Good security habits

A practical checklist for players, small studios, and communities using Expanse: passwords, RCON, SSH, and sharing access safely.

Expanse secures the platform; you secure how you use your services. A short, consistent checklist is better than a one-time “security week” that everyone forgets. The items here are the ones that come up most often in real incidents, and most cost nothing except your time.

For everyone (panel and life online)

  • Do not share your owner sign-in — add a real user with a team role instead. Revoke their access when they leave.
  • Turn on 2FA for your Expanse user. See Two-factor authentication (2FA).
  • Beware of fake “support” in Discord or DMs. Real billing never asks for your full card. Use Support and contact through official paths only.
  • Check links before you click. The panel and main site use domains you can verify in the address bar. If a message says “log in over here for a refund” and the domain is new to you, do not use it.

Game servers and admin tools

  • Change default passwords for anything the game or panel gives you as a “demo” or “temp” value.
  • RCON, console, and admin web panels that face the public internet: use long random passwords, IP allow lists if the product supports them, and turn off features you are not using.
  • Back up worlds in a way that lets you test a restore, even if the platform backs up for you. One offline copy in your control is worth a lot at 2 a.m. when something weird happens. (The exact backup product is described in the panel if you have it; this article does not cover provider-specific settings.)

VPS (cloud servers) you run yourself

  • SSH — prefer keys over passwords, disable root password logins if you know how, and only open ports you need.
  • UFW, firewalld, or a cloud firewall — default deny, then allow 22 (or your SSH port) and 80/443 as needed. Do not leave a database port such as 3306 open to 0.0.0.0/0.
  • Updates — plan at least a regular rhythm for security updates; automatic unattended upgrades are a tradeoff you can choose for small servers, but test them against game stacks first.
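
To check a VPS against the SSH and open-port items above, the following added example (not Expanse's own tooling) reads the effective sshd settings and the list of listening sockets and reports the weak spots. The function names, the allow list "22 80 443", and the sample input are assumptions made for illustration; a port listening on every interface has only the firewall between it and the internet.

```shell
#!/bin/sh
# Added example: audit helpers for the SSH and open-port checklist items.
# Real use (as root):  sshd -T | audit_sshd ;  ss -tln | audit_listeners "22 80 443"

# Reads effective sshd settings in `sshd -T` format (lowercase "keyword value").
audit_sshd() {
    awk '
        $1 == "passwordauthentication" && $2 == "yes" {
            print "WEAK: passwordauthentication is yes; prefer keys"
        }
        $1 == "permitrootlogin" && $2 == "yes" {
            print "WEAK: permitrootlogin is yes; use prohibit-password or no"
        }
    '
}

# Reads `ss -tln` lines and reports listeners bound to every interface
# whose port is not in the space-separated allow list passed as $1.
audit_listeners() {
    awk -v allow="$1" '
        BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        $1 == "LISTEN" {
            port = $4; sub(/.*:/, "", port)       # text after the last colon
            host = $4; sub(/:[^:]*$/, "", host)   # text before the last colon
            if ((host == "0.0.0.0" || host == "[::]" || host == "*") && !(port in ok))
                print "EXPOSED: port " port " listens on " host
        }
    '
}

# Constructed sample input, not captured from a real host.
SAMPLE_SSHD='port 22
permitrootlogin yes
passwordauthentication yes
pubkeyauthentication yes'

SAMPLE_SS='LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 80 0.0.0.0:3306 0.0.0.0:*
LISTEN 0 128 127.0.0.1:6379 0.0.0.0:*
LISTEN 0 511 *:80 *:*
LISTEN 0 128 [::]:22 [::]:*'

printf '%s\n' "$SAMPLE_SSHD" | audit_sshd
printf '%s\n' "$SAMPLE_SS" | audit_listeners "22 80 443"
```

An empty result from both functions means none of these specific weaknesses were found; it does not replace checking the firewall rules themselves.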

If you think you were hacked

  1. Contain the blast radius: change your Expanse sign-in, rotate game and SSH creds, and remove shared logins.
  2. Open a ticket if account access is odd—see Opening a support ticket.
  3. Document what you last changed, not your secrets, so support can help without asking for a password in plain text.