WorldProtection

A comprehensive world protection plugin that allows administrators to protect specific worlds with a whitelist system

89

Quick challenge

How far can you run before the mobs catch you?

WorldProtection

WorldProtection

A comprehensive world protection plugin for Paper/Spigot servers that allows administrators to protect specific worlds with a whitelist system. Even operators are blocked from accessing protected worlds unless explicitly whitelisted.

Features

Core Features

- Multiverse Support: Enable or disable protection on any world - Multiverse Support: Only whitelisted players can access protected worlds - Multiverse Support: Blocks operators from accessing protected worlds (unless whitelisted) - Multiverse Support: World names are matched case-insensitively for convenience - Multiverse Support: `/wp go <world>` allows players to teleport to worlds (blocks if not whitelisted) - Multiverse Support: Prevents access via: - World changes - Teleportation commands - Portal usage (nether portals, end portals, etc.) - Direct world joining - Multiverse Support: Protected worlds and whitelists are saved automatically - Multiverse Support: Reload configuration without restarting server - Multiverse Support: Compatible with Multiverse-Core (soft dependency)

Security Features

- Operators are blocked by default (configurable) - Operators are always teleported away (kicks may not work on ops) - Bypass permission available but still respects operator blocking - Automatic teleportation to safe world when access is denied - Configurable safe world for teleportation - Optional kick on access denial (default: enabled) - Customizable kick message

Requirements

- Paper 1.21.x or compatible - Java 21 - Multiverse-Core (optional, for Multiverse world management)

Installation

1. Download the latest JAR from the releases page 2. Place `WorldProtection-1.0.0.jar` in your server's `plugins/` folder 3. Start or restart your server 4. Configure `plugins/WorldProtection/config.yml` to your preferences 5. Use `/wp toggle <world>` to protect worlds 6. Use `/wp whitelist <world> add <player>` to whitelist players

Configuration

config.yml

```yaml

World Protection Configuration

Default message when access is denied

messages: prefix: "&c[WorldProtection]&f " access_denied: "&cYou do not have permission to access this world!" world_protected: "&eWorld &6%world% &eis protected. Only whitelisted players can access it." world_unprotected: "&aWorld &6%world% &ais now unprotected." world_protected_enabled: "&aWorld &6%world% &ais now protected." player_whitelisted: "&aPlayer &e%player% &ahas been whitelisted for world &6%world%&a." player_unwhitelisted: "&cPlayer &e%player% &ahas been removed from whitelist for world &6%world%&c." not_whitelisted: "&cYou are not whitelisted for world &6%world%&c." world_not_found: "&cWorld &6%world% &cnot found!" no_worlds_protected: "&7No worlds are currently protected." teleport_success: "&aTeleported to world &6%world%&a." teleport_denied: "&cYou do not have permission to teleport to world &6%world%&c."

Block operators from accessing protected worlds (unless whitelisted)

block_operators: true

Kick players who try to access protected worlds

kick_on_deny: true

Safe world to teleport players to when access is denied (if kick_on_deny is false)

Leave empty to auto-find a safe world

safe_world: ""

Kick message when player is not whitelisted

kick_message: "&4You are not whitelisted on this world" ```

Configuration Options

messages - All messages can be customized with color codes - Use `%world%` placeholder for world names - Use `%player%` placeholder for player names

block_operators - `true`: Operators are blocked from protected worlds (unless whitelisted) - `false`: Operators can access protected worlds (not recommended)

kick_on_deny - `true`: Players are kicked when they try to access a protected world (default) - `false`: Players are teleported back to a safe world - Note: Operators are always teleported (kicks may not work on ops)

safe_world - Name of the world to teleport players to when access is denied and `kick_on_deny` is `false` - Leave empty (`""`) to automatically find a safe world - Must be a valid world name

kick_message - Custom message shown when a player is kicked for accessing a protected world - Supports color codes (use `&` prefix) - Default: `"&4You are not whitelisted on this world"`

Commands

Player Commands

/wp go <world> or /wp go <world> - Teleport to a world (available to all players) - Blocks teleportation if the world is protected and you're not whitelisted - Example: `/wp go creative` - Note: World names are case-insensitive

Admin Commands

All admin commands require `worldprotection.admin` permission (default: OP).

/wp toggle <world> or /wp toggle <world> - Enable or disable protection on a world - Example: `/wp toggle creative` - Note: World names are case-insensitive

/wp whitelist <world> add <player> or /wp whitelist <world> add <player> - Add a player to the whitelist for a protected world - Example: `/wp whitelist creative add PlayerName` - Note: World names are case-insensitive

/wp whitelist <world> remove <player> or /wp whitelist <world> remove <player> - Remove a player from the whitelist for a protected world - Example: `/wp whitelist creative remove PlayerName` - Note: World names are case-insensitive

/wp list or /wp list - List all currently protected worlds - Shows the number of whitelisted players per world

/wp info <world> or /wp info <world> - Show detailed information about a world's protection status - Displays protection status and whitelisted players - Note: World names are case-insensitive

/wp reload or /wp reload - Reload the configuration file and data - Requires admin permission - Example: `/wp reload`

Permissions

worldprotection.admin - Full admin access to all world protection commands - Default: `op` (operators only) - Allows: toggle protection, manage whitelist, view info

worldprotection.bypass - Bypass world protection (not recommended) - Default: `op` (operators only) - Note: Still blocked if `block_operators: true` in config

Usage Examples

Protecting a World

1. Protect a world: ``` /wp toggle creative ``` Output: `[WorldProtection] World creative is now protected.`

2. Whitelist players: ``` /wp whitelist creative add PlayerName /wp whitelist creative add AnotherPlayer ```

3. Check protection status: ``` /wp info creative ```

Unprotecting a World

1. Remove protection: ``` /wp toggle creative ``` Output: `[WorldProtection] World creative is now unprotected.`

2. Note: Whitelist is preserved but not enforced when world is unprotected

Managing Whitelist

Add a player: ``` /wp whitelist creative add PlayerName ```

Remove a player: ``` /wp whitelist creative remove PlayerName ```

View all protected worlds: ``` /wp list ```

How It Works

Protection Mechanism

When a player attempts to access a protected world, the plugin:

1. Checks if world is protected - If not protected, access is allowed

2. Checks if player is whitelisted - If whitelisted, access is allowed

3. Checks bypass permission - If player has `worldprotection.bypass`, access is allowed - Exception: If `block_operators: true` and player is OP, still blocked

4. Blocks access if all checks fail - If `kick_on_deny: true`: Kicks player with configured kick message - If `kick_on_deny: false`: Teleports player to safe world (configured or auto-found) - Operators are always teleported away (kicks may not work on ops) - Sends access denied message - Multiple event handlers ensure blocking works regardless of access method

Access Methods Blocked

The plugin blocks access through:

- Portals: When a player changes worlds (via any method) - Portals: When a player joins the server in a protected world - Portals: All teleportation commands and events (including `/wp go`) - Portals: Nether portals, end portals, and other portal types

Operator Blocking

Operators are handled specially: - They are always blocked from protected worlds (when `block_operators: true`) - They are always teleported away (kicks may not work on operators) - Multiple event handlers ensure operators cannot stay in protected worlds - Even if a kick fails, operators are immediately teleported to a safe world

Data Storage

Protected worlds and whitelists are stored in: ``` plugins/WorldProtection/data.yml ```

This file is automatically created and updated when: - Worlds are protected/unprotected - Players are added/removed from whitelists

File Structure

``` plugins/WorldProtection/ ├── config.yml # Configuration file └── data.yml # Protected worlds and whitelists (auto-generated) ```

Troubleshooting

Operators can still access protected worlds: - Check `block_operators` in config.yml (should be `true`) - Ensure operators are not whitelisted - Verify they don't have `worldprotection.bypass` permission - Operators should be teleported away immediately - if not, check server logs - Try using `/wp go <world>` as an operator - you should be blocked and teleported away

Players can still access protected worlds: - Check if world is actually protected: `/wp list` - Verify player is not whitelisted: `/wp info <world>` - Check if player has bypass permission

Whitelist not working: - Ensure world is protected: `/wp toggle <world>` - Verify player was added correctly: `/wp info <world>` - Check data.yml file for correct UUIDs

Players getting stuck: - If a player is in a protected world when protection is enabled, they will be teleported out immediately - Use `/wp whitelist <world> add <player>` to allow them access - Or temporarily unprotect the world: `/wp toggle <world>` - Players can use `/wp go <world>` to attempt teleportation (will be blocked if not whitelisted)

Multiverse worlds not working: - Ensure Multiverse-Core is installed (optional but recommended) - World names are matched case-insensitively, so you can use any case - Use `/mv list` to see world names, but you can use any case variation

Security Considerations

Operator Blocking

By default, operators are blocked from accessing protected worlds. This is intentional and provides additional security:

- Prevents accidental access by admins - Ensures only explicitly whitelisted players can access - Maintains strict access control - Operators are always teleported away (kicks may not work on operators) - Multiple event handlers ensure operators cannot bypass protection

To allow operators access, you must: 1. Whitelist them: `/wp whitelist <world> add <operator_name>` 2. Or set `block_operators: false` in config.yml (not recommended)

Important: Even if `kick_on_deny` is enabled, operators are teleported instead of kicked, as server protections may prevent kicking operators.

Bypass Permission

The `worldprotection.bypass` permission exists for special cases but: - Still respects `block_operators` setting - Should be used sparingly - Consider whitelisting instead for better tracking

API

Public Methods

```java // Check if a world is protected boolean isWorldProtected(String worldName)

// Check if a player is whitelisted for a world boolean isPlayerWhitelisted(UUID playerUUID, String worldName)

// Check if a player can access a world boolean canAccessWorld(Player player, String worldName) ```

Events

The plugin listens to and handles: - `PlayerJoinEvent` - Blocks players joining in protected worlds - `PlayerChangedWorldEvent` - Blocks world changes - `PlayerTeleportEvent` - Blocks teleportation - `PlayerPortalEvent` - Blocks portal usage

Version

Current Version: 1.0.0

Support

For issues, feature requests, or questions, please open an issue on the project repository.

License

This plugin is provided as-is for use on Minecraft servers.

Credits

Developed for Paper 1.21.x servers with optional Multiverse-Core integration.

ADS