In my own MMORPG project RPGFX.com, I handle this directly on the server side. Client injection is easy to catch, but the more reliable method is monitoring player behavior against server-side conditions.
I check for things like:
Action timing – humans rarely click or move with machine-level precision or consistency. If they keep clicking the exact same spot, it might be a click bot. RuneScape did a great job detecting this for example with their random events.
Pathing patterns – repetitive, perfectly efficient routes or grinding loops stand out compared to natural exploration.
Reaction delays – bots respond instantly to events that normally take a human at least a few hundred milliseconds.
Social behavior – bots often lack meaningful chat, grouping, or trading interactions.
For economy protection, I also analyze transaction networks between accounts to detect gold-farming rings or scripted trade patterns.
So it’s not just one test, but a combination of sufficient conditions (unnatural behavior/social patterns) and necessary conditions (transaction analysis). The server enforces these checks continuously without trusting the client. (If you want to keep up on what I'm doing follow my game's Subreddit thanks!)