Place botting explanation & ways to combat it

That’s actually a good idea. Consider posting it in #platform-feedback:engine-features, or wherever appropriate. I’m conflicted if it would be considered a web feature, or an engine feature.


This is really cool, and I’m definetely going to find great use for it.

There was something that I was questioning making before. I was considering making a script which sends a bunch of player data to a web API, like chat messages, movement, etc. The API would then use some sort of machine learning algorithm to determine if that person should be flagged as a bot. The more games that use the script and the more people that join those games, the smarter it will become and the more bots that will be detected. It would kind of be like reCaptcha, but instead of tracking mouse movement and all that other data, it tracks all the player and character data in the game and past games it joins.

Edit: It could look at join date, avatar, their inventory past joined games, accounts with similar names, chat messages, interval between messages, message similarity, etc


The question is if there is such a simple (granted temporary) solution why hasn’t Roblox implemented it themselves yet? Correct me if I’m wrong and don’t understand the premise of this fix.

I have a small question on this. I am implementing this into my game currently, and in the game, I do manually load the Character from a script which seemed to affect the repeat wait() until client.Character. Since I manually load the Player’s character in when the Player has finished loading all of the game’s assets, would just pinging the server after the Player has loaded the assets work aswell? You said that they don’t Run local scripts so this should be safe and work, correct?

They’ve tried but it’s not simple to implement a global solution since if it’s bypassed, it’s for all games. If developers have different challenges it’s impossible to constantly update a bot for each game.


This is a really neat post and I definitely appreciate the new insight on the subject.

Though, as helpful as this is, it doesn’t solve botting dislikes or likes which is one of the BIGGEST security issues Roblox has to date. Dislike/like botting is an epidemic no one but Roblox can fix realistically.

As far as I know you can only shoddily prevent dislike botting by kicking any players that are under a certain age (1 < day old accounts are kicked). Your method you’ve introduced. And a couple of other methods, but these are band-aid fixes onto a gushing wound.

But this obviously doesn’t prevent the frequent botted games getting 1k, 5k, 10k, even 100k. Even reputable games like Adopt Me and others have been botted before.
Usually games that get player-botted have horrible like/dislike ratios but who’s to stop a semi-decent game or even a good game with good ratios from being boosted from a couple thousand bots?

I won’t touch on it too much since it’s a bit off-topic but don’t even get me started on how much the Library received botting issues a few months back.

TLDR This is awesome, thank you :heart:. I just wish the actual problem was cut at the root.

I did have a question though. Where are some sources on this? I would personally love to research more on this for more ways to prevent this until Roblox fixes it.


Instead of each game having its own challenge, it would be possible to make a general solution.

Essentially the server generates a problem. This problem would be hard to solve, but easy to verify. Think proof of work bitcoin style.

What this means is that a client would have to solve a somewhat computationally complex problem in a limited amount of time. An individual computer would be able to solve it with little problems. However a bot that generates thousands of joins would need a substantial amount of computational power in order to answer 1000s of these questions, something that these bot users likely do not have.


While that could stop the bots that chat in-game to go to sketchy sites for free robux, I highly doubt that it would stop the dislike/like bots.

Correct me if I’m wrong, but they can still dislike/like bot the game even if they didn’t finish the problem if this were to be implemented.

1 Like

It’s already been stated before, we can’t stop dislike/like bots. But the method I listed will stop player botting your own game (for the most part).

Basically summed it up perfectly. The real problem has to be dealt with by ROBLOX, but as of right now we can only fight back partially.

1 Like

This is very interesting. I have had one idea I’ve never implemented and eventually shot down, but it’s much more basic. Its simply just creating a giant “X” button on the player’s screen and if they don’t click within 5 minutes or so, kick the player…

But obviously, 5 minutes is too long and I can’t tell if it’s just a bot or a player getting a snack lol


I wonder how effective Captcha systems could be in this case. Something like this except maybe the button could move with each press randomly. Bots attacking game servers - #2 by toocrusty

That is if the bots do eventually break through the measures we have now. It wouldn’t surprise me with how quickly they seem to adapt.

I made an updated version.
Check it out, I think this will prevent in-game botting but not dislikes, maybe checking user’s age and kicking them will but I think Roblox should do something about it.

New players must be able to play games only after they’ve verified their email.

Oooooh. Much better. And yeah, we definitely need verified emails and a time amount needed to dislike to be added.

Personally not a fan of this one. Just annoying for the user.

I don’t think we should be using “captchas” at all.

i do agree, it does ruin the user experience

Yeah, that’s fair. It’s makes the user experience a bit more… Rough? It kind of takes some immersion away.

Don’t think that’s the case, I do recall a time where I clicked the play button but then later the client failed to load because of my slow internet, though I was still able to rate the game after i’ve clicked the play button.

1 Like

Five seconds doesn’t seem to be enough. I tried this on my games and people with slow internet (I assume) were complaining about being kicked.


Bots must follow all user-account restrictions. It’s impossible to tell if the user is a bot based on name and if account age is put Into perspective, you’re missing out on a lot of new players joining your game. This is not a developer issue. This is simply Roblox failing to follow modern security techniques.


It’s impossible to tell if the user is a bot based on name and if account age is put Into perspective

Which this thread doesn’t do? Did you even see how the place file works?