How to protect against UUID spoofing

If your backend servers are not properly protected, it is possible for hackers to change their username and join as the owner or an admin, gaining that account's permissions. This is because your backend servers have to run in offline mode for BungeeCord to work, which means an unprotected backend will accept a connection under any username a client presents.

[Recommended] Option 1: Use the PebbleHost Firewall

PebbleHost offers a configurable Firewall with every plan, and this is the easiest and most secure way to do it!

All you need to do is go to each Bukkit/Spigot/Paper (NOT BungeeCord) server, open the Advanced > Firewall page, select your BungeeCord server from the automatic configuration and hit Configure. We have more details here: How to configure a firewall on your server

[Not Recommended] Option 2: Use a plugin

Alternatively, if you are not able to use the PebbleHost Firewall, you will need to use a plugin. Plugins do help protect against this, but they are slightly less secure than a hardware firewall: packets still reach the server, so it may be vulnerable to other attacks or exploits, and if the plugin has an error it may allow an attacker to join.

The plugin we recommend is BungeeGuard which can be found here: https://github.com/lucko/BungeeGuard/releases

We recommend using Paper with BungeeGuard; if you use Spigot / Bukkit, you will also need to install the ProtocolLib plugin.
You will also need to make sure that ip_forward is set to true in your BungeeCord config, as explained in How to set up BungeeCord.

On BungeeCord:
Download the proxy plugin from https://github.com/lucko/BungeeGuard/releases and put it in the plugins folder of your BungeeCord server.
Restart the proxy.
Open the plugins/BungeeGuard/token.yml file and copy the token.
Now you need to install the backend plugin on each backend server.

On each Paper / Spigot / CraftBukkit server, NOT the proxy:
Download the backend plugin from https://github.com/lucko/BungeeGuard/releases and put it in the plugins folder on the backend server.
Open the plugins/BungeeGuard/config.yml file on each server and add the previously copied token to the allowed-tokens list, as seen below.
Restart each backend server.
Done! Your servers are now protected. You can edit config.yml at any time to your liking and restart the server to load the changes.

# Allowed authentication tokens.
allowed-tokens:
- "AUSXEwebkOGVnbihJM8gBS0QUutDzvIG009xoAfo1Huba9pGvhfjrA21r8dWVsa8"
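To show why the two options above stop a spoofed login, here is a small Python model of what a backend decides when a connection arrives. It is an added example written for this article, not BungeeGuard's or PebbleHost's own code. It assumes the ip_forward handshake format (hostname, player IP, UUID and profile properties separated by NUL bytes), that the proxy plugin adds a profile property named "bungeeguard-token" (an assumption about the property name), and uses placeholder values for the proxy address (10.0.0.2), the owner's UUID and the attacker's IP; the token is the one from the config snippet above.

```python
import hmac
import json
from dataclasses import dataclass

# Placeholder values constructed for this example.
PROXY_ADDRESSES = {"10.0.0.2"}            # the only host that should reach the backend port
ALLOWED_TOKENS = ["AUSXEwebkOGVnbihJM8gBS0QUutDzvIG009xoAfo1Huba9pGvhfjrA21r8dWVsa8"]
TOKEN_PROPERTY = "bungeeguard-token"     # assumed name of the property the proxy plugin adds
OWNER_UUID = "00000000-0000-4000-8000-000000000001"  # constructed placeholder UUID


@dataclass
class ForwardedLogin:
    source_ip: str    # TCP peer that actually connected to the backend
    hostname: str
    client_ip: str    # what the handshake claims the player's real IP is
    uuid: str         # what the handshake claims the player's UUID is
    properties: list  # forwarded profile properties (skin, and the BungeeGuard token if present)


def make_host_field(hostname, client_ip, uuid, properties):
    """Build the handshake host field the way an ip_forward proxy does."""
    return "\x00".join([hostname, client_ip, uuid, json.dumps(properties)])


def parse_handshake(source_ip, host_field):
    """Split the forwarded host field; anyone who can reach the port can craft one."""
    parts = host_field.split("\x00")
    if len(parts) != 4:
        raise ValueError("handshake is not in ip_forward format")
    hostname, client_ip, uuid, props_json = parts
    return ForwardedLogin(source_ip, hostname, client_ip, uuid, json.loads(props_json))


def firewall_allows(login, proxy_addresses=PROXY_ADDRESSES):
    """Option 1: the firewall only lets the proxy reach the backend port at all."""
    return login.source_ip in proxy_addresses


def token_is_valid(login, allowed_tokens=ALLOWED_TOKENS):
    """Option 2: accept the forwarded identity only when the handshake carries a
    token listed in allowed-tokens. Constant-time comparison avoids timing leaks."""
    presented = [p.get("value", "") for p in login.properties if p.get("name") == TOKEN_PROPERTY]
    return any(hmac.compare_digest(t, allowed) for t in presented for allowed in allowed_tokens)


def decide(login, use_firewall=True, use_plugin=True):
    """What the backend does with a connection under each protection setup."""
    if use_firewall and not firewall_allows(login):
        return "dropped: connection did not come from the proxy"
    if use_plugin and not token_is_valid(login):
        return "kicked: no valid BungeeGuard token in handshake"
    return f"accepted: {login.uuid}"


def genuine_login():
    """The owner joining through the proxy, which attached the shared token."""
    props = [{"name": TOKEN_PROPERTY, "value": ALLOWED_TOKENS[0]}]
    field = make_host_field("play.example.com", "203.0.113.5", OWNER_UUID, props)
    return parse_handshake("10.0.0.2", field)


def spoofed_login():
    """A direct connection to the backend that forges the owner's UUID (no token)."""
    field = make_host_field("play.example.com", "198.51.100.7", OWNER_UUID, [])
    return parse_handshake("198.51.100.7", field)


if __name__ == "__main__":
    for name, login in [("genuine", genuine_login()), ("spoofed", spoofed_login())]:
        print(name, "| unprotected:", decide(login, use_firewall=False, use_plugin=False))
        print(name, "| BungeeGuard only:", decide(login, use_firewall=False))
        print(name, "| firewall + BungeeGuard:", decide(login))
```

Running it shows the point of the article: with neither protection the spoofed handshake is accepted as the owner's UUID, because the backend has nothing to check it against; BungeeGuard rejects it for lacking the token, and the firewall drops it before the handshake is even read.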


Diagram

This is what your network looks like if it is not properly protected:

[Diagram: Incorrectly protected network]

This is what your network looks like if it is properly protected:

[Diagram: Protected by Firewall or BungeeGuard]