Host Keys

Frequently in the past, Minecraft had failures in its login code where players could login to a server as any player, including administrators and moderators. Between 2010 and 2013, exploits of this nature were made public five times, frequently leading to thousands of servers being hacked.

The host keys feature was added to WorldGuard as an extra barrier to impersonation. It works because an extra piece of information, not known by Mojang, has to be sent from the client during login to a server. Even if an attacker were able to break Minecraft’s login system and join as a moderator, because the attacker’s game would lack this piece of information, the server could detect impersonation.


Security breaches of this nature are less common these days.

How It Works

When a player connects to a server with an address, say, Minecraft will tell the server that the player connected with that address. A moderator could connect to a special, secret address, and the server could easily check whether the address used by the moderator started with secretmod.

The host keys feature allows you to configure an an accepted address for certain players. If a player on the list connects with an incorrect address, he or she is kicked immediately.


Setup is done using the Configuration:



Host keys do not support UUIDs yet.

DNS Configuration

To make this work, you have to make and point to your server. However, you should not add specific records for the domains that you use, because this allows attackers to easily figure out the secret domains.

Rather, it is recommended that you setup “wildcard addresses.” An example of a wildcard address may be *, which would mean that any prefix would work (,,, etc.).


If you don’t have a domain name or can’t set a wildcard address, you can use


An alternative to host keys, although not provided by WorldGuard, is to use some sort of login command that takes a password.