How to protect your server from **MOST** cheaters easily 101

I often see servers being demolished by the most blatant “cheaters” where it could be prevented in a super easy way (explosions, peds, teleporting etc.)

Let's start with the simplest things you can do (i.e. SERVER COMMANDS / CONVARS)

Disabling networking sound PlaySoundFrom*

What a headache it was when cheaters were playing all those super loud siren sounds (or others) on my server and you couldn’t do anything about it :frowning: . Now you can disable it completely by setting this server command:

sv_enableNetworkedSounds false

As for why: your server probably doesn’t use them (or you use an external resource that handles it through NUI, so it won’t really matter)

:warning: Setting a required pure client

⚠️ This is something I won't really recommend for most servers as it forces a full pure client (depending on the setting)
For example, recently there have been a lot of RPFs that would crash every person on your server (by manipulating the type of, let’s say, “ambulance” and making it a helicopter, which would lead to a crash for other players)

# At this moment there are only 2 levels you can set
sv_pureLevel 1 # Will block all modified client files except audio files and known graphics mods.
sv_pureLevel 2 # Will block all modified client files.

Block all control requests (entity authority?)

Ever wondered why cars are “flying”/being constantly deleted on your server (really annoying isn’t it?)
A super easy solution for all this would be setting sv_filterRequestControl

# There's 4 modes of this setting actually
# -1: Default, equivalent to 2 at this time, but will also warn in console.
# 0: Off. Also disables the routing bucket/entity lockdown-based policy.
# 1: Blocks control requests to entities controlled by players (currently, occupied vehicles only) that have existed for more than sv_filterRequestControlSettleTimer milliseconds (default 30000) - hereafter referred to as 'settled'.
# 2: Blocks control requests to all entities controlled by players.
# 3: Blocks control requests to all entities controlled by players, and any 'settled' non-player entities.
# 4: Does not route REQUEST_CONTROL_EVENT whatsoever.

# I would **personally** recommend setting it to 4
sv_filterRequestControl 4

Basically, this would block all control requests over a given entity by an unauthorized client

:warning: Entity lockdown

⚠️ This setting can break many of your scripts that depend on creating entities by the client
A super simple way of blocking user created entities such as custom objects, vehicles, peds etc…

sv_entityLockdown inactive # Clients can create any entity they want.
sv_entityLockdown relaxed # Only script-owned entities created by clients are blocked.
sv_entityLockdown strict # No entities can be created by clients at all.

For more flexibility you could use this native https://docs.fivem.net/natives/?_0xA0F2201F or even handle the events for creating/removing entities!

Read more in-depth explanation about commands here!

How do I block malicious events?

What I mean by that is that people tend to forget that we should absolutely NEVER trust the client whatsoever

An example of this would be, let’s say you’re roleplaying and you work a job where you collect packages and it gives us money

:x: WRONG/BAD PRACTICE

-- Some client-side pseudocode
if IsControlJustPressed(0, 38) then
	if hasEnoughItem("package", 1) then
		TriggerServerEvent("packages:removeItem", "package", 1)
		TriggerServerEvent("packages:addMoney", 5000)
	else
		showNotification("You don't have enough packages to sell")
	end

end

-- Server-side
RegisterNetEvent("packages:removeItem", function(item, count)
	removePlayerItem(source, item, count)
end)

RegisterNetEvent("packages:addMoney", function(money)
	addPlayerItem(source, "money", money)
end)
-- etc...

At first sight, everything works, but when a malicious user comes and sees this, they would immediately use it (packages:addMoney) as a way to generate infinite money

:white_check_mark: CORRECT/BETTER WAY

-- Some client-side pseudocode
if IsControlJustPressed(0, 38) then
    if hasEnoughItem("package", 1) then
       TriggerServerEvent("packages:givePackage")
    else 
       showNotification("You don't have enough packages to sell")
    end
end

-- Server side
local sellPosition = vector3(100.0, 0.0, 0.0) -- Some random position doesn't matter here
RegisterNetEvent("packages:givePackage", function()
    local ped = GetPlayerPed(source)
    local position = GetEntityCoords(ped) -- hey fivem gave us this super thingy so we can use it server-sidely what and check people's positions how cool is it!?
    -- Let's double-check if the player is near the sell/give point, whatever we called it earlier doesn't matter
    if #(position - sellPosition) >= 10 then -- 10 should be a large enough radius to see if the player is close enough for them to sell
        return sendNotification(source, "You are too far away to give packages..")
    end

    if hasEnoughItem(source, "package", 1) then
        removePlayerItem(source, "package", 1)
        addPlayerItem(source, "money", 5000)
    end
   --- you know where it's going more and more checks!
end)

In short, write better code.

Handle onesync events

We can handle all sorts of events such as creating entities, particles, explosions and all of this stuff that hackers often do to destroy fun on our servers…

We can prevent it super easily!

As stated above we can use entityCreating, filter blocked entities (or those we don’t want) by cancelling the event on them (those that are cancellable ofc.)
Same goes with explosionEvent, ptfxEvent, removeAllWeaponsEvent etc…

Read more about server events here!
https://docs.fivem.net/docs/scripting-reference/events/server-events/

Obfuscate your files for production

Thanks to the partnership between Tebex and CFX.re, we can now ship obfuscated scripts for our users.

But how do we server-owners profit from it?

We can obfuscate our files using the FXAP tool created by FiveM so hackers can’t easily dump our client-scripts and look at them (this includes all assets & scripts)

I hope this tutorial helped you have a better understanding about hackers in 2023 and how we can prevent it :smirk_cat:

If not, I'm sorry :sob: .

45 Likes
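The entityCreating and explosionEvent handling described under "Handle onesync events", as an added example that is not part of the original post. The resource layout, the model denylist and the explosion threshold are assumptions to tune per server.

```lua
-- server.lua of a hypothetical resource (server-side only; requires OneSync).

-- Normalise hashes to unsigned 32-bit so both sides of a comparison match.
local function u32(hash) return hash & 0xFFFFFFFF end

-- Assumed denylist: models this example server never wants clients to spawn.
local blockedModels = {}
for _, name in ipairs({ "rhino", "hydra", "cargoplane" }) do
    blockedModels[u32(GetHashKey(name))] = true
end

-- Assumed limit: more than MAX_EXPLOSIONS per player within WINDOW_SECONDS is cancelled.
local MAX_EXPLOSIONS, WINDOW_SECONDS = 5, 10
local recentExplosions = {} -- [player source] = list of os.time() stamps

AddEventHandler("entityCreating", function(handle)
    local model = u32(GetEntityModel(handle))
    if not blockedModels[model] then return end
    local owner = NetworkGetEntityOwner(handle)
    print(("[guard] blocked model %d requested by player %s"):format(model, tostring(owner)))
    CancelEvent() -- cancelling entityCreating stops the entity from being created
end)

AddEventHandler("explosionEvent", function(sender, ev)
    local src, now = tostring(sender), os.time()
    local kept = {}
    -- Keep only the stamps that are still inside the sliding window.
    for _, stamp in ipairs(recentExplosions[src] or {}) do
        if now - stamp < WINDOW_SECONDS then kept[#kept + 1] = stamp end
    end
    kept[#kept + 1] = now
    recentExplosions[src] = kept

    if #kept > MAX_EXPLOSIONS then
        print(("[guard] cancelled explosion type %s from player %s (%d in %ds)")
            :format(tostring(ev.explosionType), src, #kept, WINDOW_SECONDS))
        CancelEvent() -- the explosion is not routed to other clients
    end
end)

-- Free the per-player state when the player leaves.
AddEventHandler("playerDropped", function()
    recentExplosions[tostring(source)] = nil
end)
```

Logging the owner and explosion type before cancelling gives staff a record to review, since gameplay that legitimately produces many explosions will also hit the assumed threshold.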

Somebody who cares about secure code wow :clap:

5 Likes

never knew that entityLockdown and sv_enableNetworkedSounds existed :exploding_head: thanks bro

2 Likes

Great post :kissing_closed_eyes:

2 Likes

this has been a big help. thanks!

2 Likes

Thank you for trying to help make the community better!!

2 Likes

Thank you, for your time doing this :rocket:

1 Like

Great post, thanks dude!

1 Like

Where do I put this script? In Server.cfg?

Just don't add client_scripts