Better WebConsole
Secure real-time web console for Minecraft servers
Better-WebConsole
Secure browser console and admin dashboard for Paper/Purpur/Spigot 1.21.x servers.
Features
Web Console
- Embedded Jetty web server with one built-in web UI.
- Live console log streaming over WebSocket with buffered history for new sessions.
- Console command execution through the server command map, including commands from plugins such as CMI.
- Command history, filtering, log export and clear action in the browser.
- Configurable web aliases through
!alias, including chained aliases with&&. - Audit log for auth events, command execution, player actions and log exports.
Dashboard
- Desktop-focused two-column dashboard layout for server administration.
- Server health: TPS, JVM heap, online players, worlds, loaded chunks, entities and session errors.
- Machine health: host CPU load, Java process CPU load, physical RAM, server disk usage and JVM thread counts.
- Performance history charts for TPS, JVM RAM, online players and host CPU.
- Machine details: CPU model, cores/threads, memory, disk mount, OS, Java runtime, PID and JVM uptime.
- Analytics blocks for log levels, per-world chunks/entities and recent activity.
- Player list with quick kick/ban actions.
Security
- Web users stored in
plugins/Better-WebConsole/users.datwith BCrypt hashes. - HttpOnly + SameSite session cookies, optional Secure cookies for HTTPS reverse proxies.
- CSRF protection for login.
- IP whitelist with CIDR support.
- Login lockout and command rate limit.
- Optional command block list for dangerous console commands.
First Setup
- Put the JAR into the server
plugins/folder. - Start the server once to generate
plugins/Better-WebConsole/config.yml. - Create a web user:
/bwc adduser admin YourStrongPassword123
- Open:
http://your-server-ip:4242
Production recommendation: bind to 127.0.0.1 and expose the panel through Nginx, Caddy, a VPN or a tunnel with HTTPS.
Commands
Main command aliases: /betterwebconsole, /bwc, /webconsole, /bwconsole, /betterconsole.
Permission: betterwebconsole.admin (default: op).
| Command | Description |
|---|---|
/bwc status | Show web server, user, session and config status |
/bwc reload | Reload config values that do not require web server restart |
/bwc adduser <user> <password> | Add a web user |
/bwc removeuser <user> | Remove a web user and invalidate sessions |
/bwc listusers | List web users |
/bwc setpassword <user> <new-password> | Change password and invalidate sessions |
/bwc logoutall <user> | Invalidate active sessions for a user |
Extra command aliases: useradd, createuser, deluser, deleteuser, users, passwd, password, killsessions.
Configuration
The default config is intentionally small and only contains implemented behavior.
web:
port: 4242
bind-address: "0.0.0.0"
log-buffer-size: 1000
security:
session-timeout-minutes: 60
max-login-attempts: 5
lockout-duration-minutes: 15
command-rate-limit-per-minute: 30
ip-whitelist: []
secure-cookies: false
logging:
log-commands: true
log-auth: true
audit-log: true
system-stats:
# Adds host CPU, machine RAM, disk, OS and JVM details to the dashboard.
enabled: true
# OS-level polling interval. Keep this above 2 seconds for production servers.
update-interval-seconds: 5
# Reports disk usage for the Minecraft server folder.
show-disk: true
commands:
blocked: []
aliases:
tps: "tps"
list: "list"
save: "save-all"
day: "time set day"
night: "time set night"
clear-weather: "weather clear"
system-stats can be disabled if the host does not allow OS-level metrics or if you only need Minecraft/JVM data.
Use commands.blocked to prevent risky commands from web access, for example:
commands:
blocked: ["stop", "restart", "op", "deop"]
Use an alias by typing !name in the web console. Aliases can chain up to 10 commands with &&.
/bwc reload updates aliases, logging, system stats settings and command block rules. Restart the Minecraft server after changing web.port, web.bind-address, security.ip-whitelist, session timeout or rate-limit settings.
Security Notes
- Do not expose
0.0.0.0:4242directly to the internet unless firewall/IP whitelist/VPN rules are in place. - Set
secure-cookies: trueonly when users access the panel through HTTPS. - Block or avoid destructive commands such as
stop,restart,op,deop,ban-ipandwhitelist. - Keep aliases short and auditable.
- Keep
commands.blockedempty only when every web user is trusted as a full console administrator. - Treat machine metrics as operational data: expose the panel only to trusted administrators.
