How to protect your server from **MOST** cheaters easily 101

I often see servers being demolished by the most blatant “cheaters” where it could be prevented in a super easy way (explosions, peds, teleporting etc.). In this post we detail the easiest way to block or catch cheaters on your FiveM server.

Let's start with the simplest things you can do (i.e. SERVER COMMANDS / CONVARS)

Disabling networking sound PlaySoundFrom*

What a headache it was when cheaters were playing all those super loud siren sounds (or others) on my server and you couldn’t do anything about it :frowning: Now you can disable it completely by setting this server command

sv_enableNetworkedSounds false

This will also disable legitimate uses of PLAY_SOUND, but your server probably doesn’t use them. Most scripts use an external resource that handles sounds through NUI.

:warning: Setting a required pure client

⚠️ This is something I won't really recommend for most servers, as it forces a full pure client (depending on the setting).
For example, recently there’s been a lot of RPFs that would crash every person on your server (by manipulating the type of, let's say, “ambulance” and making it a helicopter, which would lead to a crash for other players).

# At this moment there are only 2 levels you can set
sv_pureLevel 1 # Will block all modified client files except audio files and known graphics mods.
sv_pureLevel 2 # Will block all modified client files.

Block all control requests (entity authority?)

Ever wondered why cheaters are able to make all cars fly? Or delete other player’s cars? (really annoying isn’t it?)

A super easy solution for all this would be setting sv_filterRequestControl

# There's 4 modes of this setting
# -1: Default, equivalent to 2 at this time, but will also warn in console.
# 0: Off. Also disables the routing bucket/entity lockdown-based policy.
# 1: Blocks control requests to entities controlled by players (currently, occupied vehicles only) that have existed for more than sv_filterRequestControlSettleTimer milliseconds (default 30000) - hereafter referred to as 'settled'.
# 2: Blocks control requests to all entities controlled by players.
# 3: Blocks control requests to all entities controlled by players, and any 'settled' non-player entities.
# 4: Does not route REQUEST_CONTROL_EVENT whatsoever.

# I would **personally** recommend setting it to 4
sv_filterRequestControl 4

Basically, this would block all control requests over a given entity by an unauthorized client.

:warning: Entity lockdown

⚠️ This setting can break many of your scripts that depend on creating entities by the client.
A super simple way of blocking user-created entities such as custom objects, vehicles, peds etc.

sv_entityLockdown inactive # Clients can create any entity they want.
sv_entityLockdown relaxed # Only script-owned entities created by clients are blocked.
sv_entityLockdown strict # No entities can be created by clients at all.

For more flexibility you could use this native https://docs.fivem.net/natives/?_0xA0F2201F or even handle the events for creating/removing entities!

:warning: Disable networked entity state change

It’s a more specific thing that blocks stuff like exclusive drivers etc.

sv_enableNetworkedScriptEntityStates false

Read more in-depth explanation about commands here!

:warning: Sanitization ConVars

FiveM has a few game_ ConVars that add extra checks to game mechanics that can be abused by cheaters. Add these to your server.cfg

setr game_sanitizeRagdollEvents true -- prevents force ragdoll cheats
setr game_sanitizePlayerAttachment 2 -- prevents vehicles and objects from being attached to players

You can optionally also add this one, which prevents cheaters from messing with other players’ cars, but beware that it completely disables the option to hijack a vehicle with a driver inside by pressing F on a door.

setr game_enableVehicleHijackFix true -- prevents vehicle hijack cheats **but also prevents pressing F on the driver door to steal a car**

:warning: Blocking network game events commonly used by cheats

Some base GTA V Network Game Events weren’t made by Rockstar with security in mind and can be easily used by cheaters to obtain weapons or armor. Using the block_net_game_event in your server.cfg, you can prevent these events from working

-- These block common game events cheaters use to get or remove weapons
block_net_game_event "GIVE_PICKUP_REWARDS_EVENT"
block_net_game_event "NETWORK_GIVE_PICKUP_REWARDS_EVENT"
block_net_game_event "REMOVE_ALL_WEAPONS_EVENT"
block_net_game_event "NETWORK_PICKUP_CARRIABLE_EVENT"
block_net_game_event "REQUEST_MAP_PICKUP_EVENT"
block_net_game_event "REQUEST_PICKUP_EVENT"
block_net_game_event "REMOVE_WEAPON_EVENT"

Simple script checks

There are plenty of simple script-level checks that you can use to detect the most common and obnoxious cheaters. Many anti-cheat resources, even free ones, implement these, but we recommend you create your own resources, tailored to your server’s needs.

Keep in mind that these are not fool-proof and as cheats evolve, they can get around such primitive checks. Here are a few easy ones to implement with basic knowledge of scripting:

Client-side

  • Detect if a player is in freecam by checking the distance between GetEntityCoords and GetFinalRenderedCamCoord.

  • Detect No Clip by checking if a ped is high above the ground (GetEntityHeightAboveGround) without being in a vehicle (IsPedInAnyVehicle), parachuting (IsPedInParachuteFreeFall) or falling (IsPedFalling)

  • Detect God Mode cheats using GetPlayerInvincible and GetPlayerInvincible_2

  • Detect infinite stamina cheats by checking if GetPlayerSprintStaminaRemaining is decreasing while the player is running (GetEntitySpeed over 6 and on foot)

  • Detect invisible players by checking these natives IsEntityVisible, IsEntityVisibleToScript, GetEntityAlpha

  • Detect increased weapon damage by checking GetWeaponDamage against known values for each weapon

Server-side

  • Monitor the entityCreating event. If a player is spawning too many peds, they are probably cheating. You can also check GetEntityPopulationType for the created ped - legitimate population peds spawned by a player will have the types 1, 2, 3, 4 or 5. Types 0 and 5 are spawned by a script and if you don’t have a script to spawn them - they are most likely created by the cheater.
    TIP: You can CancelEvent() to prevent the ped from spawning.

  • Monitor the explosionEvent event. If you don’t have explosions disabled and a player is creating too many explosions, they are likely cheating. Do not attempt to cancel explosionEvent, it results in desync.

  • Monitor the ptFxEvent event. If a player is creating too many particles, they are likely using some kind of cheat. Some freecam cheats also use txAdmin’s built-in freecam code, which creates particles with the assetHash `ent_dst_elec_fire_sp`. You can also cancel this event to prevent the particles.

  • Monitor giveWeaponEvent, removeWeaponEvent, removeAllWeaponsEvent. These can all be used by cheaters to modify other players’ weapons. The source of the event is the cheater!

  • If you are in full control of all scripts on your server you can also add more advanced checks, but making sure to exclude all legitimate ways to trigger them. For example, if a ped’s health rises without anyone having used a healing item on them, they might be cheating. Or if a player has suddenly teleported half way across the map without using a teleporter/command, they are also likely cheating.

Read more about server events here!

How do I write secure scripts?

When writing scripts, the base philosophy is to absolutely NEVER trust the client whatsoever.

An example of this would be, let's say you’re roleplaying and you work a job where you collect packages and it gives you money.

:cross_mark: WRONG/BAD PRACTICE

-- Some client-side pseudocode
if IsControlJustPressed(0, 38) then
	if hasEnoughItem("package", 1) then
		TriggerServerEvent("packages:removeItem", "package", 1)
		TriggerServerEvent("packages:addMoney", 5000)
	else
		showNotification("You don't have enough packages to sell")
	end

end

-- Server-side
RegisterNetEvent("packages:removeItem", function(item, count)
	removePlayerItem(source, item, count)
end)

RegisterNetEvent("packages:addMoney", function(money)
	addPlayerItem(source, "money", money)
end)
-- etc...

At first sight, everything works, but when a malicious user comes and sees this, they would immediately use it (packages:addMoney) as a way to generate infinite money.

:white_check_mark: CORRECT/BETTER WAY

-- Some client-side pseudocode
if IsControlJustPressed(0, 38) then
    if hasEnoughItem("package", 1) then
       TriggerServerEvent("packages:givePackage")
    else 
       showNotification("You don't have enough packages to sell")
    end
end

-- Server side
local sellPosition = vector3(100.0, 0.0, 0.0) -- Some random position doesn't matter here
RegisterNetEvent("packages:givePackage", function()
    local ped = GetPlayerPed(source)
    local position = GetEntityCoords(ped) -- hey fivem gave us this super thingy so we can use it server-sidely what and check people's positions how cool is it!?
    -- Lets double-check if the player is near the sell/give point whatever we called it earlier doesn't matter
    if #(position - sellPosition) >= 10 then -- 10 should be an enough radius to see if the player is close enough for them to sell
        return sendNotification(source, "You are too far away to give packages..")
    end

    if hasEnoughItem(source, "package", 1) then
        removePlayerItem(source, "package", 1)
        addPlayerItem(source, "money", 5000)
    end
   --- you know where it's going more and more checks!
end)

In short, write better code.

Obfuscate your files for production

Thanks to the partnership between Tebex and CFX.re, we can now ship obfuscated scripts for our users.

But how do we server-owners profit from it?

We can obfuscate our files using the FXAP tool created by FiveM so hackers can’t easily dump our client-scripts and look at them (this includes all assets & scripts)

I hope this tutorial helped you have a better understanding about hackers in 2026 2023 and how we can prevent it :smirk_cat:

If not, I'm sorry :sob: .

84 Likes
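An added example (not part of the original post) of the client-side freecam and No Clip checks listed above, using only the natives the post names. The thresholds, the strike counter and the `anticheat:report` event name are assumptions; the server should treat a report as a hint to investigate, not as proof.

```lua
-- Added example (client-side Lua). Thresholds, strike count and the
-- "anticheat:report" event name are assumptions; tune them per server.
local FREECAM_DIST   = 50.0  -- metres between the ped and the rendered camera
local NOCLIP_HEIGHT  = 8.0   -- metres above ground while on foot
local STRIKES_NEEDED = 5     -- consecutive suspicious samples before reporting
local strikes = { freecam = 0, noclip = 0 }

-- Debounce: one odd sample (scripted camera, jump, lag) resets on the next clean one.
local function sample(kind, suspicious)
    strikes[kind] = suspicious and strikes[kind] + 1 or 0
    if strikes[kind] == STRIKES_NEEDED then
        TriggerServerEvent("anticheat:report", kind)
    end
end

CreateThread(function()
    while true do
        Wait(1000)
        local ped = PlayerPedId()

        -- Freecam: the camera has wandered far away from the player's ped.
        local camDist = #(GetEntityCoords(ped) - GetFinalRenderedCamCoord())
        sample("freecam", camDist > FREECAM_DIST)

        -- No Clip: high above the ground with none of the legitimate reasons.
        local hovering = GetEntityHeightAboveGround(ped) > NOCLIP_HEIGHT
            and not IsPedInAnyVehicle(ped, false)
            and not IsPedInParachuteFreeFall(ped)
            and not IsPedFalling(ped)
        sample("noclip", hovering)
    end
end)
```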
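An added example (not part of the original post) of the server-side monitoring of `entityCreating`, `explosionEvent` and `ptFxEvent` described above, as a per-player sliding-window counter. The limits and the `flagPlayer` hook are assumptions; the population-type values 6 and 7 are taken from the `GetEntityPopulationType` native documentation and should be adjusted to your own scripts.

```lua
-- Added example (server-side Lua). Limits and flagPlayer() are assumptions.
local WINDOW_MS = 10000                                -- sliding window length
local LIMITS = { ped = 10, explosion = 8, ptfx = 30 }  -- max events per window
-- 6 = PERMANENT, 7 = MISSION per the GetEntityPopulationType native docs.
local SCRIPT_POP_TYPES = { [6] = true, [7] = true }
local hits = {}                                        -- hits[src][kind] = timestamps

-- Record one event for src; true when the window now exceeds the limit.
local function overLimit(src, kind)
    src = tostring(src)
    hits[src] = hits[src] or {}
    local now, fresh = GetGameTimer(), {}
    for _, t in ipairs(hits[src][kind] or {}) do
        if now - t < WINDOW_MS then fresh[#fresh + 1] = t end
    end
    fresh[#fresh + 1] = now
    hits[src][kind] = fresh
    return #fresh > LIMITS[kind]
end

-- Hypothetical hook: replace with your own logging, kick or ban logic.
local function flagPlayer(src, reason)
    print(("[anticheat] player %s: %s"):format(tostring(src), reason))
end

AddEventHandler("entityCreating", function(entity)
    if GetEntityType(entity) ~= 1 then return end      -- 1 = ped
    if not SCRIPT_POP_TYPES[GetEntityPopulationType(entity)] then return end
    local owner = NetworkGetEntityOwner(entity)
    if owner and owner > 0 and overLimit(owner, "ped") then
        CancelEvent()                                  -- stops this ped from spawning
        flagPlayer(owner, "ped spawn rate exceeded")
    end
end)

AddEventHandler("explosionEvent", function(sender)
    -- Count and flag only: cancelling explosionEvent results in desync.
    if overLimit(sender, "explosion") then flagPlayer(sender, "explosion rate exceeded") end
end)

AddEventHandler("ptFxEvent", function(sender)
    if overLimit(sender, "ptfx") then
        CancelEvent()                                  -- particles may be cancelled
        flagPlayer(sender, "particle effect rate exceeded")
    end
end)

AddEventHandler("playerDropped", function() hits[tostring(source)] = nil end)
```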
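An added example (not part of the original post) of the "suddenly teleported half way across the map" check, built on the same server-side `GetEntityCoords` call the secure `packages:givePackage` handler uses. `MAX_SPEED`, the sample interval and the `allowTeleport` helper are assumptions; your own teleporters, respawn logic and admin commands must call `allowTeleport` first so that legitimate jumps are excluded.

```lua
-- Added example (server-side Lua). MAX_SPEED, SAMPLE_MS and allowTeleport()
-- are assumptions, not FiveM APIs.
local SAMPLE_MS = 2000
local MAX_SPEED = 120.0   -- metres/second; assumed ceiling for legitimate travel
local last  = {}          -- last[src]  = { pos = vector3, at = game timer ms }
local grace = {}          -- grace[src] = game timer until which jumps are allowed

-- Call from your own teleporter / respawn / admin command before moving a player.
function allowTeleport(src, ms)
    grace[tostring(src)] = GetGameTimer() + (ms or 5000)
end

CreateThread(function()
    while true do
        Wait(SAMPLE_MS)
        local now = GetGameTimer()
        for _, src in ipairs(GetPlayers()) do          -- src is a string id
            local ped = GetPlayerPed(src)
            if ped and ped ~= 0 then
                local pos, prev = GetEntityCoords(ped), last[src]
                if prev and now > (grace[src] or 0) then
                    -- Average speed needed to cover the distance since the last sample.
                    local speed = #(pos - prev.pos) / ((now - prev.at) / 1000.0)
                    if speed > MAX_SPEED then
                        print(("[anticheat] player %s moved at %.0f m/s"):format(src, speed))
                    end
                end
                last[src] = { pos = pos, at = now }
            end
        end
    end
end)

AddEventHandler("playerDropped", function()
    local src = tostring(source)
    last[src], grace[src] = nil, nil                   -- free state on disconnect
end)
```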

Somebody who cares about secure code wow :clap:

7 Likes

never knew that entityLockdown and sv_enableNetworkedSounds existed :exploding_head: thanks bro

2 Likes

Great post :kissing_closed_eyes:

2 Likes

this has been a big help. thanks!

2 Likes

Thank you for trying to help make the community better!!

2 Likes

Thank you, for your time doing this :rocket:

1 Like

Great post, thanks dude!

1 Like

Where do I put this script? In Server.cfg?

Just don't add client_scripts

Dope suggestions… I appreciate the attention to detail in this post.

1 Like

thanks

VERY good post but most server owners are incompetent and can’t add that code without breaking something else.

1 Like

speak for yourself

About this. I think I know what you’re talking about but not 100%. Does not using client_scripts in the fxmanifest.lua but instead using files and internally loading the client scripts mean the client scripts are harder to read by a cheater? Please let me know if not but I would assume if we load them via files and do some encryption/decryption when loading we can make the client scripts harder to read?

Purelevel will also deny custom sound packs, graphic packs etc.

Doesn’t matter, anything and everything loaded by the client should be considered vulnerable by default. Use proper checks and don’t trust the client with anything it may manipulate instead of “encryption”, which is useless due to bytecode and other means of reading code anyway

2 Likes

I understand the client is ALWAYS vulnerable but I have previously seen a cheater dump a specific server and all the client scripts were using a custom encryption method which made all the client scripts no use to the cheater. This is what I was talking about, I know the client is always vulnerable but with custom encryption methods maybe it’s a good choice for the typical cheater joining your server

It might discourage a “typical cheater”, aka a script kid, but it won't discourage anyone determined. Again, the time and effort you spend on trying to encrypt your client-side code (assuming it somehow bypasses internal FiveM restrictions on these things, too, btw) would be better spent at simply writing more secure code, with server-side checks for anything abusable

1 Like

This is just security through obscurity, yes it will protect your scripts from potential script kiddies executing random events but at the end of the day the code is still executed on the client-side and will always be retrievable or at least its bytecode.

And even if you slap a super big custom obfuscated virtual machine onto your client-side script, it still isn’t anything secure since if someone really wants to, they can just read events that are being sent from and to the server and manipulate them how they want. I’m also not a big fan of most of those obfuscators since they all will have overhead and a huge performance hit when abused.

As @_4iY said, writing more secure code should be your biggest priority.

1 Like