Eaglercraft & Offline Mode Security (the fun kind of danger)

Running a server in offline mode means Mojang isn't verifying who joins. Here's how to keep your server (and your players) safe anyway.

Offline Mode
No Authentication
Plugins Fix It
Proxy Protection
The Problem

Why Offline Mode Is Risky

When online-mode=false, your server trusts the client to tell it who they are. Mojang's session servers are never contacted. This means:


  • Zero identity verification — anyone can join as "Steve" or "Notch" or your server admin's username
  • Impersonation attacks — a bad actor can join with your OP's exact name and run commands as them
  • Ban evasion — banned players change their username and come back instantly, no new account needed
  • No accountability — without Mojang IDs, you can't track a player across sessions or link them to a real account
  • No UUID consistency — offline mode generates UUIDs from the username, so changing names changes your UUID and all your items/claims are orphaned

Think of online mode like a passport checkpoint. Offline mode is an unlocked door in a public alley. Most people walking by are fine — but the ones who aren't? They can walk right in.

The Fix

AuthMe — Password-Based Login

The single most important plugin for an offline-mode server. It adds a password wall between the player and the game:


  • Players must /register <password> <confirm> on first join
  • They must /login <password> every time after that
  • Players who don't login within 30 seconds are kicked
  • Unauthenticated players can't move, chat, open inventories, or run commands
  • Passwords are hashed (bcrypt/sha256) in the server files

Without AuthMe, anyone can impersonate anyone. With it, a username is tied to a password — not foolproof, but it's the difference between an open door and a locked one.


AuthMe recommended config tweaks:

# config.yml — harden AuthMe
registrationTimeout: 45
passwordMinLength: 6
forceSingleSession: true
forceRegistration: true
isPlayerCacheEnabled: false
removeInactivePlayersAfterDays: 14

Set forceSingleSession: true to prevent the same account being logged in from multiple connections at once — this blocks account sharing and some types of automated abuse.

Rollback

CoreProtect — Anti-Grief Logging

Since you can't fully trust who joins, you need to be able to undo anything. CoreProtect logs every block break, place, interaction, and container transaction:


  • /co inspect — click any block to see its full history
  • /co rollback t:2h r:10 p:PlayerName — undo everything a player did in last 2 hours within 10 blocks
  • /co lookup u:PlayerName a:-block — see every block a player has broken
  • Logs chest access, furnaces, hoppers, even item frames
  • Data is stored in a local SQLite or MySQL database

CoreProtect rollback syntax is powerful — you can undo by player, area, time range, and action type. Example rollback scenarios:

# Undo a griefer in the last hour within 50 blocks
/co rollback t:1h r:50 p:GrieferName

# Restore a blown-up area from the last day
/co rollback t:24h r:30 u:#tnt

# Look up all chest thefts by a player
/co lookup u:PlayerName a:-container

Store CoreProtect data on a separate MySQL database if possible — it keeps the server world folder lean and allows cross-server logging if you run a proxy network.

Land Claims

GriefPrevention — Claim Your Land

GriefPrevention lets players claim areas of the world where only they can build:


  • Players use a golden shovel to define claim corners
  • Claims are automatically protected against non-trusted players
  • Confidence mode detects griefing patterns automatically
  • Admins can override, resize, or delete any claim
  • Blocks all block editing, explosions, fire, and fluid flow inside claims
  • Auto-claims when players place a chest (optional — great for new players)

In offline mode, land claims are essential — they protect builds even when players are offline. Configure claim limits based on playtime to reward active players:

# config.yml — GriefPrevention tweaks
Claims:
  InitialBlocks: 100
  AccruedBlocksPerHour: 50
  MaxAccruedBlocks: 1000
  ChestClaimRestriction:
    Enabled: true # auto-claim on chest place

Alternative land claim plugins: Lands (more features, factions-like), WorldGuard (region-based, admin-only), PreciousStones (block-based claims with custom fields).

Permissions

LuckPerms — Granular Control

In offline mode, never use OP. Use a permission plugin instead. LuckPerms is the modern standard:


  • Create groups (Member, Mod, Admin, Owner) with specific permissions
  • Temporary permissions — grant access that expires automatically
  • Permission trees — give minecraft.command.gamemode without giving full OP
  • Contextual permissions — permissions that only apply in certain worlds or at certain times
  • Built-in command cooldowns and warmups

Example LuckPerms setup for a typical offline-mode server:

/lp creategroup Member
/lp creategroup Mod
/lp creategroup Admin

# Give Moderators kick/ban but not OP
/lp group Mod permission set minecraft.command.kick true
/lp group Mod permission set minecraft.command.ban true
# Give Fly only in the "hub" world
/lp group Member permission set essentials.fly true world=hub

Without a permission plugin, you're forced to use OP — which in offline mode is a guaranteed incident waiting to happen.

Anti-Bot

Rate Limiting & Bot Protection

Offline-mode servers are prime targets for bot attacks. A single script can join 1,000 fake players and crash your server. Here's how to fight back:


  • AdvancedAntiBot — detects bots by analyzing connection patterns, skin data, and handshake behavior. Blocks >99% of known bot clients automatically
  • BotFilter — lightweight, configurable, uses a score-based system to flag suspicious connections
  • NoirAntiBot — modern anti-bot with machine learning pattern detection
  • Connection throttle — limit connections per IP (e.g., 1 per second, max 3 per minute)
  • CAPTCHA plugins — show a simple math problem or click-the-item captcha before interacting
  • Proxy-level limits — BungeeCord/Velocity can throttle globally before reaching your backend

A common bot attack: bots join with random names, spam chat with links to "free ranks" or "cracked Minecraft," then leave. Anti-bot plugins catch this pattern automatically. AdvancedAntiBot can even silently shadow-ban suspected bots — they think they're connected but see a fake, empty world.


# BungeeCord config.yml — connection limits
throttle: 400 # ms between connections from same IP
connection_throttle: 4000
player_limit: 100
ip_forward: true
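
The per-IP limit from the list above (1 connection per second, at most 3 per minute), worked through as an added example. This is not code from BungeeCord or from any plugin named here; the class, its method names and the sample traffic are constructed for illustration.

```python
from collections import defaultdict, deque


class ConnectionThrottle:
    """Per-IP join limiter (hypothetical helper, times in milliseconds).

    Accepts a connection only if the same IP has had no accepted connection
    in the last `min_gap_ms` and fewer than `max_per_window` accepted
    connections in the last `window_ms`.
    """

    def __init__(self, min_gap_ms=1000, max_per_window=3, window_ms=60_000):
        self.min_gap_ms = min_gap_ms
        self.max_per_window = max_per_window
        self.window_ms = window_ms
        self._accepted = defaultdict(deque)  # ip -> accepted timestamps, oldest first
        self.rejected = defaultdict(int)     # ip -> refused attempts, for alerting

    def allow(self, ip, now_ms):
        history = self._accepted[ip]
        # Forget accepted connections that have aged out of the window.
        while history and now_ms - history[0] >= self.window_ms:
            history.popleft()
        too_soon = bool(history) and now_ms - history[-1] < self.min_gap_ms
        if too_soon or len(history) >= self.max_per_window:
            self.rejected[ip] += 1
            return False
        history.append(now_ms)
        return True

    def sweep(self, now_ms):
        """Drop idle IPs so a flood of one-off addresses cannot grow this map forever."""
        for ip in list(self._accepted):
            history = self._accepted[ip]
            while history and now_ms - history[0] >= self.window_ms:
                history.popleft()
            if not history:
                del self._accepted[ip]

    def suspects(self, threshold=50):
        """IPs refused at least `threshold` times: candidates for a firewall block."""
        return sorted(ip for ip, n in self.rejected.items() if n >= threshold)


def replay(events, throttle=None):
    """Feed (ip, time_ms) events in time order; return ({ip: accepted_count}, throttle)."""
    throttle = throttle or ConnectionThrottle()
    accepted = defaultdict(int)
    for ip, now_ms in sorted(events, key=lambda e: e[1]):
        if throttle.allow(ip, now_ms):
            accepted[ip] += 1
    return dict(accepted), throttle


# Constructed traffic: one script opening 200 connections in two seconds,
# and one ordinary player who reconnects a few times.
BOT_IP, PLAYER_IP = "203.0.113.45", "198.51.100.7"
SAMPLE_EVENTS = [(BOT_IP, i * 10) for i in range(200)] + [
    (PLAYER_IP, t) for t in (0, 5_000, 30_000, 45_000, 61_000)
]

if __name__ == "__main__":
    accepted, throttle = replay(SAMPLE_EVENTS)
    print("accepted per IP:", accepted)
    print("refused per IP:", dict(throttle.rejected))
    print("firewall candidates:", throttle.suspects())
```

A per-IP limit only slows a single source; the proxy-level player limit is still what caps a swarm spread over many addresses.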

Network

DDoS Protection for Eaglercraft

Eaglercraft servers attract DDoS attacks because they're accessible from browsers — scripts can trivially open hundreds of WebSocket connections. Your defense strategy:


  • TCPShield — free Minecraft DDoS protection that proxies connections; works with Eaglercraft via WebSocket. Their free tier handles up to 20 concurrent connections per IP
  • BungeeCord proxy on a separate VPS — your real server IP stays hidden behind the proxy. If the proxy gets hit, spin up a new one
  • Cloudflare Spectrum — paid Cloudflare plan ($200/mo) that proxies TCP/WebSocket traffic. Best option for serious servers
  • Minecraft AntiDDoS — paid service specifically for Minecraft, supports Eaglercraft with custom config
  • WebSocket rate limiting — nginx or HAProxy in front of your WebSocket server can limit connections/second per IP
  • Always host on a VPS — never your home connection. A $5/mo VPS has better DDoS tolerance than residential fiber

Eaglercraft uses WebSocket (ws://) not raw TCP, so standard Minecraft anti-DDoS services often don't work. You need a provider that understands WebSocket proxying.


Simple nginx DDoS throttle for WebSocket:

# nginx.conf — rate limit websocket connections
# limit_req_zone belongs in the http {} context, next to the server block
limit_req_zone $binary_remote_addr zone=eagle:10m rate=1r/s;

server {
    listen 80;
    location / {
        limit_req zone=eagle burst=5 nodelay;
        proxy_pass http://localhost:25565;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
    }
}

Proxy Security

BungeeCord & Velocity Hardening

If you run a proxy network, the proxy is your first line of defense. Hardening tips:


  • Enable ip_forward — pass real player IPs to backend servers for accurate bans and logging
  • Set a custom server list ping — don't leak your backend server names or IPs
  • Disable online_mode on proxy (if running Eaglercraft) but set online_mode=true on backend servers
  • Use Velocity instead of BungeeCord — Velocity is newer, faster, and has built-in DDoS protection features
  • Modern forwarding — Velocity's modern forwarding mode is encrypted, preventing backend connections from fake proxies
  • Restrict backend ports — only allow connections from the proxy's IP on backend server ports via firewall

Velocity modern forwarding uses a secret key shared between proxy and backend. Even if someone knows your backend IP, they can't connect without the forwarding secret:

# velocity.toml
# Top-level keys: TOML requires these before any [table] header
player-info-forwarding-mode = "modern"
# Shared secret the backend checks on forwarded player info
forwarding-secret = "your-secure-random-key-here"

[forced-hosts]
# Only allow connections through the proxy

[advanced]
proxy-protocol = false # use modern forwarding instead

Encryption

WSS vs WS — Encrypting Connections

Plain WebSocket (ws://) sends everything in cleartext — chat, commands, even passwords. If someone is on the same network, they can read everything.


  • WSS (WebSocket Secure) — uses TLS/SSL encryption, same as HTTPS. wss:// encrypts all traffic between client and server
  • LetsEncrypt — free TLS certificates. Use Certbot to automatically generate and renew certs for your WSS domain
  • Reverse proxy with nginx/Caddy — terminate TLS at the proxy and forward to your Eaglercraft server
  • Cloudflare (free plan) — enables WSS automatically if you proxy through Cloudflare's DNS
  • Without WSS, assume everything is visible — passwords, IPs, private messages, admin commands

Setting up WSS with Caddy is absurdly simple — it auto-provisions TLS certs:

# Caddyfile
mc.yourdomain.com {
    reverse_proxy localhost:25565
}

# That's it. Caddy handles HTTPS/WSS automatically.

Players connect with wss://mc.yourdomain.com instead of ws://your-vps-ip:25565. Everything is encrypted, and your IP stays hidden behind the domain.

Backups

Backup Strategies That Actually Work

Offline-mode servers get griefed more. You will need to restore from backup at some point. Have a real plan:


  • Automated hourly backups — use a plugin like AutoBackup or a cron script. Keep last 24 hourly, last 7 daily, last 4 weekly
  • World-only backups — exclude plugin data you can re-download. Keeps backups small and fast
  • Off-site backups — rsync or rclone to a separate storage location. If your VPS gets wiped, local backups are gone too
  • Database backups — if using MySQL for CoreProtect or AuthMe, back up the DB separately (mysqldump)
  • Test your backups — actually restore one to a test server and verify you can roll back. Untested backups are hallucinations
  • Backup before updates — before updating plugins or the server JAR, take a manual snapshot

Simple cron-based backup script:

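#!/bin/bash
# /etc/cron.hourly/mc-backup
set -euo pipefail
# Plain % is correct in a script file; the \% form is only needed on a crontab line
TIMESTAMP=$(date +%Y%m%d-%H%M)
tar -czf "/backups/world-$TIMESTAMP.tar.gz" /server/world/ /server/world_nether/ /server/world_the_end/
# Delete archives older than 7 days
find /backups/ -name "*.tar.gz" -mtime +7 -delete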

Restoring from backup should take under 5 minutes. If your restore process is complicated, simplify it before you need it in a panic.
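
The find line in the script above deletes every archive older than seven days, so on its own it does not give the 24 hourly / 7 daily / 4 weekly retention listed earlier. This added example (not part of the original script) selects which world-<timestamp>.tar.gz archives that policy keeps; the function names and the generated file list are constructed for illustration.

```python
import re
from datetime import datetime, timedelta

# Matches the archive names produced by the backup script on this page.
NAME_RE = re.compile(r"^world-(\d{8}-\d{4})\.tar\.gz$")


def parse_stamp(name):
    """Return the datetime encoded in an archive name, or None if it is not ours."""
    m = NAME_RE.match(name)
    if not m:
        return None
    try:
        return datetime.strptime(m.group(1), "%Y%m%d-%H%M")
    except ValueError:
        return None


def plan_retention(names, hourly=24, daily=7, weekly=4):
    """Split archive names into (keep, delete) for an hourly/daily/weekly policy.

    Files whose names do not parse are never scheduled for deletion.
    """
    stamped = sorted(
        ((parse_stamp(n), n) for n in names if parse_stamp(n) is not None),
        reverse=True,  # newest first, so the first hit in a bucket is its newest archive
    )
    tiers = (
        (hourly, lambda ts: (ts.date(), ts.hour)),
        (daily, lambda ts: ts.date()),
        (weekly, lambda ts: tuple(ts.isocalendar())[:2]),  # (ISO year, ISO week)
    )
    keep = set()
    for limit, bucket_of in tiers:
        seen = set()
        for ts, name in stamped:
            bucket = bucket_of(ts)
            if bucket in seen:
                continue
            if len(seen) == limit:
                break
            seen.add(bucket)
            keep.add(name)
    delete = [name for _, name in stamped if name not in keep]
    return sorted(keep), sorted(delete)


def sample_archives(days=40, start=datetime(2024, 1, 1)):
    """Constructed input: one archive per hour for `days` days."""
    return [
        "world-" + (start + timedelta(hours=h)).strftime("%Y%m%d-%H%M") + ".tar.gz"
        for h in range(days * 24)
    ]


if __name__ == "__main__":
    keep, delete = plan_retention(sample_archives() + ["notes.txt"])
    print(len(keep), "archives kept,", len(delete), "to delete")
    print("oldest kept:", keep[0])
```

Run it in report-only mode against a listing of /backups first, and delete only the names it returns in the second list.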

Attack Vectors

Real Attack Scenarios

Here are actual attacks that target Eaglercraft/offline-mode servers, so you know what to watch for:


🕵️ The Impersonator — A griefer joins with the exact username of your most trusted admin. They wait until the admin logs off, then go on a griefing spree. Everyone assumes the admin did it. Without AuthMe, you can't prove otherwise. Defense: AuthMe with unique passwords. CoreProtect to see the real connection IP.


🤖 The Bot Swarm — A script creates 200 WebSocket connections simultaneously, each with a random 10-character name. Your server runs out of RAM within 30 seconds. The server crashes. Repeat. Defense: Connection throttling, AdvancedAntiBot, MaxPlayers limit at proxy level.


💣 The Lava Bomber — A player registers with /register, buys a bucket of lava from the spawn shop, runs to a high-traffic area, and dumps lava everywhere. They then switch to a new account and do it again. Defense: GriefPrevention land claims, CoreProtect rollback, disable lava placement in spawn with WorldGuard.


📡 The Packet Sniffer — An attacker on the same WiFi network uses Wireshark to capture unencrypted WebSocket traffic. They see passwords, private messages, and admin commands in plain text. Defense: WSS encryption (wss://), never use ws:// on untrusted networks.


🔄 The UUID Shuffle — Player "BuilderPro" changes their username to "BuilderPro2". Their offline-mode UUID changes because it's derived from the username. All their land claims, inventory, and permissions point to the old UUID. They lose everything. Defense: Use a plugin like UUIDFixer or SkinRestorer that maintains consistent UUID mappings.

Identity

UUID Fixing & Player Tracking

Offline mode generates UUIDs by hashing the username (OfflinePlayer:<username>). This is fragile and breaks when players change names. Here's how to fix it:


  • SkinRestorer — fetches Minecraft skins for offline players and caches them. Also assigns stable UUIDs based on first-join data
  • UUIDFixer — migrates offline UUIDs to a more stable system. Converts existing player data to the new UUID scheme
  • DiscordSRV — link Discord accounts to Minecraft usernames. Creates an audit trail. If a name changes, you can trace it via Discord
  • Plan (Player Analytics) — tracks playtime, sessions, IPs, and usernames over time. Gives you a full history of every player's alias
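
How the username-derived UUID behaves, as an added example (not code from Minecraft or from any plugin named here): it reproduces the OfflinePlayer:<username> hashing described above, shows which stored records a rename orphans, and re-keys them. The function names and the claim data are constructed for illustration.

```python
import hashlib
import uuid


def offline_uuid(username):
    """UUID an offline-mode server derives for a username.

    Same construction as Java's UUID.nameUUIDFromBytes over the UTF-8 bytes of
    "OfflinePlayer:<username>": an MD5 digest with the version (3) and variant
    bits set. Nothing secret goes in, so the UUID identifies a name, not a person.
    """
    digest = hashlib.md5(("OfflinePlayer:" + username).encode("utf-8")).digest()
    return uuid.UUID(bytes=digest, version=3)


def orphaned(records, current_names):
    """Records keyed by an offline UUID that no current username maps to."""
    live = {offline_uuid(name) for name in current_names}
    return {key: value for key, value in records.items() if key not in live}


def remap(records, renames):
    """Re-key records after renames ({old_name: new_name}); returns a new dict.

    Refuses to overwrite data already stored under the new name's UUID,
    because that would silently merge two players' records.
    """
    moved = dict(records)
    for old, new in renames.items():
        old_id, new_id = offline_uuid(old), offline_uuid(new)
        if old_id not in moved:
            continue
        if new_id in moved:
            raise ValueError(f"{new!r} already has data; refusing to merge")
        moved[new_id] = moved.pop(old_id)
    return moved


# Constructed data: land claims stored under each player's offline UUID.
CLAIMS = {
    offline_uuid("BuilderPro"): "claim at 120,64,-300",
    offline_uuid("Alex"): "claim at 10,70,45",
}

if __name__ == "__main__":
    print("BuilderPro :", offline_uuid("BuilderPro"))
    print("BuilderPro2:", offline_uuid("BuilderPro2"))
    # The name is hashed as typed, so different casing is a different player.
    print("builderpro :", offline_uuid("builderpro"))

    after_rename = ["BuilderPro2", "Alex"]
    print("orphaned after rename:", orphaned(CLAIMS, after_rename))
    fixed = remap(CLAIMS, {"BuilderPro": "BuilderPro2"})
    print("orphaned after remap :", orphaned(fixed, after_rename))
```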

Example Plan output shows you everything about a player:

# /plan player check Griefer123
Known IPs: 192.168.1.5, 10.0.0.7
Previous names: Griefer123 → xX_Griefer_Xx → Raider99
Session count: 47
Bans: 3 (griefing, ban evasion, chat spam)

When a player changes their username, Plan still links them to the same profile by IP and session data. This is how you catch repeat offenders in offline mode.
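
The name-to-IP linking described above can be reproduced from the server log alone. This added example is not Plan's code; it assumes vanilla/Spigot-style join lines, and the log lines, names and addresses are constructed.

```python
import re
from collections import defaultdict

# Assumed layout of a join line in a vanilla/Spigot-style server log (IPv4 only).
JOIN_RE = re.compile(
    r"^\[(?P<time>\d{2}:\d{2}:\d{2})\] \[Server thread/INFO\]: "
    r"(?P<name>\w{1,16})\[/(?P<ip>\d{1,3}(?:\.\d{1,3}){3}):\d+\] logged in"
)

# Constructed sample log; names are made up and addresses are documentation ranges.
SAMPLE_LOG = """\
[14:10:02] [Server thread/INFO]: AdminAnna[/198.51.100.7:50112] logged in with entity id 101 at ([world]0.5, 64.0, 0.5)
[14:20:45] [Server thread/INFO]: AdminAnna lost connection: Disconnected
[14:32:10] [Server thread/INFO]: xX_Griefer_Xx[/203.0.113.45:51234] logged in with entity id 140 at ([world]8.5, 64.0, 3.5)
[14:35:27] [Server thread/INFO]: xX_Santa_Xx[/203.0.113.45:51301] logged in with entity id 152 at ([world]8.5, 64.0, 3.5)
[14:41:03] [Server thread/INFO]: AdminAnna[/203.0.113.45:51377] logged in with entity id 160 at ([world]0.5, 64.0, 0.5)
[14:50:00] [Server thread/INFO]: Alex[/192.0.2.33:40001] logged in with entity id 171 at ([world]1.5, 70.0, 9.5)
""".splitlines()


def parse_joins(lines):
    """Yield (time, name, ip) for every join line; other lines are ignored."""
    for line in lines:
        m = JOIN_RE.match(line)
        if m:
            yield m["time"], m["name"], m["ip"]


def audit(lines, staff_ips):
    """Link names to addresses and flag two patterns worth a staff alert.

    staff_ips: {staff_name: set of addresses that person normally uses}.
    Staff names are compared case-insensitively, so "adminanna" is checked
    the same way as "AdminAnna".
    """
    names_by_ip = defaultdict(list)
    staff_alerts = []
    known = {name.lower(): ips for name, ips in staff_ips.items()}
    for time, name, ip in parse_joins(lines):
        if name not in names_by_ip[ip]:
            names_by_ip[ip].append(name)
        expected = known.get(name.lower())
        if expected is not None and ip not in expected:
            staff_alerts.append((time, name, ip))
    # A shared address is a lead, not proof: NAT and school networks put many
    # players behind one IP, and a VPN gives one player many.
    shared = {ip: names for ip, names in names_by_ip.items() if len(names) > 1}
    return {"shared_ips": shared, "staff_from_new_ip": staff_alerts}


if __name__ == "__main__":
    report = audit(SAMPLE_LOG, {"AdminAnna": {"198.51.100.7"}})
    for ip, names in report["shared_ips"].items():
        print(f"{ip} has joined as: {', '.join(names)}")
    for time, name, ip in report["staff_from_new_ip"]:
        print(f"{time} staff name {name} joined from unfamiliar address {ip}")
```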

Monitoring

Log Analysis & Real-Time Alerts

You can't watch your server 24/7. Here's how to get notified when something bad happens:


  • DiscordSRV — bridges Minecraft chat to Discord. Also sends alerts for staff commands, server errors, and join/leave patterns
  • AdvancedBan — notifies staff via Discord when a ban/mute/kick is issued
  • LogBlock — alternative to CoreProtect. Can send suspicious activity reports to a log channel
  • Watchdog plugins — detect impossible movements, kill aura, fly hacks, and auto-ban configurable offenders
  • Server health monitoring — use services like UptimeRobot or Grafana to alert you if the server goes offline

Set up DiscordSRV alerts for key events:

# DiscordSRV config.yml — alert channels
DiscordChannels:
  GlobalChat: "123456789" # main chat
  StaffChannel: "987654321" # staff alerts
  ConsoleChannel: "555555555" # console output

# Send specific events to staff channel
DiscordChannelEvent:
  StaffChannel:
    - player_join
    - player_leave
    - server_start
    - server_stop
    - watchdog_command

With DiscordSRV + Plan + CoreProtect, you have a complete audit trail: who did what, when, from where, and under what names.

Hardening

Server JVM & OS Hardening

Beyond Minecraft-specific configs, harden the server itself:


  • Run as non-root user — create a "minecraft" system user. Never run the server JAR as root. If the server is compromised, the attacker gets a limited user
  • Use a firewall — UFW on Linux: ufw allow 25565/tcp and deny everything else. Also block all outgoing traffic except what's needed
  • Disable SSH password auth — use SSH keys only. A brute-force on your VPS's SSH is common after a Minecraft server is discovered
  • Automatic security updates — unattended-upgrades on Debian/Ubuntu keeps the OS patched
  • Java flags for security — limit JVM resource usage to prevent fork bombs from crashing the host
  • Filesystem isolation — use Docker or a chroot jail to contain the server process

Recommended JVM flags for both performance and safety:

java -Xms2G -Xmx4G \
  -XX:+UseG1GC \
  -Dsun.rmi.dgc.server.gcInterval=2147483646 \
  -XX:+ExplicitGCInvokesConcurrent \
  -Djava.security.manager \
  -jar server.jar --nogui

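The flag -Djava.security.manager restricts what Java code can do (file access, network connections, system properties). Some plugins may break, but it's a powerful lockdown. The Security Manager has been deprecated for removal since Java 17, and from Java 24 the JVM refuses to start with this flag, so check your Java version before relying on it.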

Mistakes

Common Mistakes (And How to Avoid Them)

Even experienced server owners make these. Learn from their pain:


  • Giving OP to anyone — never /op <player> unless you'd trust them with your house keys. In offline mode, anyone can claim to be that player
  • Running without AuthMe — your server WILL be griefed. It's not a question of if, but when. Every day without AuthMe is a gamble
  • No backups — offline mode servers get attacked more often. Hourly automated backups are cheap insurance. You'll need them
  • Exposing your home IP — never host an Eaglercraft server on your home connection. The DDoS risk is real and can take your entire household offline
  • Using default ports — changing from 25565 to a non-standard port reduces automated scanner hits significantly
  • Forgetting firewall rules — always restrict to only the ports and IPs you need. Close everything else
  • Trusting skin/username verification — skins can be faked, names can be spoofed. Don't make moderation decisions based on who someone appears to be
  • Not testing restores — a backup you've never restored is not a backup. Test it at least once a month

Checklist

Full Eaglercraft Security Checklist

Run through every item before opening your server. Check off each one:


  • AuthMe installed, configured, forceSingleSession=true
  • CoreProtect logging active with MySQL backend
  • GriefPrevention or Lands for land claims
  • LuckPerms installed, OP removed from all players
  • AdvancedAntiBot or similar anti-bot plugin
  • Automated backups every 1-2 hours, off-site storage
  • DDoS protection (TCPShield, Cloudflare Spectrum, or proxy VPS)
  • WSS encryption enabled (LetsEncrypt + nginx/Caddy)
  • Server hosted on a VPS, never home connection
  • Firewall configured (UFW on Linux, specific ports only)
  • Server runs as non-root system user
  • Server software and Java updated to latest versions
  • Whitelist enabled (if private server). Keep regular backups of whitelist.txt
  • Non-standard port for WebSocket connections (not 25565)
  • DiscordSRV configured with staff alert channel
  • Plan or similar player analytics installed
  • SkinRestorer installed for consistent player appearance
  • You have tested a backup restore (actually done it, not just planned it)

Recommended Network Architecture

A picture is worth a thousand words — here's how secure Eaglercraft server layers stack together.

┌─────────────────────────────────────────────────────────────┐
│                    PLAYERS (Clients)                        │
│  ┌───────────┐  ┌──────────────┐  ┌──────────────────────┐  │
│  │Eaglercraft│  │Java Edition  │  │   Bedrock (Geyser)   │  │
│  │ (Browser) │  │ (Launcher)   │  │   (Phone/Console)    │  │
│  │ wss://    │  │ tcp://       │  │   tcp://             │  │
│  └─────┬─────┘  └──────┬───────┘  └──────────┬───────────┘  │
└────────┼───────────────┼─────────────────────┼──────────────┘
         │               │                     │
         │   INTERNET    │                     │  (Cloudflare Proxy / TCPShield)
         │               │                     │
┌────────┼───────────────┼─────────────────────┼──────────────┐
│        ▼               ▼                     ▼              │
│        ┌───────────────────────────────────────────┐        │
│        │       REVERSE PROXY (nginx / Caddy)       │        │
│        │  • TLS termination (wss://)               │        │
│        │  • Rate limiting (1 req/s per IP)         │        │
│        │  • DDoS filtering                         │        │
│        └─────────────────┬─────────────────────────┘        │
│                          │                                  │
│        ┌─────────────────▼─────────────────────────┐        │
│        │       BUNGEECORD / VELOCITY PROXY         │        │
│        │  • EaglercraftBungee plugin               │        │
│        │  • WebSocket → TCP translation            │        │
│        │  • Connection throttling                  │        │
│        │  • Player limits per server               │        │
│        └──────┬──────────────────┬─────────────────┘        │
│               │                  │                          │
│  ┌────────────▼───────┐  ┌───────▼──────────────┐           │
│  │  Backend Server 1  │  │  Backend Server 2    │           │
│  │  (Survival)        │  │  (Creative)          │           │
│  │  online-mode=true  │  │  online-mode=true    │           │
│  │  AuthMe            │  │  AuthMe              │           │
│  │  CoreProtect       │  │  CoreProtect         │           │
│  │  GriefPrevention   │  │  GriefPrevention     │           │
│  │  LuckPerms         │  │  LuckPerms           │           │
│  └────────────────────┘  └──────────────────────┘           │
│                          │                                  │
│        ┌─────────────────▼─────────────────────────┐        │
│        │   DATABASE LAYER (MySQL / SQLite)         │        │
│        │  • CoreProtect logs                       │        │
│        │  • AuthMe passwords (hashed)              │        │
│        │  • LuckPerms data                         │        │
│        │  • Plan analytics                         │        │
│        └───────────────────────────────────────────┘        │
│                                                             │
│        ┌───────────────────────────────────────────┐        │
│        │   MONITORING & ALERTS                     │        │
│        │  • DiscordSRV → staff Discord channel     │        │
│        │  • UptimeRobot → SMS/email if server down │        │
│        │  • Cron → hourly backups to cloud storage │        │
│        └───────────────────────────────────────────┘        │
│                               VPS (your server)             │
└─────────────────────────────────────────────────────────────┘

This layered architecture means a compromise at one level doesn't expose the others. Each layer has a specific job and is secured independently.

Recommended Plugin Stack

Every plugin you need, organized by category. Install these before opening your server.

Category         | Plugin          | Purpose                                          | Priority
-----------------+-----------------+--------------------------------------------------+---------
Authentication   | AuthMe          | Password-based login for offline mode            | CRITICAL
Block Logging    | CoreProtect     | Every block action logged, rollback capable      | CRITICAL
Land Protection  | GriefPrevention | Player-owned land claims against grief           | CRITICAL
Permissions      | LuckPerms       | Granular permissions, no OP needed               | CRITICAL
Bot Protection   | AdvancedAntiBot | Detects and blocks automated bot attacks         | HIGH
Backups          | AutoBackup      | Scheduled world and config backups               | HIGH
Alerts           | DiscordSRV      | Discord bridge for chat, alerts, and logging     | HIGH
Analytics        | Plan            | Player session tracking, IP/name history         | HIGH
Skins            | SkinRestorer    | Fetches and caches Minecraft skins               | MEDIUM
Anti-Cheat       | Grim / Vulcan   | Detects hacked clients, kill aura, fly, speed    | MEDIUM
Spawn Protection | WorldGuard      | Protect spawn area from griefing                 | MEDIUM
Punishments      | AdvancedBan     | Temporary and permanent bans with Discord alerts | MEDIUM

Install in order of priority. Don't open your server to the public until all CRITICAL and HIGH items are in place.

Eaglercraft Security FAQ

Real questions people ask about running an offline-mode server.

Is Eaglercraft itself unsafe to use?

Eaglercraft runs entirely client-side in your browser. The code is open source (MIT license) and has been audited by the community extensively over years. The risk isn't Eaglercraft the client — it's the fact that your server must run in offline mode to accept Eaglercraft players, which removes Mojang's identity verification layer. If you trust the Eaglercraft codebase (it's literally compiled Java Edition), the remaining concern is entirely on the server side.

Can I use online-mode=true with Eaglercraft?

No — Eaglercraft cannot authenticate with Mojang's session servers because it doesn't have a Minecraft account to verify. Setting online-mode=true will reject all Eaglercraft clients. However, with a proxy setup (BungeeCord/Velocity + EaglercraftBungee), you can set online-mode=true on the backend server while the proxy handles Eaglercraft authentication separately. Java Edition players connecting through the proxy can use their Mojang auth, while Eaglercraft players use the proxy's fallback.

Is wss:// noticeably slower than ws://?

The encryption overhead of WSS is negligible for Minecraft gameplay — we're talking about 1-2ms of additional latency per connection. The initial TLS handshake adds about 50-100ms the first time a player connects, but after that, encrypted WebSocket frames have minimal overhead. In practice, no player will notice the difference, and the security benefit (passwords, chat, commands not being readable by anyone on the network) is enormous.

What's the difference between AuthMe and Mojang authentication?

Mojang authentication is automatic and centralized — when a player connects, Minecraft contacts Mojang's servers, verifies their session ticket, and trusts the result. AuthMe is per-server and manual — a player types a password that only that specific server knows about. AuthMe works even when Mojang's servers are down (which happens more than you'd think), but it's only as strong as the passwords your players choose. A player using "password123" on AuthMe is far less secure than a Mojang-authenticated player, but a player using "xG7#mK9$pQ2" is about equivalent.

Can Eaglercraft players connect to a normal Java Edition server?

Yes, but only through a proxy (BungeeCord/Velocity) with the EaglercraftBungee plugin installed. The proxy acts as a translator — it accepts WebSocket connections from Eaglercraft clients and converts them to standard TCP Minecraft protocol for your backend server. Without this proxy layer, Eaglercraft clients can't communicate with vanilla Java servers because they use different transport protocols (WebSocket vs raw TCP). The proxy also lets Java and Eaglercraft players play on the same server simultaneously.

How do I permanently ban someone in offline mode?

Use /ban <username> for username bans and /ban-ip <ip> for IP bans. Since usernames can be changed instantly, IP bans are more effective but still bypassable with VPNs. For best results: use AuthMe's ban system (/authme ban <username>) which blocks login regardless of the username used, combine it with an IP ban, and log the IP to a shared staff channel. For persistent offenders, add their IP to your firewall's block list at the OS level. Also consider using AdvancedBan plugin which supports temporary and permanent bans, IP bans, and Discord alert integration.

How do I prove someone griefed if usernames aren't reliable?

CoreProtect logs every action with the player's connection IP address, not just their username. Even if a griefer changes their name between attacks, their IP stays the same (unless they use a VPN). If you have Plan installed, you can see every username that IP has ever used. This creates an undeniable audit trail: "IP 203.0.113.45 joined as 'xX_Griefer_Xx' at 14:32, griefed at 14:33, reconnected as 'xX_Santa_Xx' at 14:35." DiscordSRV can automatically post these alerts to your staff channel.

Is there a way to verify player identity in offline mode?

Not perfectly — there's no Mojang-level guarantee — but you can build a multi-layer identity system: (1) AuthMe passwords tie a username to a secret, (2) DiscordSRV linking ties a Minecraft username to a Discord account (which has its own authentication and audit history), (3) whitelist-only servers restrict who can join at all, (4) Plan analytics tracks all IP and username history for every connection, and (5) geolocation plugin can flag if a player is suddenly connecting from a different country. None of these alone is foolproof, but together they raise the barrier so high that most attackers will move on to an easier target.

What plugins do I absolutely need for an Eaglercraft server?

Minimum viable security: AuthMe (password auth), CoreProtect (block logging and rollback), GriefPrevention (land claims), and LuckPerms (permission management without OP). Strongly recommended: AdvancedAntiBot (bot detection), DiscordSRV (alerts and audit log), Plan (player analytics), SkinRestorer (consistent player appearances), and AutoBackup (automated world backups). Optionally, add WorldGuard for spawn protection and AdvancedBan for a better punishment system.

Can someone DDoS my Eaglercraft server?

Yes, and it's one of the biggest risks. Eaglercraft servers are particularly vulnerable because WebSocket connections can be opened trivially from any browser with a single line of JavaScript. Compared to a normal Minecraft server where an attacker needs to write a custom TCP client, attacking an Eaglercraft server is as simple as refreshing a web page 1,000 times. Use TCPShield (free tier available), Cloudflare Spectrum, or a proxy VPS. Never host on your home connection. Add rate limiting at the reverse proxy level (nginx/HAProxy).

Should I hide my Eaglercraft server IP?

Absolutely. Always put a reverse proxy (nginx, Caddy, HAProxy) or DDoS protection service (TCPShield, Cloudflare Spectrum) in front of your server. Players connect to your domain (e.g., wss://mc.yourdomain.com), and the proxy forwards traffic to your actual server IP — which should not be publicly known. If the proxy gets attacked, you can spin up a new one and update your DNS. If your actual server IP gets attacked, you may need to migrate to a completely new VPS. Hide it from the start.

Do I need a domain name for my Eaglercraft server?

Strongly recommended. A domain gives you: (1) a clean, memorable address instead of a raw IP, (2) free WSS encryption via LetsEncrypt, (3) the ability to change VPS providers without telling players a new IP, (4) Cloudflare proxying to hide your real IP, and (5) subdomain flexibility (mc.yourdomain.com, play.yourdomain.com). Domains cost $5-15/year. If you can afford a VPS, you can afford a domain. Use Cloudflare for DNS — the free plan includes DDoS protection and proxying.

My server got griefed. What do I do right now?

  Step 1: Stop the server immediately to prevent further damage.
  Step 2: Don't panic-restart — you might overwrite evidence.
  Step 3: Check CoreProtect logs to identify the griefer's IP and all usernames used.
  Step 4: IP-ban them at the OS firewall level.
  Step 5: Rollback their damage with /co rollback t:24h p:GrieferName.
  Step 6: If you don't have AuthMe installed, install it now before reopening.
  Step 7: Review what other security measures you skipped and implement them before going public again.
  Step 8: Change all admin passwords.
  Step 9: If the server was on your home connection, contact your ISP about the IP being targeted.

Can Java Edition players play with Eaglercraft players?

Yes, with the right proxy setup. EaglercraftBungee (or EaglercraftXVelocity) allows both Eaglercraft (WebSocket) and Java Edition (TCP) players to connect through the same proxy. Java players authenticate normally via Mojang (online-mode=true), while Eaglercraft players connect without authentication. Both groups see each other in-game, chat together, and interact as if they're on the same server — because they are. The proxy handles the protocol translation transparently.

What's the best VPS provider for an Eaglercraft server?

Any provider with good DDoS protection and low latency to your player base. Top recommendations: OVH (excellent built-in DDoS protection, good for Europe), Hetzner (best price/performance, add your own DDoS protection), BuyVM (budget-friendly, includes DDoS protection up to 1.6Tbps), Vultr (many locations, easy scaling), and Linode/Akamai (reliable, good for US players). Minimum specs for a small Eaglercraft server (10-20 players): 2 vCPU, 4GB RAM, 50GB SSD, ~$10-15/month. Don't use AWS or Google Cloud without budget alerts — their egress costs can surprise you.

How do I handle player reports and disputes in offline mode?

Create a clear reporting system that doesn't rely on usernames: (1) Set up a Discord channel for reports where players include screenshots with coordinates, (2) install ReportPlugin or BetterReports that logs reporter, reported player, reason, and timestamp to a file or Discord, (3) use CoreProtect lookup to verify claims independently of what any player says, (4) keep a staff-only Discord channel where you share CoreProtect evidence and ban decisions, (5) never ban based on a single report — always verify with logging data. The block log is your most reliable witness.

Can I run multiple Eaglercraft servers on one VPS?

Yes, but isolate them properly. Use Docker containers for each server instance — this prevents one compromised server from affecting another. Assign specific CPU/RAM limits per container. Each server needs its own port for WebSocket connections. Use a reverse proxy (nginx/Caddy) to route wss://server1.yourdomain.com to port 25565, wss://server2.yourdomain.com to port 25566, etc. Also run separate AuthMe databases per server (or use separate table prefixes) so player accounts don't bleed between servers. Or use a single BungeeCord/Velocity proxy that routes to multiple backend servers — this is more efficient and gives players a unified experience.

What's the most common way offline mode servers get hacked?

Based on community reports, the top attacks in order: (1) Impersonation — joining as an admin's name after they log off and using their OP status to grief or deploy malware, (2) Bot swarm DDoS — hundreds of automated connections crashing the server, (3) Social engineering — befriending a trusted player to get their password or invite them to a "cool Discord server" that's actually a phishing link, (4) Plugin exploits — outdated plugins with known CVEs being used to execute commands or crash the server, (5) Credential stuffing — attackers trying common passwords against known username lists. All of these are preventable with the measures on this page.

Should I use a whitelist for my Eaglercraft server?

If your server is for a known group of players (friends, Discord community, school club), yes, absolutely. A whitelist is the single most effective security measure — it reduces your attack surface from "anyone on the internet" to "only people you've approved." To enable: add white-list=true to your server.properties, then add players with /whitelist add <username>. Whitelist is NOT a replacement for AuthMe/CoreProtect (whitelisted players can still go rogue), but it eliminates 99% of random attacks and bot swarms. Keep a backup of your whitelist.txt — losing it means all your approved players are locked out until you manually re-add them.

Where can I find the plugins mentioned on this page?

Most are on SpigotMC.org (the official Minecraft plugin marketplace) or Polymart.org (modern plugin distribution platform). AuthMe, CoreProtect, GriefPrevention, and LuckPerms are all free. DiscordSRV, Plan, and AdvancedAntiBot are also free on Spigot. TCPShield's Minecraft proxy is a free service — sign up at their website. For Velocity (the better BungeeCord), go to velocitypowered.com. Always download from official sources and verify file hashes if available. Never install random .jar files from Discord or untrusted forums — they can contain malware.