Plugin Safety

TShock plugins are vetted by staff before approval. However, mistakes can still happen.

What are plugins?

TShock plugins are C# dynamic link libraries (DLLs) that allow arbitrary code execution on your computer or server. Malicious plugins can create arbitrary administrators, wipe your hard disk, or more. While we attempt to vet every plugin, it's important to understand the risks associated with using TShock plugins.

How can I be secure?

Take preventive steps to ensure that you don't accidentally download malware.

  • Prefer TShock's website and resource manager over third-party download sites when downloading plugins.
  • Read the source code that comes with the plugins you download. Look for malicious code. If necessary, decompile shipped plugins, or compile them yourself.
  • Download plugins only from users you trust and developers you know.
  • Run your TShock server in an isolated environment, such as a chroot jail on Linux, with SELinux and an unprivileged user account.
  • Never run your TShock server and mission-critical applications on the same system.
  • Create regular backups of any files on the same computer as TShock, including worlds, databases, and more.
  • Follow the principle of least privilege, and isolate your TShock server as much as possible.
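
Reviewing a plugin only helps if the DLL the server loads is the one you reviewed or built. The script below is an added example, not part of TShock or its documentation: it records a SHA-256 per reviewed DLL and flags anything new, changed, or missing. The manifest format, function names, directory name, and sample files are assumptions constructed for illustration.

```python
import hashlib
import json
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Hash a file in chunks so large DLLs are not read into memory at once."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def audit_plugins(plugin_dir: Path, manifest: dict) -> dict:
    """Compare each DLL in plugin_dir with the hash recorded at review time."""
    # manifest maps file name -> SHA-256 noted when you reviewed or compiled it.
    report = {"ok": [], "unreviewed": [], "modified": [], "missing": []}
    on_disk = {p.name: p for p in sorted(plugin_dir.iterdir())
               if p.suffix.lower() == ".dll"}
    for name, path in on_disk.items():
        if name not in manifest:
            report["unreviewed"].append(name)   # never vetted: do not load
        elif sha256_file(path) != manifest[name].lower():
            report["modified"].append(name)     # changed since it was reviewed
        else:
            report["ok"].append(name)
    report["missing"] = sorted(set(manifest) - set(on_disk))
    return report


def demo() -> dict:
    """Run the audit on constructed sample files (not real plugins)."""
    with tempfile.TemporaryDirectory() as tmp:
        plugins = Path(tmp) / "plugins"          # hypothetical plugin folder
        plugins.mkdir()
        (plugins / "Reviewed.dll").write_bytes(b"constructed sample A")
        (plugins / "Swapped.dll").write_bytes(b"constructed sample B")
        manifest = {n: sha256_file(plugins / n) for n in ("Reviewed.dll", "Swapped.dll")}
        manifest["Removed.dll"] = "0" * 64
        # Simulate a plugin replaced after review and a new, unvetted drop-in.
        (plugins / "Swapped.dll").write_bytes(b"constructed sample B, altered")
        (plugins / "NewDrop.dll").write_bytes(b"constructed sample C")
        return audit_plugins(plugins, manifest)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Run the audit before each server start, and keep the manifest somewhere the server's own account cannot write to, so a malicious plugin cannot update its own entry.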