Securing your panel access

7 min read · Updated 2026-04-19

Your panel is the control center for every server you own. If an attacker gains access, they can delete worlds, steal databases, or pivot to your community's Discord.

Enable two-factor authentication

2FA is the single most effective protection against credential stuffing.

  • Go to Account Settings → Security in the panel
  • Scan the QR code with any TOTP app (Google Authenticator, Authy, Bitwarden)
  • Save your backup codes in a password manager
  • Require 2FA for all sub-users with administrative access

Use IP allowlists

If your staff works from fixed locations, restrict panel access to known IP ranges.

  • Navigate to Server Settings → Network → IP Allowlist
  • Add your office / home IPs in CIDR notation (203.0.113.0/24)
  • Test from a mobile hotspot before saving
  • For remote staff, consider a VPN concentrator
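
A dry run of an allowlist before it is saved, as an added example (not the panel's own code). It assumes the panel matches clients by standard CIDR containment; the function names and all addresses are constructed for illustration, using documentation ranges.

```python
import ipaddress

# Constructed sample allowlist (documentation ranges, not real staff addresses).
ALLOWLIST = ["203.0.113.0/24", "198.51.100.17/32", "2001:db8:10::/48"]

def parse_allowlist(entries, max_v4_addresses=1024):
    """Return (networks, problems). Strict parsing rejects entries such as
    203.0.113.5/24, where host bits are set and the intended range is ambiguous."""
    networks, problems = [], []
    for raw in entries:
        entry = raw.strip()
        try:
            net = ipaddress.ip_network(entry, strict=True)
        except ValueError as exc:
            problems.append(f"{entry}: invalid CIDR ({exc})")
            continue
        if net.prefixlen == 0:
            problems.append(f"{entry}: matches every address")
        elif net.version == 4 and net.num_addresses > max_v4_addresses:
            problems.append(f"{entry}: {net.num_addresses} addresses, wider than expected")
        networks.append(net)
    return networks, problems

def is_allowed(ip, networks):
    """True if the client address falls inside any allowlisted network."""
    addr = ipaddress.ip_address(ip)
    return any(addr.version == net.version and addr in net for net in networks)

def precheck(entries, must_allow, must_block):
    """Check that staff addresses stay reachable and that an outside address
    (for example the mobile hotspot used for testing) is rejected."""
    networks, problems = parse_allowlist(entries)
    for ip in must_allow:
        if not is_allowed(ip, networks):
            problems.append(f"{ip}: staff address would be locked out")
    for ip in must_block:
        if is_allowed(ip, networks):
            problems.append(f"{ip}: outside address would still get in")
    return problems

if __name__ == "__main__":
    # Constructed staff and hotspot addresses.
    issues = precheck(ALLOWLIST, ["203.0.113.40", "198.51.100.17"], ["192.0.2.77"])
    print("\n".join(issues) or "allowlist OK")
```

An empty result means every staff address is covered and the outside address is rejected; any line printed is a reason not to save the list yet.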

Sub-user least-privilege model

Never share your owner account. Create dedicated sub-users with the minimum permissions they need.

  • Owner — Full access. Only one person should have this.
  • Admin — Can restart, edit files, and manage databases. No billing access.
  • Moderator — Console access only. Can view logs and run commands.
  • Developer — File manager + database access. No restart or backup deletion.

Audit sub-user permissions quarterly. Remove inactive accounts immediately.

Password hygiene

  • Use a unique password generated by a password manager
  • Minimum 16 characters with mixed case, numbers, and symbols
  • Set the panel session timeout to 15 minutes on shared computers
  • Never reuse your panel password on Discord or forums

Audit and monitoring

  • Review the Activity Log weekly for unexpected logins
  • Set up Discord webhooks for critical events
  • If you suspect compromise, rotate all passwords and regenerate API keys immediately