How to Actually Protect Your Minecraft Server from Griefers

May 05, 2026 • BaoHost Team

Let me guess. You left your free server open to the public, went to sleep, and woke up to a spawn cratered by 10,000 blocks of TNT. It happens to everyone at least once. Running a public server without protection is like leaving your front door wide open in a bad neighborhood and putting up a sign that says 'Free TVs'.

Most server owners think a whitelist is enough. It's not. Accounts get compromised constantly, and the moment someone with an alt account slips through, your world is gone. Let's lock this down properly.

Rule 1: CoreProtect is Mandatory

If you take nothing else away from this article, install CoreProtect right now. It is the holy grail of anti-griefing.

CoreProtect logs literally everything. Block breaks, block placements, items taken out of chests, doors opened, lava buckets dumped. If a griefer nukes your base, you just stand in the crater and type /co rollback radius:50 time:10h. Bam. The crater vanishes. The stolen items return to the chests. The griefer's work is undone in three seconds.

Rule 2: Stop Giving Everyone OP

We see this constantly on BaoHost. A server owner wants their friend to be able to use the /tp command, so they give them Operator status (OP level 4). That friend's account gets compromised, and now a hacker has full control over the server, including the ability to stop it remotely.

Use a permissions manager like LuckPerms. Create a 'Moderator' group. Give that group only the specific commands they need (like kick, ban, and tp). Nobody except the physical console should have OP.

Rule 3: Anti-Xray (It's Built Into Paper)

People love complaining about hackers using X-ray resource packs to strip-mine diamonds. Instead of downloading twelve sketchy anti-cheat plugins to catch them, just turn on the Anti-Xray engine that's already built into Paper.

Open your config/paper-global.yml and find the anti-xray section. Set it to engine-mode: 2. This mode actively obfuscates hidden ores by sending fake block data to the client. Hackers will look underground and see thousands of fake diamond ores instead of the real ones. It completely breaks their mods.

Rule 4: Claim Plugins

If you're running a survival server, you need a way for players to protect their own land. GriefPrevention (the golden shovel plugin) is the classic choice, but honestly, it's starting to show its age.

Look into modern alternatives like Lands or Towny depending on the vibe of your server. Let your players draw borders around their bases so they can't be touched by outsiders. If you combine this with CoreProtect, you basically make griefing physically impossible.

Don't wait until your server gets destroyed to implement this stuff. Take 20 minutes today, install Paper, drop CoreProtect in the plugins folder, and sleep soundly knowing your world is safe.