Security should be a top priority when running a public Minecraft server. PocketMine-MP includes several security features, but proper configuration is essential.

Authentication

Xbox Live Authentication

Xbox Live authentication verifies player identities and prevents impersonation.
server.properties
# Require Xbox Live authentication
xbox-auth=true
NEVER disable xbox-auth on public servers. Disabling authentication allows players to:
  • Impersonate other players
  • Bypass username-based bans
  • Access other players’ data
  • Steal admin accounts

XUID Verification

pocketmine.yml
player:
  # Verify Xbox User ID matches previous records
  verify-xuid: true
This prevents non-XBL players from using XBL players’ usernames when xbox-auth=false.
Keep verify-xuid enabled even if you disable Xbox authentication to maintain some identity consistency.

Network Security

Encryption

pocketmine.yml
network:
  # Enable packet encryption
  enable-encryption: true
Disabling encryption makes your server vulnerable to:
  • Session hijacking
  • Man-in-the-middle attacks
  • Packet sniffing
  • Player session theft
Only disable for local testing on trusted networks.

Port Configuration

In server.properties:
# IPv4 port
server-port=19132

# IPv6 port
server-portv6=19133

# Server IP (leave empty for all interfaces)
server-ip=
server-ipv6=
For production servers:
  • Use standard ports (19132/19133) for easy client connection
  • Keep server-ip empty unless you need to bind to a specific interface
  • Use firewall rules instead of non-standard ports for security

Firewall Configuration

Always use a firewall to protect your server:
# Allow PocketMine-MP ports
sudo ufw allow 19132/udp
sudo ufw allow 19133/udp

# Enable firewall
sudo ufw enable
PocketMine-MP uses UDP, not TCP. Ensure your firewall rules use the correct protocol.

Access Control

Whitelist

The whitelist allows only approved players to join:
server.properties
# Enable whitelist
white-list=true

Managing Whitelist

# Add player
whitelist add PlayerName

# Remove player
whitelist remove PlayerName

# List whitelisted players
whitelist list

# Reload whitelist from file
whitelist reload

# Enable/disable
whitelist on
whitelist off
Use the whitelist for:
  • Private servers
  • Testing environments
  • Application-based communities
  • Early access/beta testing

Operator Permissions

Operators (ops) have full server control. Manage carefully:
# Add operator
op PlayerName

# Remove operator
deop PlayerName

# List operators
op list
Only give op to trusted players. Operators can:
  • Execute any command
  • Bypass permissions
  • Stop the server
  • Modify worlds
  • Access player data

ops.txt

Operators are stored in ops.txt:
PlayerName1
PlayerName2
TrustedAdmin
For advanced permission management, use a permissions plugin like PurePerms.

Server Console Security

Console Access

pocketmine.yml
console:
  # Accept console commands
  enable-input: true
If running in a shared environment, consider:
  • Disabling enable-input on production
  • Using RCON for remote management
  • Implementing proper user access controls

Remote Console (RCON)

For secure remote administration, use RCON with proper authentication.
PocketMine-MP doesn’t include built-in RCON. Use third-party plugins or implement SSH access with proper key authentication.

Plugin Security

Plugin Sources

Only download plugins from:
  • Poggit (official repository)
  • Verified GitHub repositories
  • Trusted developer websites
Never install plugins from:
  • Unknown forums
  • File sharing sites
  • Unofficial “hacked” or “cracked” versions
Before installing, check what the plugin can do:
  • File system access
  • Network connections
  • Command execution
  • Database access
Regularly update plugins to receive:
  • Security patches
  • Bug fixes
  • Compatibility updates
Disabled plugins still load code. Completely remove plugins you don’t use.

Plugin Data Directory

pocketmine.yml
plugins:
  # Use modern plugin data structure
  legacy-data-dir: false
Keep legacy-data-dir: false for better security and data separation.

File System Security

File Permissions

Set proper file permissions on Linux/Unix:
# Server directory
chmod 755 /path/to/server

# Configuration files
chmod 644 server.properties pocketmine.yml

# Plugin directory
chmod 755 plugins/
chmod 644 plugins/*.phar

# World directories
chmod 755 worlds/

# Prevent writing to PocketMine-MP binary
chmod 555 PocketMine-MP.phar
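
The chmod commands above set the permissions once; the following added example (not part of PocketMine-MP) checks that they have not drifted. It assumes the server layout shown on this page (plugins/, worlds/, server.properties, pocketmine.yml, PocketMine-MP.phar) and flags any path that grants more than the recommended mode, with world-writable files and writable .phar code reported explicitly.

```python
import os
import stat

# Expected modes taken from the chmod commands above: 755 for directories,
# 644 for configuration files, 555 for the server binary.
EXPECTED_MODES = {
    ".": 0o755,
    "plugins": 0o755,
    "worlds": 0o755,
    "server.properties": 0o644,
    "pocketmine.yml": 0o644,
    "PocketMine-MP.phar": 0o555,
}


def classify(rel_path, mode, expected=None):
    """Return a problem description for a permission mode, or None if acceptable."""
    if mode & stat.S_IWOTH:
        return "world-writable"
    if rel_path.endswith(".phar") and mode & stat.S_IWGRP:
        return "group-writable executable code"  # anyone in the group can plant code
    if expected is not None and mode & ~expected:
        return f"mode {oct(mode)} grants more than expected {oct(expected)}"
    return None


def audit_permissions(root):
    """Check the well-known paths plus every plugins/*.phar; return (path, mode, problem)."""
    findings = []
    targets = dict(EXPECTED_MODES)
    plugins = os.path.join(root, "plugins")
    if os.path.isdir(plugins):
        for name in sorted(os.listdir(plugins)):
            if name.endswith(".phar"):
                targets[os.path.join("plugins", name)] = 0o644
    for rel, expected in targets.items():
        path = os.path.join(root, rel)
        if not os.path.lexists(path):
            continue  # not present on this install; nothing to check
        mode = stat.S_IMODE(os.stat(path).st_mode)
        problem = classify(rel, mode, expected)
        if problem:
            findings.append((rel, oct(mode), problem))
    return findings


if __name__ == "__main__":
    for rel, mode, problem in audit_permissions("."):
        print(f"{rel}: {mode} {problem}")
```

Run it from the server directory; an empty report means every checked path is at or below the recommended mode.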

Sensitive Files

Never commit these files to version control:
  • ops.txt - Operator list
  • whitelist.json - Player whitelist
  • banned-players.txt - Ban list
  • banned-ips.txt - IP ban list
  • Plugin configuration files with API keys/passwords
  • World save data
Add to .gitignore:
.gitignore
ops.txt
whitelist.json
banned-*.txt
player_data/
worlds/
plugins/*/config.yml
*.log

Vulnerability Reporting

If you discover a security vulnerability in PocketMine-MP:
Step 1: Do NOT post publicly

Never report vulnerabilities on:
  • GitHub Issues (public)
  • Discord
  • Forums
  • Social media

Step 2: Report privately

Use one of these methods:

GitHub Security Advisories:
  1. Go to https://github.com/pmmp/PocketMine-MP/security
  2. Click “Report a vulnerability”
  3. Fill out the form with details

Email: Send to [email protected] with:
  • PocketMine-MP version
  • Detailed vulnerability description
  • Exploitation steps
  • Your GitHub username (for credit)

Step 3: Wait for response

The team will:
  • Acknowledge receipt
  • Investigate the issue
  • Develop a fix
  • Release a patch
  • Credit you in the security advisory (if desired)
PocketMine-MP does not offer bug bounties, but responsible disclosure is appreciated.

Security Checklist

  1. Enable Xbox authentication (xbox-auth=true in server.properties)
  2. Enable encryption (enable-encryption: true in pocketmine.yml)
  3. Configure firewall (only allow necessary ports: 19132/UDP, 19133/UDP)
  4. Use whitelist if appropriate (for private servers, enable white-list=true)
  5. Limit operator access (only op trusted administrators)
  6. Install plugins from trusted sources (use Poggit or verified repositories only)
  7. Set proper file permissions (restrict write access to configuration files)
  8. Keep server updated (regularly update to latest stable version)
  9. Monitor logs (regularly check server.log for suspicious activity)
  10. Backup regularly (maintain backups of worlds and configurations)
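
Items 1, 2 and 4 of the checklist, plus verify-xuid from the Authentication section, can be verified mechanically. The following added example (not part of PocketMine-MP) reads server.properties and pocketmine.yml with deliberately minimal parsers (flat key=value lines, and two-level section/key YAML entries, which is all these settings need) and reports any weak value; the sample files are constructed for illustration.

```python
def parse_properties(text):
    """Parse flat key=value lines; blank lines and '#' comments are skipped."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, _, value = line.partition("=")
            props[key.strip()] = value.strip()
    return props


def parse_simple_yaml(text):
    """Map 'section.key' -> value for two-level pocketmine.yml entries.
    Minimal by design: no lists, deeper nesting or quoted values (the checklist needs none)."""
    result, section = {}, None
    for line in text.splitlines():
        code = line.split("#", 1)[0].rstrip()  # drop trailing comments
        if not code.strip():
            continue
        key, _, value = code.strip().partition(":")
        if not code.startswith((" ", "\t")):  # top-level section header
            section = key
        elif section is not None:
            result[f"{section}.{key}"] = value.strip()
    return result


def audit(properties_text, yaml_text):
    """Return (severity, message) findings; an empty list means every check passed."""
    props = parse_properties(properties_text)
    conf = parse_simple_yaml(yaml_text)
    findings = []
    if props.get("xbox-auth", "").lower() != "true":
        findings.append(("WARN", "xbox-auth is not true: usernames can be impersonated"))
    if conf.get("network.enable-encryption", "").lower() != "true":
        findings.append(("WARN", "network.enable-encryption is not true: sessions can be hijacked"))
    if conf.get("player.verify-xuid", "").lower() != "true":
        findings.append(("WARN", "player.verify-xuid is not true: XUID consistency is not checked"))
    if props.get("white-list", "").lower() != "true":
        findings.append(("INFO", "white-list is off: acceptable for public servers only"))
    return findings


# Constructed sample files with two weak settings (not taken from a real server).
SAMPLE_PROPERTIES = "xbox-auth=false\nwhite-list=true\nserver-port=19132\n"
SAMPLE_YAML = "network:\n  enable-encryption: false  # left over from testing\nplayer:\n  verify-xuid: true\n"

if __name__ == "__main__":
    for severity, message in audit(SAMPLE_PROPERTIES, SAMPLE_YAML):
        print(f"{severity}: {message}")
```

Point audit() at the contents of a real server.properties and pocketmine.yml (for example with open(...).read()) to check a live install.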

DDoS Protection

Server-level Protection

PocketMine-MP has limited built-in DDoS protection. For production servers:

Use DDoS Protection Service

Services like:
  • Cloudflare Spectrum
  • TCPShield
  • Path.net
  • OVH Game DDoS Protection

Rate Limiting

Implement connection rate limiting:
  • Firewall rules
  • Plugin-based protection
  • Network-level filtering

Connection Limiting

Limit connections per IP using firewall rules:
iptables
# Limit connections from single IP
iptables -A INPUT -p udp --dport 19132 -m connlimit --connlimit-above 3 -j DROP

Backup and Recovery

Regular Backups

Backup critical files regularly:
# What to backup
- worlds/
- plugins/
- server.properties
- pocketmine.yml
- ops.txt
- whitelist.json
- banned-*.txt
Automate backups with:
  • Cron jobs (Linux)
  • Task Scheduler (Windows)
  • Backup plugins
  • Server management panels

Backup Script Example

backup.sh
#!/bin/bash
# Abort on any failing command so a broken backup is noticed, not silently pruned later
set -euo pipefail

DATE=$(date +%Y-%m-%d_%H-%M-%S)
BACKUP_DIR="/path/to/backups"
SERVER_DIR="/path/to/server"

# Make sure the destination exists (tar does not create it)
mkdir -p "$BACKUP_DIR"

# Create backup
tar -czf "$BACKUP_DIR/backup-$DATE.tar.gz" \
  -C "$SERVER_DIR" \
  worlds/ plugins/ server.properties pocketmine.yml ops.txt whitelist.json

# Keep only last 7 days
find "$BACKUP_DIR" -name "backup-*.tar.gz" -mtime +7 -delete

Next Steps

Configuration

Review security-related configuration options

Updating

Learn how to safely update your server
