Security Rules

Protect your server from unauthorized access, abuse, and attacks with these essential security practices.

A publicly accessible server is a target. Follow these rules to minimize your attack surface and keep your data safe.

Account Security

STEP 1: Enable Two-Factor Authentication

Go to your LeaderHost account → Security → Enable 2FA. Use an authenticator app (Google Authenticator, Authy, or Bitwarden). Never use SMS-based 2FA for critical accounts.

STEP 2: Use a strong, unique password

Your billing and control panel passwords should be at least 20 characters, randomly generated, and stored in a password manager. Do not reuse passwords across services.

STEP 3: Revoke unused API keys

Go to the API Keys section in your control panel. Delete any keys that are no longer in use. Create separate keys per application. Never share a single key across multiple services.

Warning:

Never commit API keys to Git repositories. If you accidentally expose a key, rotate it immediately from the control panel.

In-Game Security

Minecraft Servers

  • Keep online-mode=true to require valid Minecraft accounts
  • Use a permission plugin (LuckPerms). Never give players * (all) permissions
  • Set a strong RCON password and never expose the RCON port publicly
  • Regularly audit your operator (op) list: /whitelist and /op commands
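
The online-mode and RCON rules above can be checked automatically against a server's server.properties file. The script below is an added example, not LeaderHost tooling; it relies on the standard keys online-mode, enable-rcon, rcon.password and rcon.port, and it assumes the 20-character password guidance from the account section also applies to RCON.

```python
MIN_RCON_PASSWORD_LEN = 20  # assumption: reuses the page's 20-character password guidance

# Constructed sample input, not taken from a real server.
SAMPLE = """\
#Minecraft server properties
online-mode=false
enable-rcon=true
rcon.port=25575
rcon.password=admin123
"""

def parse_properties(text):
    """Parse key=value lines, skipping blank lines and # / ! comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#!":
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props

def audit(text):
    """Return (key, message) findings for the settings named in the list above."""
    props = parse_properties(text)
    findings = []
    # Vanilla defaults when a key is absent: online-mode=true, enable-rcon=false.
    if props.get("online-mode", "true").lower() != "true":
        findings.append(("online-mode",
                         "set online-mode=true so only valid Minecraft accounts can join"))
    if props.get("enable-rcon", "false").lower() == "true":
        password = props.get("rcon.password", "")
        if len(password) < MIN_RCON_PASSWORD_LEN:
            findings.append(("rcon.password",
                             f"RCON password is {len(password)} characters; use a random "
                             f"one of at least {MIN_RCON_PASSWORD_LEN}"))
        # A config file cannot prove the port is filtered, so always flag it for review.
        port = props.get("rcon.port", "25575")
        findings.append(("rcon.port",
                         f"RCON is enabled on port {port}; confirm it is not reachable publicly"))
    return findings

if __name__ == "__main__":
    for key, message in audit(SAMPLE):
        print(f"[{key}] {message}")
```

An empty result means none of the checked settings deviates from the rules; the rcon.port finding is a reminder to verify firewall rules, since exposure cannot be determined from the file alone.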

All Game Servers

Never share your console access

Anyone with access to your console tab has full control over your server, including the ability to delete files and execute arbitrary commands. Treat it like root SSH access.

DDoS Protection

LeaderHost includes network-level DDoS mitigation on all plans. This filters volumetric attacks before they reach your server.

File Permissions

Only grant file manager access to users who absolutely need it. Use the Subuser feature in the panel to create limited-access accounts for moderators who only need console access.