Secure Minecraft Server Access: Baseline Hardening Checklist
Apply a practical access-hardening baseline for Minecraft servers using online mode, whitelist controls, operator hygiene, and RCON safety.
March 29, 2026 by Terabit Editorial / 2 min read
This is a fast, practical hardening baseline for small and medium Minecraft servers. It is not enterprise security, but it closes the most common access risks.
15-minute checklist
- Keep online-mode=true for internet-facing Java servers.
- Enable whitelist if your server is private or community-curated.
- Limit operator (op) access to trusted admins only.
- Keep enable-rcon=false unless you have a clear need.
- Update server software and core plugins regularly.
Java server.properties baseline
In server.properties, review at least:
online-mode=true
white-list=true
enforce-whitelist=true
enable-rcon=false
Why these matter:
- online-mode=true ensures account authentication.
- whitelist blocks unapproved joins.
- enforce-whitelist=true applies whitelist changes cleanly.
- disabling RCON removes a remote control surface you may not need.
Property descriptions and warnings are documented in Minecraft Wiki: server.properties.
Access-control commands you should actually use
/whitelist on
/whitelist add PlayerName
/whitelist remove PlayerName
/whitelist reload
/op TrustedAdmin
/deop FormerStaff
Operational rule: every staff change should include an immediate whitelist/op review.
RCON and remote admin safety
If you must enable RCON:
- Use a long random password.
- Restrict network exposure (local/VPN only where possible).
- Never expose management ports broadly to the public internet.
The Java server property documentation explicitly notes RCON transport risks on untrusted networks: Minecraft Wiki: server.properties.
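The server.properties baseline and the RCON advice above can be checked mechanically. The following Python script is an added example, not part of the original article or of any Minecraft tooling: it parses a properties file and reports every deviation from the four baseline values. The 20-character password threshold and the sample file contents are assumptions constructed for illustration; rcon.password is the Java server property that holds the RCON password.

```python
# Baseline values taken from the article's server.properties section.
BASELINE = {
    "online-mode": "true",
    "white-list": "true",
    "enforce-whitelist": "true",
    "enable-rcon": "false",
}
MIN_RCON_PASSWORD_LEN = 20  # assumption: the article only says "long random"


def parse_properties(text):
    """Parse key=value lines, skipping blanks and '#' or '!' comments."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props


def audit(text):
    """Return a list of findings; an empty list means the baseline is met."""
    props = parse_properties(text)
    findings = []
    for key, want in BASELINE.items():
        have = props.get(key)
        if have is None:
            findings.append(f"{key}: not set, set it explicitly to {want}")
        elif have.lower() != want:
            findings.append(f"{key}={have}: baseline is {want}")
    # RCON left on deliberately: still require a long password.
    if props.get("enable-rcon", "").lower() == "true":
        if len(props.get("rcon.password", "")) < MIN_RCON_PASSWORD_LEN:
            findings.append("rcon.password: shorter than the minimum length")
    return findings


# Constructed sample input, not taken from a real server.
SAMPLE = """#Minecraft server properties
online-mode=true
white-list=false
enable-rcon=true
rcon.password=admin123
"""
if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)))
```

Run it against a copy of the live file after every configuration change; a missing key is reported so that the baseline value is always stated explicitly rather than left to the server default.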
Plugin and platform hygiene
- Update your server platform (Paper/Spigot/Purpur) on a regular cadence.
- Update security-relevant plugins (permissions, anti-griefing, moderation).
- Read changelogs before major version jumps.
- Test updates on staging when possible.
Paper update guidance: Paper Updating.
Bedrock differences to remember
Bedrock Dedicated Server has a different property set and naming in some areas (for example, allow-list terminology). Do not blindly copy Java property files between editions.
Reference: Minecraft Wiki: server.properties (Java and Bedrock).