Preventing exploiters from remote event?

How can I prevent exploiters from firing a remote event?


You don’t really

You just check on the server side if its harmful (if they’re spamming it or sending junk).

Or you could try and hide it somewhere where they can’t find it.

Just avoid making remote events valueable. Don’t use a remote event that would give the player free money.

Also I would check researching yourself how to defend against exploiters.

1 Like

probably add parameter even tho a remote doesnt need one as if exploiters try firing them they would need to know the params for the specific remote so you could do:

givemoneytoplayer:FireServer("Password")--the password would be a random text determined by you
local yourpass = "ThisIsASafePassword"
   if pass == yourpass then
      player:Kick("Caught cheating")

Well, this wouldn’t work since exploiters can see the local script. So you better off checking and making sure that it is right and not something dangerous with server script.

1 Like

uhmm i once tried an exploit and it didnt realy showed the local script so i dont think its that dangerous

An exploiter can see everything except things that are only visible to the server like serverscriptservice but even then there the localscripts won’t run. So basically if you’re trying to use localscripts they’re always vunerable.

1 Like

Exploiters with a proper executor like Synapse X or Krnl (or any WRD type exploit, WRD was recently updated to support advanced functions) can use hookfunction and see what’s being sent to the server, using a password is useless.

1 Like

This question has been asked so many times before, and the answer has always been the same, it’s a simple one: don’t try to prevent exploiters from firing your remotes. Instead, focus your efforts on making sure they cannot abuse vulnerabilities you leave in them.

Said vulnerabilities can range from a remote that gives the player money, or one that deals damage to a character. You should simply never trust the client to be telling the truth, and instead, handling all validation on the server appropriately to prevent an exploiter lying to the server and firing a remote to get whatever they want.

An example in the case of the money remote: let’s say this was being fired to gain the reward from a quest, in this case, you should have the remote be fired to tell the server that they completed the quest, and then have the server validate whether or not they completed the quest, and if they did, then reward the player based on information about the quest stored on the server.

In the case of the damage remote example, if this were for a sword, you could have the client tell the server that they think they hit this character and ask the server to damage them, the server would then validate this request by checking some factor such as the distance between the player’s character and the other character, and if so, dealing damage to the character in question based on what you set the sword’s damage as on the server.


i have krnl but i didnt get access to local scripts all i saw in the local script was all encoded in a weird way basically impossible to understand

You need a decompiler script to decompile it for you, now obviously I won’t tell you where and how to get one.

1 Like

I was trying to figure out a way to prevent “certain exploit that you don’t want to reveal” but there is no way to prevent it unless roblox lets you see if something gets added to it (which you can’t lol)

Asking this question is useless. It’s not possible to prevent any exploiter from doing anything with your Remote. RemoteEvents are forced to be shown on the client in order to be used. That’s their purpose.

You can make decent protection like making something like a table of allowed userIds and then using

table.find(Table, Value)

to help prevent users who aren’t allowed, but at the end of the day, this method isn’t practical for every remote. Don’t make your RemoteEvents worth exploiting. If it’s a core game mechanic, then there must be another way to have it practically done on the server.

Things like asking the server to retrieve data from a DataStore and returning to the client based on that input is a good type of RemoteEvent/RemoteFunction use, since you can’t really exploit a DataStorage that’s not on the client.

TLDR it’s not possible. you can make some defenses, but you can’t. this question isn’t worth asking tbh, not to mention it’s been asked so many times.

the answer is obfuscation, exploiters can then see the script but not the plain text password, since it looks like this:


You can’t prevent it obviously, that is up to Roblox

Yeah I know D: it’s kinda annoying why does roblox not let us see what is added to core gui D:

Even if Roblox adds those feature, again anyone with syn.protect_gui or similar won’t be affected as syn.protect_gui prevents any protected gui from being detected by recursive FFA attacks or such

why does everything so complicated bruh I mean this is kinda annoying tbh

Theres no point defending your remotes from exploiters when they can exploit and see what the secret code is. The best you can do is add server-side checks and make sure that they don’t spam the remote too often. For example

local Debounce = false
local Event = ...

  if not Debounce then -- Check that the debounce isn't active
    Debounce = true -- Set it to be active
    -- Do the things here
    task.wait(1) -- After 1 second they can re-fire.
    Debounce = false
    print("Player is firing remote event too quickly, not responding")

Not entirely, their protect_gui way has some vuln to it that can be used to detect GUIs :slight_smile: