Exploiters are hard to avoid. There is plenty of software created mainly to inject code into a ROBLOX game in order to change something in the game for the client. Luckily, we are in a good time, as it used to be far worse!
Exploiting began with simple software such as Cheat Engine. In the past, Filtering Enabled was not a thing, meaning any change from a client would be instantly replicated to the server. This often ruined games, and for me, Prison Life (which is still a common place for exploiters). After a patch dealing with Cheat Engine, ROBLOX-specific cheating software slowly began to appear. After a while, however, along came Filtering Enabled! It is a godsend to developers: it made it so that things like the character, the ReplicationFocus (HumanoidRootPart) and local scripts are the only ways a game can be affected. Some time in the past, FE (Filtering Enabled) became mandatory for games. This does not mean that a server is completely safe from exploiters, even today.
Nowadays, exploiters have become more common because exploit software such as KRNL and Synapse X is readily available. While it has grown harder to ruin a whole game for a little kid with Cheat Engine, things like remote events, which developers use to replicate client actions to the server, have flaws. Remote events can be seen with scripts like RemoteSpy, and can even be fired! This makes it very important to do things such as sanity checks, which check whether it is appropriate and possible for a player to fire a remote event normally. It is recommended that most checks against exploiters be server-sided, since exploiters can just disable LocalScripts.
There are plenty of differences between normal exploiters and those that have gone beyond simple Synapse X. One of these is backdoors. A backdoor is malicious code, usually obfuscated and difficult to find, that gives power to a player that you do not want to have power in that game. (These are usually exploiters.) Backdoors can often be seen on popular exploiter YouTube channels. Backdoors can be snuck in by a suspicious developer, a free model added into a game, or even a plugin! Most backdoors try their best not to be seen by any developers, and give as much of the server side to a player as possible. If you kick someone with exploits, that means that you most likely used a backdoor in order to achieve this.
I have a guide on how to delete backdoors here.
Known Exploitable Objects
- Anything inside the character (can be deleted)
- LocalScripts (can be disabled and deleted)
- Scripts inside the character (only deletable)
- The Humanoid (can be deleted, and things on it modified)
- Any sort of client-side effects
- Any RemoteFunction or RemoteEvent (can be fired at any time)
Objects hidden from the client
- Objects inside ServerStorage
- Objects inside ServerScriptService
It is best to keep things outside of the character’s model, keep any important scripts inside ServerScriptService (keeping scripts there is better than Workspace, because scripts inside Workspace look weird and may make exploiters feel more “free”), secure your RemoteEvents, and not underestimate the abilities of an exploiter.
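The server-side sanity checks recommended above, sketched as an added example that is not code from the original post. The RemoteEvent name "CollectCoin", the "Coins" folder, the "leaderstats" value and the numeric limits are all assumptions made for illustration.

```lua
-- Added example: a server Script meant to live in ServerScriptService.
-- Assumed names: RemoteEvent "CollectCoin" in ReplicatedStorage, Folder "Coins" in Workspace.
local Players = game:GetService("Players")
local ReplicatedStorage = game:GetService("ReplicatedStorage")

local collectCoin = ReplicatedStorage:WaitForChild("CollectCoin")
local coinsFolder = workspace:WaitForChild("Coins")

local MAX_DISTANCE = 12 -- studs; assumed pickup range plus slack for latency
local COOLDOWN = 0.2    -- seconds between accepted requests per player
local COIN_VALUE = 1    -- the reward is decided by the server, never sent by the client

local lastAccepted = {} -- [Player] = os.clock() of the last accepted request

collectCoin.OnServerEvent:Connect(function(player, coin)
	-- 1. Type check: the client can send anything, including nil or a table.
	if typeof(coin) ~= "Instance" or not coin:IsA("BasePart") then return end
	-- 2. Existence check: the part must be a real coin that is still in the server's folder.
	if coin.Parent ~= coinsFolder then return end
	-- 3. Rate limit: a remote can be fired in a tight loop.
	local now = os.clock()
	if now - (lastAccepted[player] or 0) < COOLDOWN then return end
	-- 4. State check: the player needs a living character.
	local character = player.Character
	local root = character and character:FindFirstChild("HumanoidRootPart")
	local humanoid = character and character:FindFirstChildOfClass("Humanoid")
	if not root or not humanoid or humanoid.Health <= 0 then return end
	-- 5. Possibility check: could a normal player reach this coin right now?
	if (root.Position - coin.Position).Magnitude > MAX_DISTANCE then return end

	lastAccepted[player] = now
	coin:Destroy() -- destroy first, so a repeat request for the same coin fails check 2
	local stats = player:FindFirstChild("leaderstats") -- assumed leaderboard folder
	local coins = stats and stats:FindFirstChild("Coins")
	if coins then coins.Value += COIN_VALUE end
end)

Players.PlayerRemoving:Connect(function(player)
	lastAccepted[player] = nil -- drop the entry for a player who has left
end)
```

Because the character is on the list of exploitable objects, the distance check narrows what a fired remote can do rather than proving the player is legitimate; the type, existence and rate checks do not depend on anything the client controls.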