Some thoughts
Server side:
Store the games internal state sever side and check the input send by clients on the server.
Autoaim: Create fake sprites which are invisible to normal players, if they get hit too often you have a bot. (will not always work as the bots may be updated to check for invisibility)
check client reaction time to changes on the server, check for too many too fast reactions. (has to accept a large number of fast responses before reacting as a human could react fast and the time has to account for the network delay to catch anything). Give the player some sort of captcha, a regular player would never see it.
Client side:
use obfuscation to make it harder to interface with your code
check for functions defined in the hacks you know about. Has to be modified/updated often as the creators of such hacks can work around those.
Game design: making your game less repetitive this makes it harder to write tools/bots for it.
update the client to change parts of its structure from time to time. While this will not stop bots it will take work to keep them running. Either make it transparent to the user or disguise it with a new feature.
Important: make sure your server interface checks the user input, obfuscation and client side checks wont help against someone writing their own client.
