I’ve said before they need to make the game server-authoritative (client only sends key presses and nothing else, that way most forms of hacking are impossible), but if they DON’T do this, there are other things they can do (not nearly as good, and probably still vulnerable, but would help a little):
Limit horizontal movement speed - Check the player’s horizontal ( in the X and Z directions, ignoring all vertical motion) speed. If it goes above some threshold, warn the player that they have been flagged as “speedhacking”. If it happens twice more, the player is temporarily banned.
Limit upwards movement - If the player is moving upwards, check their speed (we ignore the player moving downwards because if they fall from a tall building they could be moving quite fast by the time they hit ground) and if it’s higher than some threshold, warn the player that they have been flagged as “super jumping”. If it happens twice more, the player is temporarily banned.
Sanity check damage - If a player shoots another player, the server performs a sanity check to see if it’s even possible (make sure there’s no obstacles between them). It would also ensure that the damage value is the correct value for the gun the player is wielding. It’s possible for the sanity check to fail in the case of lag, so it shouldn’t warn or ban the player.
Enforce health - The server should be totally in charge of health and damage. If a player dies, the server needs to make sure all of the player’s commands are ignored in case they attempt invincibility cheats.
Sanity check movement - The server should check the player’s movement to ensure the player doesn’t walk through walls. Perhaps check and make sure there aren’t any obstacles between the last and current position. If there is an obstacle, warn the player that they have been flagged as “wallhacking”. If it happens twice more, temporarily ban the player.
These would need to be highly tuned to make sure they NEVER warn or ban a player who isn’t hacking - but still catch most if not all cases of hacking.
Additionally this wouldn’t solve lag-stepping, since there’s really no way to detect whether a person is intentionally disconnecting their internet, or if it’s simply a case of shoddy internet.