Preventing Exploiters from firing Remote Events

Why hide them? (You can’t anyways).

Make sure you’re doing all the sanity checks on the server; that way exploiters can’t abuse them.
They can abuse FireServer; that’s the one you need to secure. Anything else (e.g. FireClient/FireAllClients) is safe.


The title might have been confusing or misleading but I changed it.

There is no need to hide a remote, it can be found easily as it exists in their memory.

Yes, but what are the appropriate checks to make sure that it isn’t an exploiter that fired the remote?

Do the logic on the server.

But how do I differentiate between an exploiter and a local script?

What are you trying to do with the remote event?

I was talking in general, a way to prevent exploiters from abusing a remote event.

There is nothing in general you can do, everything needs to be case-specific. If a remote says to give the player money, check that it’s not too much money, check that they were doing something that might have involved money, or just don’t rely on a LocalScript at all for money. If someone buys something at the shop, tell the server they bought it and let the server check and withdraw their money. Never trust the client.


So yeah, in simpler terms of what he said: let’s say you wanted to let someone buy something with a GUI. Fire the remote event, then in the server script check how much money that player has, as they could easily just change the values if you send the amount of money or if they have enough when you check it in a local script. Let’s say you fired true or false from the local script; then the player could easily cheat that. If you just fire the event, it automatically fires the player’s name, meaning you could just check the player’s amount of cash in the server-side script, and bam, now that’s fixed.

No, you can’t prevent exploiters from firing remote events.
Parenting to nil is not going to work anyway.

You technically can’t. But you can do sanity checks. Here is an example: if you have a shop, and a player fires a RemoteEvent to buy something, you would check on the server if the player has enough money for it. If you don’t do that, an exploiter could fire the event to get the most expensive item, and if you don’t have any checks, they could get it for free. But if you check, they won’t get the item.

1 Like

Exploiters are clients as well, the code they execute is executed as a local script, you can’t say “this exploiter is not a client” or “this exploiter is not executing their code as a local script”.

Just do a sanity check. Make sure the remote is fired at the right time with valid arguments.

1 Like
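The shop case described in the replies above, written out as a server-side handler that checks argument types, request timing and the player's server-side balance. This is an added example, not code from any poster in the thread; the remote name `BuyItem`, the `leaderstats.Cash` value, the `PRICES` table, the cooldown value and the item templates in ServerStorage are all assumptions.

```lua
-- Server Script (e.g. in ServerScriptService). Added example; all names are assumptions.
local Players = game:GetService("Players")
local ReplicatedStorage = game:GetService("ReplicatedStorage")
local ServerStorage = game:GetService("ServerStorage")

local buyItem = ReplicatedStorage:WaitForChild("BuyItem") -- hypothetical RemoteEvent

-- Prices live on the server only; the client never sends a price or an amount.
local PRICES = { Sword = 100, Shield = 250 } -- constructed sample data
local COOLDOWN = 0.5 -- assumed minimum seconds between accepted requests per player
local lastRequest = {} -- [Player] = os.clock() of the last accepted request

buyItem.OnServerEvent:Connect(function(player, itemName)
	-- 1. Argument validation: a client can send any type and any value.
	if typeof(itemName) ~= "string" then return end
	local price = PRICES[itemName]
	if price == nil then return end -- not an item the shop sells

	-- 2. Timing: ignore requests that arrive faster than the cooldown allows.
	local now = os.clock()
	if lastRequest[player] and now - lastRequest[player] < COOLDOWN then return end
	lastRequest[player] = now

	-- 3. State check against the server's copy of the data.
	-- `player` is supplied by the engine, so it identifies the real sender.
	local stats = player:FindFirstChild("leaderstats")
	local cash = stats and stats:FindFirstChild("Cash")
	if not cash or cash.Value < price then return end

	local template = ServerStorage:FindFirstChild(itemName)
	local backpack = player:FindFirstChild("Backpack")
	if not template or not backpack then return end

	-- 4. Only the server withdraws the money and grants the item.
	cash.Value -= price
	template:Clone().Parent = backpack
end)

-- Drop per-player state when the player leaves so the table does not grow.
Players.PlayerRemoving:Connect(function(player)
	lastRequest[player] = nil
end)
```

The client's only job here is `BuyItem:FireServer("Sword")`; a request with a wrong type, an unknown item, too little cash or too little time since the last one is dropped without changing any state.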

Have the remote in replicated storage, acquire the reference to it with a local variable and set the remote’s parent to nil. Use the reference variable to call its functions. Only stops free exploit users.

local RemoteEvent = game:GetService("ReplicatedStorage"):WaitForChild("RemoteEvent") -- Location of your remote event (placeholder path, change it).
local FireServer = RemoteEvent.FireServer -- Leave this part.
FireServer(RemoteEvent, Argument1, Argument2, Argument3) -- Only change the Argument1 - 3 etc of what you wanna send over.

Basically try not to use :FireServer() as that’s what can be logged.

The way provided isn’t 100% unloggable; however, it is on platforms such as Synapse etc.

Additionally, the first Argument for :OnServerEvent is the Player that fired it, what I do is make the second Argument the Player it should be.

If both Argument1 and Argument2 match then proceed; if not, kick etc.


That doesn’t make sense; using . instead of : isn’t any better, : just passes self as its first argument.
If anything, it is slower, since Luau optimizes method calls.


You can’t, sure you could get the client to have a randomly generated string but that only protects you against people that don’t know exploiting well.

That’s not how life works…
All you are doing is swapping a colon for a dot, and you’re doing that on the client.
Anything stored/shared/fired on the client is accessible to the client to read and alter.

You want to share data between client scripts, but you don’t want it to be exploited, so you put the data in a string value and fire a bindable event with nothing to notify other local scripts you want them to read something… so the local script goes to this path of where the string value is and goes to read it by doing .Value; it can still be altered without touching the string value because the local script is trying to get data stored on the client.

It’s secure tho, as stated - it doesn’t log with hacking software such as Synapse.

What do you mean by “it doesn’t log”?