- Not that this prevents it, but first it's important to host the game and the web separately.
- The sourcer you can protect using it only when compiling (when finished, save it on your computer and delete from server).
- Grep -r "readfile" on your web to check if you have this malicious code (it + $_request you could end up hurting yourself).
- Never invite anyone you don't trust to use anyDesk or TeamView, as it can copy files without your noticing
- Sprites you can't protect 100%, there is encryptions but some guys know how to decrypt it
- As I know, map you can't protect yet (there is few types of map track)
Good list.
A couple points worth mentioning about map tracking I think is that:
1) It doesn't track spawns perfectly, and of course it requires a player to actually play the game to be able to explore the entire map manually, taking a lot of time and effort (and map tracking won't give you access to npcs, monsters, map scripts, map zones (at least with older versions), etc) and
2) If the server uses OTClient and blocks Cipclient I assume the injection can, if not be 100% blocked, at least be tampered with and make it hard to get the tracker working, assuming it's compatible with OTClient in the first place.
And there's a similar situation with OTClient encryption, you can't protect against theft 100%, but you can make it harder to get to and tamper with modules. Sprites I think is probably the hardest to protect though. I imagine one of the best and simplest defenses against theft of sprites is splitting the file into tiny segments upon loading it in memory and only putting it back together on a per-request basis. This should at least defend successfully against simple memd attacks, especially if the segmentation process is randomized.