a good resource for making a server-side anti-cheat. Make sure not to forget to design it around your game.

Now if you watched the video, one thing you will notice is that you are not going to be checking Humanoid.WalkSpeed. This is because the server will not be able to see that the client has changed their WalkSpeed to something abnormal. Well, then you might ask, how does the server check the WalkSpeed? If you watched the video, you would know that you have to use stuff like magnitude to check the WalkSpeed of the player.

#4 Make A Votekick System

Now there are many advantages and disadvantages to making a vote kick system in your game. But if the game you are making is going to be a competitive one, then this might be necessary to prevent exploiters or cheaters. There are many games on the Roblox platform that use a vote kick system to prevent hackers inside of their game. An example of a highly popular Roblox game that does this is Phantom Forces, but you can also see many examples of this system being abused by the Phantom Forces player base, so adding a vote kick system might be effective but might also not be effective. Also, one thing to keep in mind when making a vote kick system is to make secure remote events for it.

#5 Make A Strong Moderation Team Requested By (AbuMuASin)

It is not a question that a good moderation team is one of the best ways to prevent hackers or exploiters. But making a strong moderation team can be very difficult. Many things can go wrong when making a moderation team, like moderators abusing their power for their own gain or to just be toxic. To prevent this issue, only give moderator status to people that you have high trust in. Another issue with making a moderation team is getting the people to make a moderation team. You can get some people for your moderation team from maybe a post on the dev forum or a Discord server where you can be hiring moderators. Also, another thing with making a moderation team is that you will need to create a good moderation system inside of your project, and when making a moderation system that requires remote events, keep in mind what I have mentioned in section #2 about securing remote events.

#6 Don’t Ruin Your Game To Prevent Cheaters

There are always going to be cheaters inside of your Roblox game, period. And there are some examples of games being ruined because of the simple fact that they are trying to prevent cheaters. There is really no way to fully prevent cheaters, so don’t make your game so strict on preventing cheaters that it ruins the core aspects of the game or that it ruins the performance of the game.

35 Likes
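
The server-side check that section #2 describes, as an added example that is not part of the original post. It goes one step further than the post by accepting an item name from the client, so it also shows argument validation and a per-player cooldown; the RemoteEvent name `BuyItem`, the `Tools` folder in ServerStorage and the cooldown value are assumptions.

```lua
-- Server Script (added example, not the thread author's code).
local Players = game:GetService("Players")
local ReplicatedStorage = game:GetService("ReplicatedStorage")
local ServerStorage = game:GetService("ServerStorage")

-- Assumed names: a RemoteEvent "BuyItem" and a folder "Tools" holding tool templates.
local BuyEvent = ReplicatedStorage:WaitForChild("BuyItem")
local Tools = ServerStorage:WaitForChild("Tools")

-- Prices exist only on the server; the client sends a name, never a price.
local PRICES = { Shotgun = 100 }
local COOLDOWN = 0.5     -- seconds between accepted purchases per player (assumed)
local lastPurchase = {}  -- [Player] = os.clock() of the last accepted purchase

BuyEvent.OnServerEvent:Connect(function(player, itemName)
	-- Everything after `player` is controlled by the client: check its type first.
	if typeof(itemName) ~= "string" then return end
	local price = PRICES[itemName]
	if not price then return end
	local template = Tools:FindFirstChild(itemName)
	if not template then return end

	-- Ignore event spam instead of processing every request.
	local now = os.clock()
	local last = lastPurchase[player]
	if last and now - last < COOLDOWN then return end

	-- "Money" is the IntValue the server created under the player (Example #2).
	local money = player:FindFirstChild("Money")
	local backpack = player:FindFirstChild("Backpack")
	if not money or not backpack or money.Value < price then return end

	-- No yielding call sits between the check and the deduction,
	-- so two rapid requests cannot both pass the same balance check.
	lastPurchase[player] = now
	money.Value -= price
	template:Clone().Parent = backpack
end)

Players.PlayerRemoving:Connect(function(player)
	lastPurchase[player] = nil
end)
```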

Point #5 is what I always missed in tutorials like these. Clever to include it!

Cheaters can lead to less player retention, but a noticeable anti-cheat will be even more damaging to the playerbase.

5 Likes

Yeah bro what you said is why I Included that section.

3 Likes

Exactly, I always missed it on other “how to prevent exploiters” topics. Thank you for including it.

5 Likes

Dude no problem bro I am glad that you read it. It was a lot of hard work and research to make! 🙂

6 Likes

Best things to do for anti-cheat system.

1- Catch up humanoid walkspeed <— if they tried to change it any number. they will be kicked!
2- Catch up the jump power. They will be kicked.
3- Catch fly by checking character position - if changed then he will get kicked
4- Hide leaderstats. at the player folder!
5- Hide tools.
6- Use plugins to hide guis. the plugin called! [Gui to Lua]
7- Keep updating your anti-cheat system.
8- It’s easy if you just updated the system.

– Properties you need to check.
1- Humanoid.
2- Body Colors.
3- Animator.
4- There more type of it. you want to check to know how to make anti-cheat system.

Hopefully helps

No need for vote-kick.

Reading more at the Roblox developer website will make your anti-cheat more powerful.

11 Likes

Both of these require for you to check on the client, which is not plausible.

This is unnecessary, if you have a good client-server communication model (which you should), it is pointless.

Neither of the properties on these replicate.
When an exploiter sets their WalkSpeed property on the client - the result replicates - I.e., the server sees them moving faster, but they will not see the WalkSpeed change. This is why speed anticheats are fundamental.

9 Likes
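
A server-side speed check of the kind section #3 and the reply above describe, as an added example that is not code from the thread. It measures how far each character actually moved and compares that with the server's own WalkSpeed value; the interval, tolerance and strike count are assumed values to tune for your game.

```lua
-- Server Script (added example). Constants are assumptions to tune per game.
local Players = game:GetService("Players")
local RunService = game:GetService("RunService")

local SAMPLE_INTERVAL = 0.5 -- seconds between checks
local TOLERANCE = 1.5       -- slack for latency and physics jitter
local MAX_STRIKES = 3       -- bad samples in a row before correcting

local state = {}            -- [Player] = { pos, t, strikes }
local clock, sinceCheck = 0, 0

RunService.Heartbeat:Connect(function(dt)
	clock += dt
	sinceCheck += dt
	if sinceCheck < SAMPLE_INTERVAL then return end
	sinceCheck = 0

	for _, player in ipairs(Players:GetPlayers()) do
		local character = player.Character
		local root = character and character:FindFirstChild("HumanoidRootPart")
		local humanoid = character and character:FindFirstChildOfClass("Humanoid")
		local s = state[player]
		if not root or not humanoid or humanoid.Health <= 0 then
			state[player] = nil -- a respawn starts from a fresh baseline
		elseif not s then
			state[player] = { pos = root.Position, t = clock, strikes = 0 }
		else
			-- Horizontal distance only, so jumping and falling are not flagged.
			local moved = ((root.Position - s.pos) * Vector3.new(1, 0, 1)).Magnitude
			-- humanoid.WalkSpeed read here is the server's value; a change made
			-- on the client does not replicate, so it is the trusted limit.
			if moved / (clock - s.t) > humanoid.WalkSpeed * TOLERANCE then
				s.strikes += 1
				if s.strikes >= MAX_STRIKES then
					character:PivotTo(CFrame.new(s.pos)) -- move back instead of kicking
					s.t, s.strikes = clock, 0
				end
			else
				s.pos, s.t, s.strikes = root.Position, clock, 0
			end
		end
	end
end)

Players.PlayerRemoving:Connect(function(player)
	state[player] = nil
end)
```

Server scripts that legitimately teleport a player should clear `state[player]` first, otherwise the teleport itself is measured as movement.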

This is 100 percent true and this is a good addition to this post!

3 Likes

Some of these properties only replicate on the client but overall it is a good post!

2 Likes

Might’ve missed the point of having a Management/Moderation team. It’s human Anti-cheat, usually works better than scripted Anti-cheat. Pretty nice list nonetheless.

3 Likes

I believe it’s easy! to stop walkspeed. and jumppower! using local script.

3 Likes

OK, so the thing about using local scripts for anti-cheats is that local script anti-cheats can be easily bypassed and server ones cannot be bypassed. But yes, a local anti-cheat can see changes in WalkSpeed and JumpPower.

3 Likes

I added moderation as a section

2 Likes

But can’t the client fire the remote event through exploits?

1 Like

It’s just an example. In reality, if you had an event like that, you’d do something along the lines of this:

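-- event fired by client, server gets notified
local BuyRemote = game.ReplicatedStorage.BuyRemote -- assumed RemoteEvent name
local needed = 100 -- assumed example price

BuyRemote.OnServerEvent:Connect(function(player)
	if player.leaderstats.Money.Value >= needed then
		-- do something to give them the item
		player.leaderstats.Money.Value -= needed
	end
end)

1 Like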

No…
I meant what if the client fires the remote events. It wouldn’t be very secure.

2 Likes

It doesn’t matter as long as all you do from the client is fire the event. The server should be the one making sure everything is in order and rewarding the player, so as long as you don’t have the client doing any of the comparing, you should be fine.

1 Like

Dude. Even if they fire it, it will still be the same result.
They can’t cheat that kind of system as they can’t edit the server-sided script.

Also, it’s a buy event, so maybe you’re thinking of spamming the event? Lose all of your coins in a flick of a finger.

3 Likes