PluginGuard

Why PluginGuard?
Knowing which plugins a server runs is the first step in attacking it. A player who knows you run a specific economy plugin, an outdated permissions plugin, or a known-vulnerable utility can target published CVEs or exploit known quirks. Default Bukkit gives that information away to anyone who types /pl.
PluginGuard closes every public surface that leaks plugin presence:

• /plugins, /pl, /ver, /version, /about, /icanhasbukkit
• bukkit: and minecraft: prefixed command probing
• Tab-completion enumeration via /[tab]
• Permission-error vs unknown-command distinction (used to enumerate plugin existence)
• Server-list ping / MOTD protocol brand identification

Features

• Hide Mode — choose how the server responds to probes:
  • unknown-command — indistinguishable from a typo (most realistic)
  • empty — returns Plugins (0):
  • fake-list — return a configurable list of plausible-looking decoys
  • permission-denied — pretend the player simply lacks permission
• Plugin Spoofing — make a hardened production server look like vanilla Paper with two utility plugins.
• bukkit: / minecraft: Prefix Protection — block or redirect prefixed-command probes.
• Tab-Completion Hardening — strip plugin commands from autocomplete suggestions.
• Common Plugin Blocklist — /essentials, /lp, /we, /co, /mv, /dynmap, /gp and friends all return "Unknown command" — denying the distinction attackers use to enumerate.
• Server-Brand Spoofing — return vanilla (or anything you configure) in MOTD / server-list ping responses.
• Aggressive Mode — block every plugin command by default; only players with explicit <command>.use permission may use them.
• Probe Logging & Pattern Detection — record probe attempts and alert online admins when a player crosses a weighted-score threshold within a sliding window. Categories are weighted so legitimate /help use is ignored but a bukkit:-prefixed probe plus a couple of enumeration attempts trips the detector.
• Honeypot Commands — list fake commands no legitimate user would ever type. A single hit fires an alert by itself — near-zero false-positive tripwire.
• Bypass Permission — staff with pluginguard.bypass see the real server, untouched, and never trigger detection.
• Hot Reload — /pluginguard reload swaps the live configuration atomically.

Compatibility

• Minecraft: 1.21.x and 26.x.x
• Java: 21+ (1.21.x) / 25+ (26.x.x)
• Recommended: Paper, Purpur, Pufferfish, Folia, Leaf and other Paper forks
• Spigot / CraftBukkit: loads cleanly — server-brand spoofing is disabled because the underlying event is Paper-only
• Folia: fully supported, lock-free, no scheduler use

Performance
PluginGuard is built to be invisible to your TPS.

• Listener-driven — no background threads. Schedulers are only used on the cold path: probe-log file writes and admin alert broadcasts are dispatched off the calling region thread via Paper / Folia's async and global-region schedulers, so the event handlers themselves stay cheap.
• Lock-free hot path — config is held in an immutable snapshot behind a volatile reference, accessed without contention from every Folia region thread.
• Minimal per-command work — the command listener slices the base command by index and lowercases only that, so per-event CPU is bounded by the command name length, not the message length.
• No runtime reflection — used only at startup to detect Paper vs. Spigot.

Configuration
The full config.yml ships with inline comments explaining every option. A taste:
Probe-detector weights

• Honeypot (weight 5) — anything listed under honeypot-commands; single hit triggers
• High (weight 3) — bukkit: / minecraft: prefixed probes, /icanhasbukkit
• Medium (weight 2) — /pl, /plugins, /ver, /version, /about
• Low (weight 1) — /lp, /we, /co, /mv, /dynmap, ...
• /help and /? are deliberately never tracked — too commonly legitimate.

Commands

• /pluginguard reload — atomically reload the configuration
• /pluginguard status — show current protection status
• Alias: /pg

Permissions

• pluginguard.bypass — see the real plugin list and bypass all hiding (default: op)
• pluginguard.reload — reload PluginGuard configuration (default: op)
• pluginguard.alerts — receive in-game probe-detector alerts (default: op)

Installation

1. Drop PluginGuard-<version>.jar into your plugins/ folder.
2. Start the server once to generate plugins/PluginGuard/config.yml.
3. Edit the config to taste and run /pluginguard reload.

No external dependencies. No database. No web dashboard.