WorldProtection
A comprehensive world protection plugin that allows administrators to protect specific worlds with a whitelist system
Quick challenge
How far can you run before the mobs catch you?
Minecraft check
Confirm your run
Complete the quick check to get your code.
WorldProtection
WorldProtection
A comprehensive world protection plugin for Paper/Spigot servers that allows administrators to protect specific worlds with a whitelist system. Even operators are blocked from accessing protected worlds unless explicitly whitelisted.
Features
Core Features
- Multiverse Support: Enable or disable protection on any world - Multiverse Support: Only whitelisted players can access protected worlds - Multiverse Support: Blocks operators from accessing protected worlds (unless whitelisted) - Multiverse Support: World names are matched case-insensitively for convenience - Multiverse Support: `/wp go <world>` allows players to teleport to worlds (blocks if not whitelisted) - Multiverse Support: Prevents access via: - World changes - Teleportation commands - Portal usage (nether portals, end portals, etc.) - Direct world joining - Multiverse Support: Protected worlds and whitelists are saved automatically - Multiverse Support: Reload configuration without restarting server - Multiverse Support: Compatible with Multiverse-Core (soft dependency)
Security Features
- Operators are blocked by default (configurable) - Operators are always teleported away (kicks may not work on ops) - Bypass permission available but still respects operator blocking - Automatic teleportation to safe world when access is denied - Configurable safe world for teleportation - Optional kick on access denial (default: enabled) - Customizable kick message
Requirements
- Paper 1.21.x or compatible - Java 21 - Multiverse-Core (optional, for Multiverse world management)
Installation
1. Download the latest JAR from the releases page 2. Place `WorldProtection-1.0.0.jar` in your server's `plugins/` folder 3. Start or restart your server 4. Configure `plugins/WorldProtection/config.yml` to your preferences 5. Use `/wp toggle <world>` to protect worlds 6. Use `/wp whitelist <world> add <player>` to whitelist players
Configuration
config.yml
```yaml
World Protection Configuration
Default message when access is denied
messages: prefix: "&c[WorldProtection]&f " access_denied: "&cYou do not have permission to access this world!" world_protected: "&eWorld &6%world% &eis protected. Only whitelisted players can access it." world_unprotected: "&aWorld &6%world% &ais now unprotected." world_protected_enabled: "&aWorld &6%world% &ais now protected." player_whitelisted: "&aPlayer &e%player% &ahas been whitelisted for world &6%world%&a." player_unwhitelisted: "&cPlayer &e%player% &ahas been removed from whitelist for world &6%world%&c." not_whitelisted: "&cYou are not whitelisted for world &6%world%&c." world_not_found: "&cWorld &6%world% &cnot found!" no_worlds_protected: "&7No worlds are currently protected." teleport_success: "&aTeleported to world &6%world%&a." teleport_denied: "&cYou do not have permission to teleport to world &6%world%&c."
Block operators from accessing protected worlds (unless whitelisted)
block_operators: true
Kick players who try to access protected worlds
kick_on_deny: true
Safe world to teleport players to when access is denied (if kick_on_deny is false)
Leave empty to auto-find a safe world
safe_world: ""
Kick message when player is not whitelisted
kick_message: "&4You are not whitelisted on this world" ```
Configuration Options
messages - All messages can be customized with color codes - Use `%world%` placeholder for world names - Use `%player%` placeholder for player names
block_operators - `true`: Operators are blocked from protected worlds (unless whitelisted) - `false`: Operators can access protected worlds (not recommended)
kick_on_deny - `true`: Players are kicked when they try to access a protected world (default) - `false`: Players are teleported back to a safe world - Note: Operators are always teleported (kicks may not work on ops)
safe_world - Name of the world to teleport players to when access is denied and `kick_on_deny` is `false` - Leave empty (`""`) to automatically find a safe world - Must be a valid world name
kick_message - Custom message shown when a player is kicked for accessing a protected world - Supports color codes (use `&` prefix) - Default: `"&4You are not whitelisted on this world"`
Commands
Player Commands
/wp go <world> or /wp go <world> - Teleport to a world (available to all players) - Blocks teleportation if the world is protected and you're not whitelisted - Example: `/wp go creative` - Note: World names are case-insensitive
Admin Commands
All admin commands require `worldprotection.admin` permission (default: OP).
/wp toggle <world> or /wp toggle <world> - Enable or disable protection on a world - Example: `/wp toggle creative` - Note: World names are case-insensitive
/wp whitelist <world> add <player> or /wp whitelist <world> add <player> - Add a player to the whitelist for a protected world - Example: `/wp whitelist creative add PlayerName` - Note: World names are case-insensitive
/wp whitelist <world> remove <player> or /wp whitelist <world> remove <player> - Remove a player from the whitelist for a protected world - Example: `/wp whitelist creative remove PlayerName` - Note: World names are case-insensitive
/wp list or /wp list - List all currently protected worlds - Shows the number of whitelisted players per world
/wp info <world> or /wp info <world> - Show detailed information about a world's protection status - Displays protection status and whitelisted players - Note: World names are case-insensitive
/wp reload or /wp reload - Reload the configuration file and data - Requires admin permission - Example: `/wp reload`
Permissions
worldprotection.admin - Full admin access to all world protection commands - Default: `op` (operators only) - Allows: toggle protection, manage whitelist, view info
worldprotection.bypass - Bypass world protection (not recommended) - Default: `op` (operators only) - Note: Still blocked if `block_operators: true` in config
Usage Examples
Protecting a World
1. Protect a world: ``` /wp toggle creative ``` Output: `[WorldProtection] World creative is now protected.`
2. Whitelist players: ``` /wp whitelist creative add PlayerName /wp whitelist creative add AnotherPlayer ```
3. Check protection status: ``` /wp info creative ```
Unprotecting a World
1. Remove protection: ``` /wp toggle creative ``` Output: `[WorldProtection] World creative is now unprotected.`
2. Note: Whitelist is preserved but not enforced when world is unprotected
Managing Whitelist
Add a player: ``` /wp whitelist creative add PlayerName ```
Remove a player: ``` /wp whitelist creative remove PlayerName ```
View all protected worlds: ``` /wp list ```
How It Works
Protection Mechanism
When a player attempts to access a protected world, the plugin:
1. Checks if world is protected - If not protected, access is allowed
2. Checks if player is whitelisted - If whitelisted, access is allowed
3. Checks bypass permission - If player has `worldprotection.bypass`, access is allowed - Exception: If `block_operators: true` and player is OP, still blocked
4. Blocks access if all checks fail - If `kick_on_deny: true`: Kicks player with configured kick message - If `kick_on_deny: false`: Teleports player to safe world (configured or auto-found) - Operators are always teleported away (kicks may not work on ops) - Sends access denied message - Multiple event handlers ensure blocking works regardless of access method
Access Methods Blocked
The plugin blocks access through:
- Portals: When a player changes worlds (via any method) - Portals: When a player joins the server in a protected world - Portals: All teleportation commands and events (including `/wp go`) - Portals: Nether portals, end portals, and other portal types
Operator Blocking
Operators are handled specially: - They are always blocked from protected worlds (when `block_operators: true`) - They are always teleported away (kicks may not work on operators) - Multiple event handlers ensure operators cannot stay in protected worlds - Even if a kick fails, operators are immediately teleported to a safe world
Data Storage
Protected worlds and whitelists are stored in: ``` plugins/WorldProtection/data.yml ```
This file is automatically created and updated when: - Worlds are protected/unprotected - Players are added/removed from whitelists
File Structure
``` plugins/WorldProtection/ ├── config.yml # Configuration file └── data.yml # Protected worlds and whitelists (auto-generated) ```
Troubleshooting
Operators can still access protected worlds: - Check `block_operators` in config.yml (should be `true`) - Ensure operators are not whitelisted - Verify they don't have `worldprotection.bypass` permission - Operators should be teleported away immediately - if not, check server logs - Try using `/wp go <world>` as an operator - you should be blocked and teleported away
Players can still access protected worlds: - Check if world is actually protected: `/wp list` - Verify player is not whitelisted: `/wp info <world>` - Check if player has bypass permission
Whitelist not working: - Ensure world is protected: `/wp toggle <world>` - Verify player was added correctly: `/wp info <world>` - Check data.yml file for correct UUIDs
Players getting stuck: - If a player is in a protected world when protection is enabled, they will be teleported out immediately - Use `/wp whitelist <world> add <player>` to allow them access - Or temporarily unprotect the world: `/wp toggle <world>` - Players can use `/wp go <world>` to attempt teleportation (will be blocked if not whitelisted)
Multiverse worlds not working: - Ensure Multiverse-Core is installed (optional but recommended) - World names are matched case-insensitively, so you can use any case - Use `/mv list` to see world names, but you can use any case variation
Security Considerations
Operator Blocking
By default, operators are blocked from accessing protected worlds. This is intentional and provides additional security:
- Prevents accidental access by admins - Ensures only explicitly whitelisted players can access - Maintains strict access control - Operators are always teleported away (kicks may not work on operators) - Multiple event handlers ensure operators cannot bypass protection
To allow operators access, you must: 1. Whitelist them: `/wp whitelist <world> add <operator_name>` 2. Or set `block_operators: false` in config.yml (not recommended)
Important: Even if `kick_on_deny` is enabled, operators are teleported instead of kicked, as server protections may prevent kicking operators.
Bypass Permission
The `worldprotection.bypass` permission exists for special cases but: - Still respects `block_operators` setting - Should be used sparingly - Consider whitelisting instead for better tracking
API
Public Methods
```java // Check if a world is protected boolean isWorldProtected(String worldName)
// Check if a player is whitelisted for a world boolean isPlayerWhitelisted(UUID playerUUID, String worldName)
// Check if a player can access a world boolean canAccessWorld(Player player, String worldName) ```
Events
The plugin listens to and handles: - `PlayerJoinEvent` - Blocks players joining in protected worlds - `PlayerChangedWorldEvent` - Blocks world changes - `PlayerTeleportEvent` - Blocks teleportation - `PlayerPortalEvent` - Blocks portal usage
Version
Current Version: 1.0.0
Support
For issues, feature requests, or questions, please open an issue on the project repository.
License
This plugin is provided as-is for use on Minecraft servers.
Credits
Developed for Paper 1.21.x servers with optional Multiverse-Core integration.