What is the best way to detect a speed hacker?

game:GetService("RunService").Stepped:Connect(function()
	Player.Character.Humanoid.WalkSpeed = 16
end)

If you are using a sprinting system or a powerup. Just make a bool value inside the player and server check it.

Ehhh, it could annoy some skids, but all they have to run is getniliinstances and then they found any script that you tried to hide from them.

Never rely on the client a clever exploiter can change the speed limit as well as fireing those remote events to kick players

They would not be able to change others’ speeds unless there is a RemoteEvent that changes speeds, but again look back at the topic title - “What is the way to detect a speed hacker?” Advanced exploiting is out of the question, if they can directly change the speed of other players then that is a flaw in the game’s security.

That was a typo. It was meant to say “What is the best way to detect a speed hacker.” Thanks for mentioning it

coulden’t the hacker just destroy the local script and keep hacking?

That is possible, in that case a solution could be to have a server-sided script with a LocalScript (the one checking for hacks) cloning it into the player regularly. Many ways are possible, that was just a rough idea. But I agree.

Pretty good soloution

When it comes to exploiting you really can’t rely on any LocalScripts or anything that an exploiter would have NetworkOwnership which in this case is their player.

You could use .magnitude or raycasting to find the distance they traveled since the last heartheat, or render step. But this would slow down performance on large servers and can easily make your game unplayable to players with high ping.

I would really just stick to what @Operatik mentioned in their post since you can only protect your game from exploiters so much until you start hindering the game for your loyal fans who will make up for much more of your player count than the small group of exploiters.

Script called AntiCheatServer:

-- Services
local PlayerService = game:GetService("Players")

-- Variables
local players = {}

-- Event connections
PlayerService.PlayerAdded:Connect(function(plr)
	table.insert(players, plr)
end)

PlayerService.PlayerRemoving:Connect(function(plr)
	table.remove(players, table.find(players, plr))
end)

-- Main loop
while true do
	for _, plr in pairs(players) do
		if plr.Character then
			local acScript = plr.Character:FindFirstChild("AntiCheatClient")
			if acScript == nil then
				plr:Kick("Knock knock, the Anti-Cheat police is here!")
			else
				if acScript.Disabled == true then
					acScript.Disabled = false
				end
			end
		end
	end
	wait(1)
end

LocalScript called AntiCheatClient, should be in StarterCharacterScripts:

if script.Parent:IsA("Model") then -- Prevent the code from running inside StarterCharacterScripts
	-- Services
	local PlayerService = game:GetService("Players")
	
	-- Variables
	local character = script.Parent
	local humanoid = character:FindFirstChild("Humanoid")
	local player = PlayerService:FindFirstChild(character.Name)
	
	-- Functions
	function kickPlayer()
		player:Kick("Knock knock, the Anti-Cheat police is here!")
	end
	
	-- Event connections
	humanoid:GetPropertyChangedSignal("WalkSpeed"):Connect(function()
		kickPlayer()
	end)
	
	humanoid:GetPropertyChangedSignal("JumpPower"):Connect(function()
		kickPlayer()
	end)
end

This is from my own anticheat, it (hopefully) kicks the player if they try to delete the client-side of the anticheat and enables the client-side of the anticheat if it gets disabled.

It also kicks the player if it changes walkspeed or jumppower either server-side or client-side. Which you might want to add some code to to add exceptions to it.

This would kick the player if the script is still there however the player can still delete the script and the server wouldn’t know. When the client deletes a script it will not replicate to the server as shown here.

The only way to have a good anticheat would be to have it be 100% server sided, as stated before you could use v=d/t to calculate speed and punish them but it could affect people who lag.

Better crash exploiter’s client, because they can just revert your request to kick from server

Excuse me, but what about

while true do
       print("ez")
end

Yes, but I just give tip that will be bad idea to call remotes. You right all client is under exploiter control, but it depends if you hide your AE properly. But of course they still may find that

And you absolutely right. (30 chars bruh)

Magnitude (RenderStepped, server-sided)

The walkspeed property is not replicated to the server, checking this on the server won’t work, hence don’t try.

Don’t rely on client-sided checks as anyone can bypass it pretty easily.
They don’t even have to use a LuaSourceContainer to run code either, they can simply counter anything you are doing on the client, even remove the scripts completely.