Securing Your Server
Steps to enhance the security of your Minecraft server.
Securing Your Minecraft Server
Keeping your Minecraft server secure is essential, especially if it's open to the public. This guide covers the most important settings and best practices to protect your server from hackers, griefers, and unauthorized access.
Important Notice
This guide does NOT apply to servers in networks using a proxy (such as BungeeCord or Velocity). If your server is behind a proxy, ensure that the proxy handles authentication and follow its security recommendations.
Online Mode Settings
One of the most critical security options for a Minecraft server is the online-mode setting in server.properties.
When online mode is enabled, every connecting player is verified against Mojang / Microsoft's authentication servers. This helps to ensure that:
- Players are using legitimate, purchased Minecraft accounts
- Players cannot impersonate others by re-using their usernames
- Certain exploits and bots are harder to abuse
Recommended: online-mode=true
For almost all public or community servers, you should run in online mode.
# Recommended for most servers
online-mode=true
Benefits:
- Only legitimate Minecraft accounts can connect
- Players cannot connect as someone else's username
- Better protection against common security exploits and bots
- Compatible with most “premium-only” plugins and features
Use this if:
- Your server is public or semi-public
- You have any valuable builds, economy, or progression
- You are not intentionally running a cracked/offline server
Offline Mode: online-mode=false (Not Recommended)
# Not recommended unless you know what you are doing
online-mode=false
Running in offline mode turns off Mojang/Microsoft account verification.
Warning
Only use offline mode if you fully understand the risks and have put other protections in place (reverse proxy, auth plugin, firewall, etc.).
Common reasons to use offline mode (with extra security):
- Hosting a cracked server that allows non-premium accounts
- Running the server behind a proxy such as BungeeCord or Velocity (the proxy does the authentication instead)
Risks of offline mode:
- Anyone can join using any username, including staff names
- No built-in verification of player identity
- Much higher risk of griefing and unauthorized access
- Certain exploits become trivial to abuse
If you must use offline mode (for example, behind a proxy), you must add an authentication plugin and other protections described later in this guide.
How to Change online-mode
The exact panel layout can vary, but the general process is always similar.
Log in to your Game Panel.
Go to your server and open the Files or File Manager section.
Find and open the file named server.properties.
Locate the line that starts with online-mode= and change the value to either true (recommended) or false (offline mode).
motd=A Minecraft Server
network-compression-threshold=256
online-mode=true
op-permission-level=4
pause-when-empty-seconds=60
Save the file.
Restart your Minecraft server so the change takes effect.
Additional Security Measures
online-mode is only one part of securing your server. For stronger protection, combine it with the measures below.
1. Use Anti-Grief and Protection Plugins
- Install an anti-grief plugin such as CoreProtect to log block changes and roll back griefing.
- Use claim/region plugins (for example, GriefPrevention or WorldGuard on supported server types) to protect important areas from unauthorized edits.
2. Set Up Permissions Properly
- Use a permissions plugin like LuckPerms.
- Create separate groups for regular players, moderators, and admins.
- Grant only the minimum permissions needed for each role.
Tip
Avoid giving * (all permissions) to any group other than a trusted owner/admin account, and never to normal players.
3. Use a Whitelist for Private Servers
For small private servers, enable the whitelist so only approved players can join.
use-native-transport=true
view-distance=10
white-list=false
- Add player usernames to your whitelist via the panel or server console.
- This is especially useful for family/friends-only servers.
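To confirm what the server will actually load after editing server.properties, the following added example (not part of the original guide or any panel tooling) checks the online-mode and white-list settings discussed above, including duplicate lines and missing keys. The sample file content, the function names and the behind_proxy flag are assumptions made for illustration.

```python
import re

# Constructed sample; the second online-mode line is a deliberate mistake.
SAMPLE = """\
#Minecraft server properties
motd=A Minecraft Server
online-mode=true
op-permission-level=4
white-list=false
online-mode = False
"""

# Values the server falls back to when a key is missing from the file.
DEFAULTS = {"online-mode": "true", "white-list": "false"}
PAIR = re.compile(r"^([^=:\s]+)\s*[=:]\s*(.*)$")

def parse_properties(text):
    """Map each key to every value it is given, in file order."""
    values = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "!")):  # blank line or comment
            continue
        match = PAIR.match(line)
        if match:
            values.setdefault(match.group(1), []).append(match.group(2).lower())
    return values

def audit(text, behind_proxy=False):
    """Return (severity, message) findings for online-mode and white-list."""
    props, findings, effective = parse_properties(text), [], {}
    for key, default in DEFAULTS.items():
        seen = props.get(key, [])
        if len(seen) > 1:  # Java's properties loader keeps the last entry
            findings.append(("warn", f"{key} is set {len(seen)} times; the last line is used"))
        effective[key] = seen[-1] if seen else default
        if effective[key] not in ("true", "false"):
            findings.append(("warn", f"{key}={effective[key]!r} is not true/false; fix it by hand"))
    # behind_proxy is a hypothetical flag: the proxy authenticates instead.
    if effective["online-mode"] == "false" and not behind_proxy:
        findings.append(("high", "online-mode=false: account verification is off"))
    if effective["white-list"] == "false":
        findings.append(("info", "white-list=false: the server is open to any player"))
    return findings

if __name__ == "__main__":
    for severity, message in audit(SAMPLE):
        print(f"[{severity}] {message}")
```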
4. Authentication Plugins for Offline Mode
If you must run offline mode, install an authentication plugin (for example, login/register plugins) so that players must set a password inside the server.
- Require strong passwords for in-game accounts.
- Enable features like session timeouts and login attempt limits if available.
These plugins do not make offline mode as safe as online mode, but they are essential to reduce the risk of impersonation.
5. Keep Your Server Updated
- Always run a supported Minecraft version and keep your server jar (Paper, Spigot, Fabric, etc.) up to date.
- Regularly update plugins and mods to their latest stable versions.
- Remove unused or unmaintained plugins that could introduce vulnerabilities.
6. Regular Backups
- Schedule automatic backups of your world and important configuration files.
- Store backups off-server when possible (another disk, object storage, or your own PC).
- Test restoring a backup occasionally so you know it works before you need it.
7. Secure Your Panel Account
- Use a strong, unique password for your panel account.
- Do not share your main account; instead, use sub-users or team accounts when available.
- Enable Two-Factor Authentication (2FA) if your account supports it. For more details, see the 2FA guide.
8. Monitor Logs and Activity
- Review your server logs regularly for suspicious activity, repeated failed login attempts, or unknown commands.
- Keep an eye on new players that join, especially if you run in offline mode or have recently changed security settings.
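One way to automate part of this review, as an added example that is not from the original guide: the script below scans console log text for the offline-mode startup warning, for staff usernames logging in from an address outside a known baseline, and for commands run during such a session. The log lines, usernames and the staff_ips baseline are constructed, and the patterns assume the vanilla console format with IPv4 addresses.

```python
import re

# Constructed log lines in the vanilla server console format.
SAMPLE_LOG = """\
[10:00:01] [Server thread/WARN]: **** SERVER IS RUNNING IN OFFLINE/INSECURE MODE!
[10:02:11] [Server thread/INFO]: OwnerAlice[/198.51.100.7:51544] logged in with entity id 12 at (0.5, 64.0, 0.5)
[10:40:03] [Server thread/INFO]: Builder42[/203.0.113.20:40112] logged in with entity id 31 at (10.5, 70.0, -3.5)
[11:15:47] [Server thread/INFO]: OwnerAlice[/203.0.113.99:60231] logged in with entity id 44 at (0.5, 64.0, 0.5)
[11:16:02] [Server thread/INFO]: OwnerAlice issued server command: /op Builder42
"""

LOGIN = re.compile(r"\]: (\w+)\[/(\d{1,3}(?:\.\d{1,3}){3}):\d+\] logged in")
COMMAND = re.compile(r"\]: (\w+) issued server command: (/\S+)")
OFFLINE = "SERVER IS RUNNING IN OFFLINE/INSECURE MODE"

def review_log(text, staff_ips):
    """staff_ips (hypothetical baseline): {staff name: set of usual IPs}."""
    alerts, suspect = [], set()
    for line in text.splitlines():
        if OFFLINE in line:
            alerts.append("server started in offline mode")
            continue
        login = LOGIN.search(line)
        if login:
            name, ip = login.groups()
            if name in staff_ips:
                if ip in staff_ips[name]:
                    suspect.discard(name)   # back on a familiar address
                else:
                    suspect.add(name)       # watch this session's commands
                    alerts.append(f"staff name {name} logged in from unfamiliar address {ip}")
            continue
        command = COMMAND.search(line)
        if command and command.group(1) in suspect:
            alerts.append(f"{command.group(1)} ran {command.group(2)} during that session")
    return alerts

if __name__ == "__main__":
    for alert in review_log(SAMPLE_LOG, {"OwnerAlice": {"198.51.100.7"}}):
        print(alert)
```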
Security is an ongoing process, not a one-time setup. Periodically review your server.properties, plugin configuration, and panel security settings to make sure your Minecraft server stays protected as it grows.