How to protect your server from exploiters tutorial!

Greetings everyone!

So recently I have seen quite a few people's code which uses things like remote events and as such, but they have not protected the server well. Due to this I decided to write a detailed tutorial on this. Inside this tutorial I will be including how exploiters can use things like remote events to hack your game, the best ways to protect your server from exploiters, and some examples of ways you can protect your server. I will try to include lots of information but also make this tutorial simple so anyone can understand it.

How do exploiters use remote events and functions to hack your game?

One of the top ways exploiters hack your game is via remote events and functions. The reason for this is because the way games work is that you have a server side and a client side. The client side is what is run on the Player client. Now due to this exploiters can inject executors to fire remote events to the server due to you being able to fire them from the client. Due to this if our server side is not protected people can fire remote functions or events to do something on the server side which they should not be allowed to do.

How to protect your servers:

There are many ways to protect your servers but the best way is checks on your server. If you check things you can view if someone should be allowed to use this remote event. There are many more ways to protect your server via checks; these are just some of the common ways people do this. You can also make an anti-exploit system via this because if the request does not meet the checks it is clear the user is exploiting.

Some examples of checks you can do on the server are:

  • Check stats on the server side (as an example money when buying something)
  • Check a rank in a group (this can be used if you want something only to be used if they have a rank in a group)
  • Check how many times a request is sent. Sometimes if you know something can only be fired after a certain time you can check this server side
  • If you have to do anything to a user make sure to do it via the player value you get given from Roblox.

Unprotected Server:

Protected Server:

Examples of protected servers:

Here are some simple examples of ways you can check your server. You are welcome to copy any of the code to use in your project completely for free. Just make sure to modify it because it will most likely not work 100% if you just copy it.

Example One:

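-- Services --

local RS = game:GetService("ReplicatedStorage")

-- Variables --

local GroupID = 6559630

-- Main Code --

-- plr is supplied by Roblox; plrToKick and Reason come from the client and must be validated.
RS.Events.Admin.Kick.OnServerEvent:Connect(function(plr, plrToKick, Reason)
	if plr:GetRankInGroup(GroupID) >= 215 then
		-- Reject malformed arguments instead of erroring on them
		if typeof(plrToKick) ~= "Instance" or not plrToKick:IsA("Player") or type(Reason) ~= "string" then
			return
		end
		plrToKick:Kick("You have been kicked from the server by "..plr.Name.." due to the reason of "..Reason)
	else
		plr:Kick("You have been kicked for attempting to kick a user when not an example (if you are exploiting please stop).")
	end
end)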

Conclusion of tutorial!

I will now be concluding this tutorial here. There are more advanced ways to protect your server but what I have said in this tutorial is the basics you should really know so that you can have at least some protection on the server end.

If you would like to read a little more about game security feel free to take a read of this article which Roblox created (Game Security). If you would like to find some more information in general about remote functions and events feel free to read this article written by Roblox (Remote Functions and Events).

15 Likes

Cool! I am just wondering though, what if the person in question is not in the parent group? Will it still kick them? Thanks.

1 Like

Well it really depends what you mean by this. The code example I gave was if the user's rank is not equal to 215 or higher then you can’t use the admin command. The reason why we can kick them right away is because we can check on the client side to see if someone is that rank or not but due to exploiters being able to fire remote events and functions we have to do checks on both the server and client.

If you want to kick someone who is not in a group you can either use :GetRankInGroup(GroupID) == 0 because the rank someone gets if they are not in the group is 0 or you can use :IsInGroup (both checked via an if statement)

https://developer.roblox.com/en-us/api-reference/function/Player/IsInGroup

1 Like

This is a bit poorly written and gives false information on securing your server. Remember that exploiters can manipulate any value given to them, so in your case you should provide info on where you are doing the value checks. If you check the money on the client and send it to the server then wait for approval, an exploiter can easily manipulate the information on the client and can obtain the item that they’re not permitted to have.

This is just a quick short overview of how to protect your back end. I see many scripts with no backend protection at all. Yes, there are more advanced ways and extra stuff but this is more for beginners.

The whole tutorial is also based on the protection of your server so it is quite clear that the checks will be on your server :man_facepalming:

If you check on the server and edit the money on the server, as an example of a shop, then there is a low chance of someone being able to get an item they do not have the money for. You of course should also check on the client as well really because then someone who is not exploiting can be dealt with by the client, but you should always check the server as well.

I really don’t see how it is confusing or not well written as the whole point of this post is the protection of the server so I don’t think someone would be confused about what I am talking about.

2 Likes
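
The checklist in the tutorial (server-side stats, request rate, acting only on the player value Roblox provides) and the shop case discussed in the replies, combined into one purchase handler. This is an added example, not code from any poster in the thread; the remote path `RS.Events.Shop.Buy`, the `ITEM_PRICES` table, the `leaderstats.Money` value and the one-second cooldown are assumptions for illustration.

```lua
-- Added example (server Script). The remote path, item table and the
-- leaderstats.Money value are assumptions for illustration.
local RS = game:GetService("ReplicatedStorage")
local Players = game:GetService("Players")

-- Prices live on the server; the client only sends an item name.
local ITEM_PRICES = { Sword = 100, Shield = 250 } -- constructed sample data
local COOLDOWN = 1 -- minimum seconds between accepted requests per player

local lastRequest = {} -- [Player] = os.clock() of the last accepted request

-- Pure validation: returns true and the price, or false and a reason for logging.
local function canBuy(itemName, balance, now, last)
	if type(itemName) ~= "string" then
		return false, "bad argument type"
	end
	local price = ITEM_PRICES[itemName]
	if not price then
		return false, "unknown item"
	end
	if last and now - last < COOLDOWN then
		return false, "rate limited"
	end
	if type(balance) ~= "number" or balance < price then
		return false, "not enough money"
	end
	return true, price
end

RS.Events.Shop.Buy.OnServerEvent:Connect(function(plr, itemName)
	-- plr is supplied by Roblox, not by the client, so it identifies the sender.
	local stats = plr:FindFirstChild("leaderstats")
	local money = stats and stats:FindFirstChild("Money")
	if not money then return end

	local now = os.clock()
	local ok, result = canBuy(itemName, money.Value, now, lastRequest[plr])
	if not ok then
		warn(("Rejected purchase from %s: %s"):format(plr.Name, result))
		return
	end
	lastRequest[plr] = now
	money.Value -= result -- deduct on the server, then grant the item here
end)

-- Drop the table entry when a player leaves so it does not grow forever.
Players.PlayerRemoving:Connect(function(plr)
	lastRequest[plr] = nil
end)
```

The client never sends a price or a balance, so there is nothing for a modified client to tamper with beyond the item name, which the server looks up in its own table.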