Your server IP is already indexed. Services like mcscans.fi continuously scan the entire IPv4 address space, cataloging every Minecraft server they find. Within hours of spinning up a new server, its IP, port, version, MOTD, and player count appear in a searchable database — visible to anyone.
That includes people who want to join your community. It also includes people who want to crash it, grief it, or compromise it entirely.
Whitelisting is the obvious first defense, and it works. But whitelisting only controls who can log in. It does nothing about the network traffic reaching your server, the permissions your players have once they are inside, or the outdated plugin sitting in your /plugins folder with a known remote code execution bug.
This guide covers the full attack surface — from the network layer to in-game permissions to automated patching — so you can build a server that is actually hard to break.
The Minecraft Server Attack Surface
Before you can defend something, you need to understand what you are defending against. Minecraft servers face three broad categories of attacks.
Network-Level Attacks
Scanners run 24/7, probing every routable IP for open ports. When they find port 25565 (or any Minecraft server port), they log it. Attackers use these databases to find targets for:
- DDoS attacks — flooding your server with traffic until it becomes unresponsive. Even small-scale attacks (a few hundred Mbps) can saturate a home connection.
- RCON brute-forcing — if your RCON port is exposed, attackers will attempt to guess your password. RCON has no rate limiting by default and no encryption. A weak password can be cracked in minutes.
- Query exploitation — the query protocol (UDP 25565 by default) leaks information: player names, plugins, server version. Some older query implementations have been vulnerable to amplification attacks.
In-Game Exploits
Once someone can connect to your server — even as a regular player — they can attempt:
- Permission escalation — exploiting misconfigured permission plugins to gain operator privileges
- Dupe glitches and inventory manipulation — client modifications that exploit server-side bugs
- Crash exploits — sending malformed packets or triggering specific block/entity interactions that cause server crashes (book bans, chunk bans, entity spam)
- Social engineering — convincing operators to grant permissions or run commands
Plugin and Software Vulnerabilities
Every plugin you install is code running with full server access. Vulnerabilities in plugins (or in server software like Paper, Spigot, or Forge) can allow remote code execution. In early 2026, CVE-2026-24871 demonstrated this risk: a critical vulnerability in a popular RCON management tool allowed unauthenticated attackers to execute arbitrary code on affected servers.
Most server owners never check for security advisories. Most never update plugins unless something visibly breaks. That is how exploitation happens.
Hiding and Hardening the Network Layer
You cannot make your server invisible — if it is on the public internet, it will be scanned. But you can reduce exposure and make exploitation harder.
Change the Default Port
Port 25565 is the first port scanners check. Running on a non-standard port (any unused port between 1024 and 65535) will not stop a determined attacker, but it will filter out the laziest automated scans. In server.properties:
```properties
server-port=29132
```
Players can connect using your.server.ip:29132. If you have a custom domain set up, you can hide the port entirely behind an SRV record.
Disable Query If You Don't Need It
The query protocol broadcasts server information over UDP. Unless you are using a server list that requires query, disable it:
```properties
enable-query=false
```
This stops your server from responding to query probes entirely.
Lock Down RCON
RCON is a remote administration protocol with serious security limitations: no encryption, no rate limiting, no modern authentication. If you enable it, take precautions:
| Setting | Recommendation |
|---|---|
| enable-rcon | Only enable if you actually use it |
| rcon.port | Use a non-standard port |
| rcon.password | 20+ characters, randomly generated |
| Firewall | Restrict RCON port to specific IP addresses |
If you only access your server through a web panel console (like the one at hosting.swelis.com), you do not need RCON at all. Disable it.
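The checks from the last three sections can be scripted. The following is an added example, not code from this guide or from Swelis: it parses a server.properties file and flags the default port, an enabled query listener, and an enabled RCON with a short password or Minecraft's default RCON port (25575). The sample properties are constructed for the example.

```python
import secrets
import string

# Constructed sample server.properties for this example, not a real server's file.
SAMPLE_PROPERTIES = """\
# Minecraft server properties
server-port=25565
enable-query=true
query.port=25565
enable-rcon=true
rcon.port=25575
rcon.password=minecraft
motd=A Minecraft Server
"""

def parse_properties(text):
    """Parse key=value lines; '#' and '!' start comments, as in Java .properties files."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#!":
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props

def audit_properties(props):
    """Return a list of findings for the settings this guide calls out."""
    findings = []
    if props.get("server-port", "25565") == "25565":
        findings.append("server-port is the default 25565; pick a non-standard port")
    if props.get("enable-query", "false").lower() == "true":
        findings.append("enable-query=true answers UDP query probes; disable it if unused")
    if props.get("enable-rcon", "false").lower() == "true":
        pw = props.get("rcon.password", "")
        if len(pw) < 20:
            findings.append(f"rcon.password is {len(pw)} characters; use 20+ random characters")
        # 25575 is Minecraft's default rcon.port, the first one scanners try.
        if props.get("rcon.port", "25575") == "25575":
            findings.append("rcon.port is the default 25575; use a non-standard port")
    return findings

def generate_rcon_password(length=32):
    """Random letters and digits only, which every RCON client handles safely."""
    alphabet = string.ascii_letters + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(length))

if __name__ == "__main__":
    for finding in audit_properties(parse_properties(SAMPLE_PROPERTIES)):
        print("-", finding)
    print("suggested rcon.password:", generate_rcon_password())
```

Replace SAMPLE_PROPERTIES with the contents of your own server.properties to audit a live server.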
Firewall Rules
If you control your server's firewall (on a VPS or dedicated machine), whitelist only the ports you need:
```bash
# Allow Minecraft
ufw allow 29132/tcp
# Allow SSH from your IP only
ufw allow from 203.0.113.50 to any port 22
# Deny everything else
ufw default deny incoming
ufw enable
```
On managed hosting platforms, the host typically handles firewall rules. On Swelis, ports are allocated by the platform and only the necessary ports are exposed — you do not need to configure iptables yourself.
Permissions Done Right
The default Minecraft permission system has exactly four levels: regular player, command block access, operator (can use most commands), and full operator (can use /stop and /op). This is not enough granularity for a server with more than three people.
The Problem with OP
When you /op someone, you are giving them access to commands like /gamemode, /give, /tp, /ban, and /kick. Most operators do not need all of these. If an operator account is compromised (shared password, session token theft, social engineering), the attacker has full control.
Use a Permissions Plugin
Permission plugins like LuckPerms let you define exactly which commands each player (or group of players) can run. The principle is simple: grant the minimum permissions necessary for each role.
A reasonable starting structure:
| Group | Permissions |
|---|---|
| default | Basic gameplay, /spawn, /home |
| member | Everything in default + /sethome, /tpa |
| moderator | Everything in member + /kick, /mute, /tempban, /vanish |
| admin | Everything in moderator + /ban, /unban, /tp, /gamemode |
| owner | Full access (you, and no one else) |
Do not give moderators /op. Do not give admins /stop. Console commands that affect server state should be run from the console, not in-game.
Audit Existing Permissions
If your server has been running for a while, audit your permission groups. Look for:
- Players who have been promoted beyond their actual role
- Wildcard permissions (`*`) granted to non-owner groups
- Plugins that auto-grant permissions you did not intend
LuckPerms has a verbose mode (/lp verbose on) that logs every permission check in real time. Use it to understand what permissions are actually being used.
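The inheritance chain in the group table above is easy to get wrong by hand, because a node granted to `member` is also held by every group that inherits from it. The following is an added example, not LuckPerms code or anything from this guide: it resolves inherited nodes for a constructed set of groups and flags non-owner groups that end up with a wildcard or an owner-only node such as `minecraft.command.op`. The `essentials.*` node names are constructed in EssentialsX style purely as sample data.

```python
# Constructed group definitions modelled on the table above; "inherits" mirrors
# "Everything in <group> + ...". minecraft.command.* is the node family Paper and
# Spigot use for vanilla commands; the essentials.* nodes are sample data.
GROUPS = {
    "default":   {"inherits": [], "nodes": ["essentials.spawn", "essentials.home"]},
    "member":    {"inherits": ["default"], "nodes": ["essentials.sethome", "essentials.tpa"]},
    "moderator": {"inherits": ["member"],
                  "nodes": ["essentials.kick", "essentials.mute", "essentials.tempban", "essentials.vanish"]},
    # Deliberate mistake for the example: /op granted to admins.
    "admin":     {"inherits": ["moderator"],
                  "nodes": ["essentials.ban", "essentials.unban", "essentials.tp",
                            "essentials.gamemode", "minecraft.command.op"]},
    "owner":     {"inherits": ["admin"], "nodes": ["*"]},
}

# Nodes that hand over the whole server; only the owner group should carry them.
OWNER_ONLY = {"*", "minecraft.command.op", "minecraft.command.stop",
              "bukkit.command.op", "bukkit.command.stop"}

def effective_nodes(groups, name, seen=None):
    """Union of a group's own nodes and everything it inherits, cycle-safe."""
    if seen is None:
        seen = set()
    if name in seen:
        return set()
    seen.add(name)
    nodes = set(groups[name]["nodes"])
    for parent in groups[name]["inherits"]:
        nodes |= effective_nodes(groups, parent, seen)
    return nodes

def audit_groups(groups, owner_group="owner"):
    """Map each non-owner group to the dangerous nodes it holds, directly or inherited."""
    findings = {}
    for name in groups:
        if name == owner_group:
            continue
        bad = sorted(n for n in effective_nodes(groups, name)
                     if n in OWNER_ONLY or n.endswith(".*"))
        if bad:
            findings[name] = bad
    return findings

if __name__ == "__main__":
    for group, nodes in audit_groups(GROUPS).items():
        print(f"{group}: remove {', '.join(nodes)}")
```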
Plugin Security
Every plugin you install is a potential attack vector. A malicious or vulnerable plugin has full access to your server: it can read and write files, execute commands, and access player data.
Vet Your Sources
Only download plugins from:
- Modrinth — has malware scanning and verified uploads
- Hangar (PaperMC's official plugin repository) — curated, Paper-focused
- SpigotMC — large ecosystem, but verify author reputation and update history
- GitHub — for open-source plugins where you can inspect the code
Never download plugins from random Discord servers, forum posts, or "cracked plugin" sites. These are common malware vectors.
Keep Plugins Updated
Plugin developers fix security vulnerabilities. If you are running a plugin version from 2024, you are running code written before every vulnerability disclosed since then was known.
Check your plugins monthly. For critical plugins (permissions, anti-cheat, economy), check weekly. When the best plugins list recommends a plugin, it assumes you are running a current version.
Remove What You Don't Use
Every plugin is attack surface. If you installed a plugin to try it out and never used it, delete it. If a plugin has not been updated in two years and has a maintained alternative, switch.
Known Plugin CVEs
Some notable plugin vulnerabilities from recent years:
| Plugin/Tool | Vulnerability | Impact |
|---|---|---|
| Log4j (late 2021) | CVE-2021-44228 | Remote code execution via chat messages |
| Minecraft-Rcon-Manage | CVE-2026-24871 | Remote code execution via RCON interface |
| Various economy plugins | SQL injection | Database access, currency manipulation |
| Older WorldEdit versions | Arbitrary file read | Server file disclosure |
These are not theoretical. Log4Shell was actively exploited against Minecraft servers within days of disclosure. If you were running an unpatched server in December 2021, you were likely scanned.
Automated Patching and Backups
Security vulnerabilities are discovered constantly. The question is not whether your server software will have a vulnerability — it will. The question is how quickly you apply the patch.
The Patch Window
When a vulnerability is disclosed, there is a window between disclosure and when most servers update. Attackers know this. Automated exploit scripts start scanning within hours of a CVE publication.
If you update your server weekly, you have a 7-day window of exposure for any vulnerability disclosed that week. If you update monthly, that window is 30 days. The faster you patch, the smaller your window.
Automated Updates
Manually checking for updates is tedious, and tedious tasks get skipped. Automation solves this.
On Swelis, you can enable automated security updates in your service settings. The platform monitors upstream security advisories for Minecraft (all server flavors) and WordPress. When an advisory is published:
- You receive an email notification
- If you have auto-apply enabled, the platform takes a backup
- The update is applied during your configured quiet-hours window
- You receive a confirmation email
This does not remove the need to test updates on a staging server for major version bumps. But for security patches (26.1.1 to 26.1.2), automated application is almost always the right call.
Backups as a Safety Net
Sometimes updates break things. Sometimes an attacker gets in despite your precautions. Backups let you recover.
The backup strategies guide covers this in detail, but the essentials are:
- Automatic backups — at least daily, retained for at least a week
- Pre-update backups — before any server software or plugin update
- Off-site copies — if your server is compromised, an attacker can delete on-server backups
Test your restores. A backup you have never restored is a backup that might not work.
Anti-Grief and Anti-Cheat
Security is not just about external attackers. Players on your server can cause damage too.
Land Protection
Plugins like GriefPrevention, WorldGuard, or Lands let players claim areas that other players cannot modify. This prevents casual griefing and limits the blast radius of a compromised account.
Anti-Cheat
Anti-cheat plugins (Vulcan, Grim, Matrix) detect and flag common client modifications: fly hacks, speed hacks, kill aura, X-ray. No anti-cheat is perfect — determined cheaters with custom clients will eventually bypass detection — but a good anti-cheat raises the skill floor for cheating significantly.
Be prepared for false positives. Anti-cheat plugins can flag legitimate players with high latency or unusual play styles. Configure them conservatively, review flagged players before banning, and keep logs.
Logging and Auditing
CoreProtect logs every block change, chest interaction, and item transaction. When someone griefs a build or steals from a chest, you can see exactly who did it and roll back their changes.
This is not optional for a public server. Without block logging, you are investigating griefing blind.
Quick Reference
| Layer | Action | Priority |
|---|---|---|
| Network | Change default port | Medium |
| Network | Disable query if unused | Medium |
| Network | Disable or secure RCON | High |
| Network | Firewall unused ports | High |
| Permissions | Replace OP with permission plugin | High |
| Permissions | Audit existing groups | Medium |
| Plugins | Vet plugin sources | High |
| Plugins | Update plugins regularly | High |
| Plugins | Remove unused plugins | Medium |
| Patching | Enable automated security updates | High |
| Backups | Configure automatic backups | High |
| Backups | Test restores periodically | Medium |
| In-game | Install land protection | High (public servers) |
| In-game | Install block logging | High (public servers) |
| In-game | Configure anti-cheat | Medium |
If you are starting from zero, focus on the High priority items first. A server with a permissions plugin, updated software, and working backups is already more secure than most.
Related Guides
- How to Whitelist Players on Your Minecraft Server — the first layer of access control, explained in full
- Automated Security Updates for Minecraft and WordPress — how the Swelis advisory pipeline and auto-patching system work
- Backup Strategies for Game Servers and Websites — automatic backups, manual snapshots, and restore workflows
- Minecraft Server Console Commands Cheat Sheet — every server command, organized by category
- How to Fix Minecraft Server Lag — performance problems can look like attacks; rule out lag first
- A Complete Tour of the Swelis Control Panel — where to find backup, console, and security settings in the dashboard
