How to allow cracked players to join your Minecraft server (Disable Online Mode)

Allowing “cracked” (non-premium) players to join your Minecraft Java server comes down to a single line in server.properties: online-mode=false. That switch is easy to flip — the hard part is understanding what you give up when you do it, and how to put guardrails back in place so a single setting doesn’t hand control of your server to a stranger. This guide walks through exactly what online mode does, how to disable it, the real security consequences (impersonation, UUID drift, orphaned player data), and the proxy- and plugin-based patterns experienced admins use to run offline-mode networks without getting wrecked.

What “online mode” actually does

When a player connects to a Java Edition server, the server normally checks that account against Mojang/Microsoft authentication servers. This verifies the player owns a legitimate copy of the game and confirms their username and account-bound UUID are genuine. That verification is controlled by the online-mode key in server.properties, which defaults to true.

Set it to false and the server stops contacting the auth servers entirely. Anyone running a non-premium (“cracked”) client can join, because the server no longer asks Mojang to vouch for them. Network traffic is still encrypted, but the identity behind the connection is no longer verified. That is the whole trade: you trade away identity verification to let unauthenticated clients in.

How to disable online mode

Stop your server, open server.properties in the server’s root directory, find the line, and change it:

# server.properties
online-mode=false

Save the file and restart the server (a live /reload will not pick up server.properties changes — you need a full stop/start). The format is plain key=value, one per line, so make sure you don’t leave a stray space or duplicate the key. On most managed hosts you can edit server.properties directly from the control panel’s file manager, or there’s often a dedicated toggle in the panel UI. If you’re on our platform, the steps are spelled out in the Minecraft server setup documentation, and you can spin up a box to test on in minutes with our managed Minecraft hosting.

That’s it for the mechanical part. Everything below is about doing it without opening yourself up to the abuse that offline mode invites.

The security risks (read this before you ship it)

Impersonation — the big one

With online-mode=false, the server cannot verify who anyone is. That means anyone can join using any username they like — including yours. If your admin account is named Notch and you’ve opped Notch, a complete stranger can connect with the username Notch, and the server will treat them as you: same op level, same inventory, same permissions, same access to /stop and every other command. Spoofing an opped name is effectively a full takeover. This is not a theoretical edge case; it’s the single most common way offline-mode servers get destroyed.

UUID drift and orphaned player data

Online servers identify players by their Mojang account UUID. In offline mode there’s no account to pull a UUID from, so the server generates a UUID from the username instead (a name-based, “offline” UUID). These offline UUIDs are different from the online ones. The practical consequences:

• If you flip an existing online server to offline mode, every player’s UUID changes — so their saved inventory, ender chest, advancements, op status, and permission assignments can become orphaned and appear “lost,” because the server is now looking them up under a different ID.
• Two players who pick the same username get the same offline UUID, so their data collides.
• Migrating back to online mode causes the same problem in reverse.

Decide online vs. offline before you build a world you care about, and don’t flip back and forth on a populated server.

No skin authentication

Because there’s no account behind a connection, there’s no authenticated skin either. Skins won’t load the way they do on an online server unless you add a plugin that fetches them. It’s cosmetic, but it surprises people.

Making offline mode safe: the proxy pattern

The standard professional answer to “I need cracked players but I don’t want impersonation” is to put your server behind a proxy that re-implements authentication and identity. The two mainstream proxies are BungeeCord/Waterfall and Velocity.

The architecture works like this:

1. The proxy is the public-facing server players connect to. It handles online-mode/auth decisions and player identity.
2. The backend Minecraft servers run in offline mode (so they trust the proxy) and use IP forwarding, which lets the proxy pass along the real, proxy-resolved identity of each player to the backend.
3. You firewall the backends so that only the proxy can reach them. This is the critical step — a backend in offline mode with no firewall is wide open. If someone can reach the backend directly, they bypass the proxy’s identity layer entirely and you’re back to the impersonation problem.

This is also how multi-server networks (hub, survival, minigames) are built, so the proxy pattern earns its keep beyond just cracked support. If you’re running a network like this, see our guide to adding ops correctly — getting op identity right matters even more when authentication is relaxed.

Auth plugins (AuthMe and similar)

The other common mitigation is an in-server login plugin such as AuthMe. These force every player to /register a password on first join and /login on subsequent joins, so even if someone connects using your opped username, they can’t act until they enter the password only the real owner knows. This is the classic protection for standalone cracked servers that aren’t behind a proxy.

Exact AuthMe configuration varies by version, so set it up against the plugin’s current documentation rather than copy-pasting a years-old config. The principle is the constant: a username alone must never grant authority on an offline server — there has to be a second factor (a password, or a proxy-enforced identity).

Whitelist + cracked: do they work together?

Yes, and a whitelist is one of the cheapest, most effective protections for a small offline server. The relevant server.properties keys:

Key	Default	What it does
white-list	false	Enables access control via whitelist.json. Ops are auto-whitelisted.
enforce-whitelist	false	When true, kicks already-online players who aren’t whitelisted after a whitelist reload.
online-mode	true	Set to false for cracked/offline. Disables Mojang/Microsoft auth.

Manage entries with the vanilla commands:

/whitelist on
/whitelist add PlayerName
/whitelist remove PlayerName
/whitelist list

There’s one important catch unique to offline mode. On an online server, the whitelist binds a username to a verified Mojang UUID, so an impostor using a whitelisted name is still blocked (their real UUID won’t match). On an offline server, the whitelist effectively matches on the offline (name-based) UUID — which is derived from the username. That means a whitelist keeps out anyone whose username isn’t on the list, but it does not stop someone who simply types a whitelisted username into a cracked client. So a whitelist is a solid first wall (it blocks the casual griefer scanning for open offline servers), but it is not a substitute for an auth plugin or a proxy when it comes to impersonation. Layer them.

Turn on enforce-whitelist=true as well, so that if you remove someone mid-session they’re actually kicked rather than allowed to linger until they log out.

Locking down ops so impersonation can’t escalate

Because impersonation is the headline risk, your op setup matters more on an offline server than anywhere else. Java’s ops.json is an array of objects, each with a permission level from 1 to 4:

[
  {
    "uuid": "a1b2c3d4-e5f6-7890-abcd-ef1234567890",
    "name": "PlayerName",
    "level": 4,
    "bypassesPlayerLimit": false
  }
]

The four levels are cumulative:

• Level 1 (Moderator) — can bypass spawn protection.
• Level 2 (Gamemaster) — command blocks, /difficulty, target selectors, most cheat commands.
• Level 3 (Admin) — multiplayer management: /ban, /kick, /whitelist, opping others.
• Level 4 (Owner) — everything, including /stop and /save-all.

The /op command grants the level set by op-permission-level in server.properties (default 4). To assign a custom level (1–3), edit the level field in ops.json by hand, then restart. On an offline server, prefer giving day-to-day staff the lowest level that does their job — a leaked level-3 name is bad, but a leaked level-4 name is catastrophic. Note too that the server console always runs at the level-4 equivalent, so anyone with panel/console access has full control regardless of op state. Our deeper walkthrough of editing ops.json and using /op covers the per-level breakdown in detail.

Moderation tools for offline servers

Vanilla gives you blunt instruments. /ban is permanent only — there’s no built-in duration — and /ban-ip bans by address. On an offline server, IP-based bans are actually more useful than name-based ones, since names can be spoofed but a connecting IP can’t (short of a VPN). For graduated moderation you’ll want a plugin server fork (Paper/Spigot/Purpur) plus EssentialsX or a dedicated moderation plugin:

• /tempban — temporary ban (EssentialsX or LiteBans).
• /mute [duration] — chat mute (EssentialsX).
• EssentialsX also brings kits, warps, homes, and a built-in economy if you’re building out a fuller server.

Plain vanilla server.jar from Mojang cannot load plugins — you need Paper, Spigot, Bukkit, Purpur, or Folia. Most cracked communities run Paper anyway for performance and the built-in anti-cheat helpers. If you decide to add an economy later, our guide to adding money to any Minecraft server covers the EssentialsX + Vault setup.

A sane offline-server checklist

Put together, here’s the layered setup that keeps an offline server from becoming a free-for-all:

1. Set online-mode=false only after you’ve planned the rest of this list.
2. Enable white-list=true and enforce-whitelist=true; add players explicitly.
3. Install an auth plugin (AuthMe-style) so a username never grants authority on its own — or run behind a BungeeCord/Velocity proxy with backends firewalled to the proxy only.
4. Keep op levels minimal; reserve level 4 for the owner. Remember the console is already level 4.
5. Run Paper (or another fork) + EssentialsX/LiteBans for /tempban and /mute, and prefer IP bans for repeat offenders.
6. Never flip an existing online world to offline mode in place — the UUID change orphans player data.

A note on Bedrock

This whole topic is a Java Edition concern. Bedrock Dedicated Server (BDS) handles identity through Xbox Live and identifies players by XUID rather than a Mojang UUID, and its whitelist is the allow-list property backed by allowlist.json (not white-list/whitelist.json). Bedrock also runs over UDP on port 19132 (IPv4) versus Java’s TCP port 25565. “Cracked Bedrock” is a different animal and the Java offline-mode techniques above don’t map onto it directly.

Frequently asked questions

How do I allow cracked players on a Minecraft server?

Stop the server, open server.properties, change online-mode=true to online-mode=false, save, and restart. That alone lets non-premium clients join. Before you do, add a whitelist (white-list=true) and either an auth plugin or a proxy, because offline mode removes all identity verification and lets anyone connect under any username — including an opped one.

Is running a cracked (offline-mode) Minecraft server safe?

It’s only as safe as the guardrails you add. By itself, online-mode=false is unsafe: the server can’t verify identity, so impersonation of admins is trivial. With a whitelist, an AuthMe-style login plugin (or a properly firewalled BungeeCord/Velocity proxy), and minimal op levels, you can run a stable offline server. The danger is leaving any one of those layers off.

Why did my players lose their inventories after I disabled online mode?

Because UUIDs changed. Online mode uses each player’s Mojang account UUID; offline mode generates a different, name-based UUID. When you flip the setting on a populated world, the server starts looking players up under their new offline UUID, so their old inventory, ender chest, advancements, and op status appear lost (they’re still on disk under the old UUID). Decide online vs. offline before building a world you care about, and avoid switching on a live server.

Can I use a whitelist with a cracked server?

Yes — set white-list=true (and enforce-whitelist=true) and manage names with /whitelist add. It blocks anyone whose username isn’t listed, which stops casual griefers. But on offline servers the whitelist matches on a name-derived UUID, so it can’t stop someone who types a whitelisted name into a cracked client. Pair the whitelist with an auth plugin or proxy for real impersonation protection.

How do BungeeCord and Velocity make offline mode safer?

The proxy becomes the public entry point and owns identity, while your backend servers run in offline mode with IP forwarding so they trust the proxy’s resolved identity for each player. The essential step is firewalling the backends so only the proxy can reach them — otherwise someone can connect to a backend directly and bypass the proxy’s identity layer entirely. Velocity is the modern choice; BungeeCord/Waterfall is the long-standing alternative.

Do I need a special server jar to allow cracked players?

No — online-mode=false works on the vanilla Mojang server.jar. But you almost certainly want a plugin fork (Paper, Spigot, Purpur) so you can install AuthMe for login protection and EssentialsX/LiteBans for /tempban and /mute. Vanilla can’t load plugins, and on an offline server those plugins are exactly the protections you need.

Wrapping up

Disabling online mode is one line, but running a healthy offline server is a stack: whitelist, auth (plugin or proxy), tight op levels, and a moderation plugin for graduated bans. Get those in place and a cracked server is perfectly manageable. While you’re tuning the server, you might also want to stop creeper explosions from damaging builds or freeze the day/night cycle — small config tweaks that make a community server feel finished. And if you’d rather not manage the file edits and firewalling yourself, a managed host handles the plumbing so you can focus on the world.

Ready to play?

Run your own Minecraft server with XGamingServer

Spin up an always-on Minecraft server your friends can join in minutes — no port-forwarding, no tech headaches.

99.9%Uptime SLA

< 5 minInstant setup

24/7Human support

DDoSProtected

Instant setup Your server is live in minutes with a one-click control panel.

Mods & plugins Install mods, plugins and workshop content in a few clicks.

DDoS protected Enterprise DDoS mitigation keeps your server online 24/7.

Low-latency hardware Premium CPUs & NVMe SSDs for lag-free multiplayer.

Free backups Automatic backups so your world is never lost.

Real human support Gamers helping gamers — 24/7, no bots, no scripts.

Pick your Minecraft plan & play in minutes

See all plans

Starter $8.40/mo 4 GB RAM Renews $12/mo Buy now

Most popular Novice $10.50/mo 6 GB RAM Renews $15/mo Buy now

Rookie $17.50/mo 8 GB RAM Renews $25/mo Buy now

Pro $24.50/mo 12 GB RAM Renews $35/mo Buy now