secure your server

A short checklist for Minecraft Java server owners who want a private world to stay private. Lucky is not special: any server that accepts public internet connections will be found by scanners.

[fast path]

For a normal private Java server: use paid Minecraft accounts, keep authentication on, enable the whitelist, and add only the players who should be able to join.

  1. edit: set the protection keys in server.properties.
  2. restart: reload the server so the properties take effect.
  3. verify: try joining with an account that is not on the whitelist. It should be refused at login and never reach the world.
# server.properties
online-mode=true
white-list=true
enforce-whitelist=true
hide-online-players=true
enable-rcon=false
# server console
whitelist on
whitelist add YourName
whitelist add FriendName
whitelist list

# in-game as an operator
/whitelist on
/whitelist add YourName

[what each setting does]

online-mode=true
The server checks connecting players against Minecraft account authentication. This is what stops an offline-mode client from joining as your username.
white-list=true
Only players in whitelist.json can join. Manage it with console commands instead of hand-editing JSON.
enforce-whitelist=true
Players who are already connected but not on the list are kicked when the whitelist is reloaded (for example after a whitelist reload from the console); without it they stay until they next log in. Use it with white-list=true.
hide-online-players=true
Status pings (the server list ping that every scanner sends) no longer include the online player sample. Not access control, but it stops leaking player names to whoever pings the port.
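To confirm that hide-online-players does what it should, here is an added example (not code from the page) that sends the same server list ping a scanner sends and reads the players.sample list out of the reply. The framing is the public Java Edition status protocol (VarInt-length packets, handshake id 0 with next state 1, empty status request id 0, JSON status response id 0); the two replies it checks offline are constructed, and ping() against a real host is the only networked call.

```python
# Added example (not the page's code): Minecraft Java Edition server list ping,
# used to verify whether a server exposes its online player sample.
import json
import socket
from typing import List, Tuple


def write_varint(value: int) -> bytes:
    """Encode a non-negative int as a protocol VarInt (7 bits per byte, MSB = more)."""
    out = bytearray()
    while True:
        byte = value & 0x7F
        value >>= 7
        if value:
            out.append(byte | 0x80)
        else:
            out.append(byte)
            return bytes(out)


def read_varint(buf: bytes, pos: int) -> Tuple[int, int]:
    """Decode the VarInt at buf[pos]; returns (value, position after it)."""
    result, shift = 0, 0
    while True:
        byte = buf[pos]
        pos += 1
        result |= (byte & 0x7F) << shift
        if not byte & 0x80:
            return result, pos
        shift += 7
        if shift > 35:
            raise ValueError("VarInt too long")


def write_string(text: str) -> bytes:
    data = text.encode("utf-8")
    return write_varint(len(data)) + data


def packet(packet_id: int, payload: bytes) -> bytes:
    """Frame a packet as VarInt(length) + VarInt(id) + payload."""
    body = write_varint(packet_id) + payload
    return write_varint(len(body)) + body


def build_status_ping(host: str, port: int) -> bytes:
    """Handshake with next state 1 (status) followed by an empty status request."""
    # Protocol version 0: the server answers a status request whatever it is.
    handshake = packet(0x00, write_varint(0) + write_string(host)
                       + port.to_bytes(2, "big") + write_varint(1))
    return handshake + packet(0x00, b"")


def parse_status_response(frame: bytes) -> dict:
    """Decode one framed status response packet into its JSON object."""
    _length, pos = read_varint(frame, 0)
    packet_id, pos = read_varint(frame, pos)
    if packet_id != 0x00:
        raise ValueError(f"unexpected packet id {packet_id:#x}")
    size, pos = read_varint(frame, pos)
    return json.loads(frame[pos:pos + size].decode("utf-8"))


def player_sample(status: dict) -> List[str]:
    """Names a scanner would harvest from the status; empty when none are shown."""
    return [p.get("name", "") for p in status.get("players", {}).get("sample", [])]


def ping(host: str, port: int = 25565, timeout: float = 3.0) -> dict:
    """Live check against a real server (the only networked call here)."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_status_ping(host, port))
        prefix = b""                      # the length VarInt, byte by byte
        while True:
            b = sock.recv(1)
            if not b:
                raise ConnectionError("server closed the connection")
            prefix += b
            if not b[0] & 0x80:
                break
        length, _ = read_varint(prefix, 0)
        body = b""
        while len(body) < length:         # then exactly `length` bytes of packet
            chunk = sock.recv(length - len(body))
            if not chunk:
                raise ConnectionError("short status response")
            body += chunk
    return parse_status_response(prefix + body)


# Constructed replies standing in for a real server (names are from this page).
LEAKING = packet(0x00, write_string(json.dumps({
    "version": {"name": "1.20.4", "protocol": 765},
    "players": {"max": 20, "online": 2, "sample": [
        {"name": "YourName", "id": "00000000-0000-0000-0000-000000000000"},
        {"name": "FriendName", "id": "00000000-0000-0000-0000-000000000001"}]},
    "description": {"text": "private world"},
})))
HIDDEN = packet(0x00, write_string(json.dumps({
    "version": {"name": "1.20.4", "protocol": 765},
    "players": {"max": 20, "online": 2},
    "description": {"text": "private world"},
})))

if __name__ == "__main__":
    print("leaking:", player_sample(parse_status_response(LEAKING)))
    print("hidden: ", player_sample(parse_status_response(HIDDEN)))
```

Run ping("your.host", 25565) from outside your network after the restart: player_sample() on the result should be empty. If names still come back, the setting did not take effect.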

[risk checks]

[premium servers]

If every player owns Minecraft Java Edition, leave online-mode=true. Do not turn it off to work around a temporary authentication error.

Keep the operator list small. A whitelist limits who can join, but /op decides who can run dangerous commands.

[offline mode]

A public cracked server is not protected by Minecraft account authentication. A name-based whitelist is not enough: nothing verifies that a connecting client owns the name it presents, so an attacker can simply connect with the name of someone already on the list.

If you choose online-mode=false, use a maintained login plugin (password authentication at join) and restrict access at the network layer (VPN or firewall allowlist) when possible.

[proxy checklist]

  • proxy: public port open, online mode on.
  • backend: offline mode only because the proxy authenticates.
  • firewall: backend ports accept only proxy traffic.
  • same host: bind backends to 127.0.0.1.
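The following script, an added example rather than the page's own code, turns the fast-path keys and the proxy checklist above into a repeatable check: it parses server.properties and reports keys that differ from what a standalone private server, or a backend behind a proxy, should have. The key names and the vanilla defaults it assumes for missing keys are the stock server.properties ones; the file contents it runs on are constructed.

```python
# Added example (not the page's code): audit a server.properties file against
# the settings this page recommends. Key names and the vanilla defaults used
# for missing keys are the stock server.properties ones; the sample files
# below are constructed.
from typing import Dict, List

# Vanilla defaults, used when a key is absent from the file.
DEFAULTS = {
    "online-mode": "true",
    "white-list": "false",
    "enforce-whitelist": "false",
    "hide-online-players": "false",
    "enable-rcon": "false",
}

# Expected values per deployment role.
EXPECTED = {
    # Standalone private server: authenticate, whitelist, hide names, no RCON.
    "standalone": {
        "online-mode": "true",
        "white-list": "true",
        "enforce-whitelist": "true",
        "hide-online-players": "true",
        "enable-rcon": "false",
    },
    # Backend behind a proxy: the proxy authenticates, so the backend runs
    # offline; it must then be reachable only from the proxy.
    "proxied-backend": {
        "online-mode": "false",
        "enable-rcon": "false",
    },
}


def parse_properties(text: str) -> Dict[str, str]:
    """Parse key=value lines; '#' and '!' start comments, whitespace is trimmed."""
    props: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "!")):
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props


def audit(text: str, role: str, same_host_as_proxy: bool = False) -> List[str]:
    """Return human-readable findings; an empty list means the file matches."""
    props = parse_properties(text)
    findings: List[str] = []
    for key, want in EXPECTED[role].items():
        have = props.get(key, DEFAULTS[key]).lower()
        if have != want:
            findings.append(f"{key}={have} (want {want})")
    if role == "proxied-backend" and same_host_as_proxy:
        # An offline backend on the proxy host must not listen on all interfaces.
        if props.get("server-ip", "") != "127.0.0.1":
            findings.append("server-ip is not 127.0.0.1 (backend reachable past the proxy)")
    return findings


# Constructed: authentication switched off "temporarily" and RCON left on.
WEAK = """\
# Minecraft server properties (constructed sample)
online-mode=false
white-list=false
enable-rcon=true
server-port=25565
"""

# Constructed: the fast-path settings from this page.
FIXED = """\
online-mode=true
white-list=true
enforce-whitelist=true
hide-online-players=true
enable-rcon=false
server-port=25565
"""

# Constructed: a backend on the same host as the proxy, before and after binding.
BACKEND_EXPOSED = "online-mode=false\nenable-rcon=false\nserver-port=25566\n"
BACKEND_BOUND = BACKEND_EXPOSED + "server-ip=127.0.0.1\n"

if __name__ == "__main__":
    for name, text, role, same_host in [
        ("weak standalone", WEAK, "standalone", False),
        ("fixed standalone", FIXED, "standalone", False),
        ("exposed backend", BACKEND_EXPOSED, "proxied-backend", True),
        ("bound backend", BACKEND_BOUND, "proxied-backend", True),
    ]:
        print(name, "->", audit(text, role, same_host) or "ok")
```

Point audit() at the real file with open("server.properties").read() after each restart; anything it prints is a key that still needs changing. The proxied-backend role only checks the properties file, so the firewall rule from the checklist still has to be verified separately.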