I tried some experiments, that there are several ways for noclipper to go through a wall.
I notice that Part.Touched event doesn’t even work if the client side part nil, which doing a Raycast over and over might lag.
But can anything atleast prevent this or even stopping it? Detecting a part loss on workspace might be a little laggy if the game contains a lot of parts, worse if the game uses map changing.
Don’t overdo it. Some things you will need to let people get away with for the sake of stability and performance. Only try to detect noclippers in places that will be most crucial.
I believe you can no-clip through a wall by just teleporting your character through it, so detecting part loss might not work anyway.
It would if they used raycasts on the server, but as Jarod said, don’t overdo it.
Some games don’t have enough going on to make constant raycasts really harm performance, but of course this isn’t true for all games. There’s nothing I hate more when playing a game than when the game is ruined from the creator trying to stop exploiters from ruining it. The biggest issue with exploiters is the fun they ruin, so if you ruin the fun in your game just to get rid of them then your exploit prevention is just redundant.
tl;dr Games are for having fun. There’s several ways to make exploiting harder, but don’t ruin the fun just to make exploiting harder.
Oh and to add onto my last post, @ op, you could probably receive more advice if we knew the nature of the game. Different games call for different measures. You might not need to even worry about stopping them from walking through walls specifically.
Character auto replicates right? Just set up some region3s and check player perms in said regions lol.
Use player.Character.Torso:GetTouchingParts() and if any of the parts happen to be inside of the torso’s character by let’s say .1studs or more, you can conceivably believe this to be auto clipping. You might want to have some exceptions too such as bullets that might not register until they actually go into the character, and other body parts.
When a Roblox user goes through an object its using StrafingPhysics. Check when the HumanoidStateType changes and then see if the state was put to StrafingNoPhysics then kick the user, etc…
plr.Character.Humanoid.StateChanged:connect(function(State)
if State == Enum.HumanoidStateType.StrafingNoPhysics then
print(plr.Name.." is using noclip!")
script:Remove()
end
end)
I’d recommend hiding this within a local script inside of StarterPlayerScripts.
Client-side (LocalScript) checks can always be disabled. These fall under the categories of “obscurity” and “obfuscation”. You do not want these to be your first line of defense!
Server-side checks can never be disabled. These fall under the categories of “validity checking” and “sanity checking”. You want these to be your first line of defense because there’s no way around them!
Implement server-side checks first, then implement client-side checks only if you have to, and only if there’s still exploiters.
The most reliable method is to check the Position property of the root part on the server.
Position changed too much in a single step? Exploiting. (Teleporting)Position has consistently been too high for X seconds? Exploiting. (Speed)Position to current Position passes through parts? Exploiting. (Noclip)Position has consistently returned too large of a distance for X seconds? Exploiting. (Flying)Why do it this way:
Sometimes there are false positives. The consequences for exploiting do not need to be far-reaching or permanent. Respawning the player seems like a reasonable consequence – exploiters don’t get to play the game, and false positives just get a slight, temporary interruption.
To add on to this, make sure to be wary of players who simply have a laggy connection. If someone lags out for a second or two and walks around a corner, server-side detection would see it as them walking through the wall and/or moving a large distance in one step (since the server only gets the client’s new position after the lag spike ends), so you may not want to be overly strict in every case. If a client is consistently failing multiple checks though, it would be perfectly appropriate to take some form of action on them.
One guy I was talking to recommended a Trust value you assign to each player which starts at 100 when you join the game. You’d then check everything that @Corecii recommended checking, maybe once every second (give or take, could be frame by frame, once every 5 seconds). Every time some odd number shows up in the feedback, you reduce the Trust value, and only punish a player if it drops below a certain threshold.
Of course I guess you’d need to account for laggy players as well, who might spit out false positives a lot.
I would recommend hiding the code in one of the Default Roblox Script and also have other scripts detect if it’s being disabled or not.
I think even tho the script can be removed entirely, if the script is a movement script then shame on the Exploiter. 
that reminds me of a lag switcher exploit. Which almost can be prevented by doing a repetitive event from server to client. When the client doesn’t responds for like half a minute, it kicks that person
Doesn’t the server already kick someone if their client hasn’t responded in half a minute?
Though kicking people for lagswitching isn’t really a good idea since there’s no real way to tell the different between lagging and lagswitching on the server. If the server is pretty certain they’re lagswitching for some advantage, then just disable whatever that advantage they could be getting is for a moment.
Example
Let’s say you have a gun system, mind you a not a very good one since the server doesn’t make sure gun shots are legitimate for the sake of the example (this is more common than it should be), and you’re looking to prevent lagswitching. The issue is, when someone puts their computer in airplane mode (or whatever they do), they get this short moment of being able to just repeatedly shoot someone, and when they turn airplane mode off all these shots will register.
To get around this, you would need to make a system that records the ‘responsiveness’ of each player’s client. Mark down their responsiveness somewhere that other scripts on the server can read it, and when registering a gun shot on the server, you would just need to make sure their client has been recently responsive enough before doing damage. If not, they’re either lagswitching or just lagging, and both of those things are annoying for other players.
I believe you’re referring to an old post I made.
What I do is score how untrustworthy I consider each player in game to be. When they make an unusual request that I wouldn’t expect from a normal player, or perhaps move in an unconventional way (such as no-clipping) then I increase their score by some amount depending on how odd the action was. If it reaches a certain threshold, kick them. It’s also worth noting that this score should decrease over time since occasional offenses could imply something other than exploiting.
In the interests of this topic it’s a good way to deal with no clippers. Players can get stuck inside parts, flung out of a map or other unusual physics quirks, these can potentially throw false positives in terms of no-clipping and most methods may mean you kick this player despite them not doing anything wrong intentionally. Instead, you can bump up the score when you believe the player is no clipping and if they keep doing it they’ll eventually be kicked after reaching the threshold.
I believe this is actually what Phantom Forces does. If you fly around or run around too fast, the server temporarily prevents you from dealing any damage for some time. If you persist, the game will kick you at about 1-2 min in. This seems to work pretty well as (at least I) have only run into 1-3 exploiters ever in PF. It’s also a practice that can piss off the exploiter as they run around thinking they’re dealing damage lol.
if i put anti-exploit code inside one of roblox’s default core roblox scripts, if exploiters try to disable a core script doesn’t that just break their character? i mean, even if they disable an anti-exploit they’d just break their own game, and if that’s true, why would i need other scripts checking for the enabled/disabled state of the core roblox localscript?
Technically, by editing the core scripts, you are exploiting, and can be banned
(Unless you mean by forking the default character movement scripts and adding something at the bottom)
Ok I have a solution for this, but I’ll bring up a part of it
So, Imagine it like this…
Add a part to the character.
This Part will be named “TriggerNoclip”
The Part will be sized to 0.001,0.001,0.001
CanTouch will be enabled and CanCollide will be disabled
Transparency will be 1 and Anchored will be disabled
This Part will need to follow the Root Part, so this is your choice.
You could use welds(Which I think exploiters have access to) or anchor the part and set its cframe to the root part’s cframe each time when the player moves.
From here, you probably know what to do.
Edit: Also if you’re confused, I’ll send a roblox place file for it 
The best way to detect noclip is in my opinion raycast. It’s a pretty simple,and effective way. If you scripted everything correctly there should also be no false detections.