
Discord Security

Categories: Community & Marketing, Security Specialist

Authored by: matta (The Red Guild | SEAL), zedt3ster (Sigma Prime), Fredrik Svantes (Ethereum Foundation), Auditware

Reviewed by: matta (The Red Guild | SEAL)

Fact-checked by: NFTDreww (PocketUniverseZ)

Summary

🔑 Key Takeaway for Discord: To secure your Discord server, focus on implementing robust access controls and enforcing two-factor authentication for all administrators. Regularly audit roles and permissions, and maintain vigilant moderation. Educate your community about security best practices to prevent unauthorized access and protect against potential threats.

Discord offers a variety of security features that are essential to use. Despite these, users should stay alert to threats like phishing, which can target server moderators. Such threats may appear as QR code scams, fake login screens, or misleading direct messages pretending to be from Discord support.

To enhance the security of your Discord server, take into account these suggestions. They cover important aspects like server settings, roles and permissions, moderation, bots, channels, invites, member screening, logging, and other security measures.


For Individuals

These settings apply to your personal Discord account. All team members, moderators, and admins should configure these on their own accounts.

Account Security Checklist

  • My Account:
    • Ensure 2FA is enabled (authenticator app and/or security key)
    • Ensure SMS Backup Authentication is disabled
  • Privacy & Safety:
    • Allow direct messages from server members > Disabled
    • Select Keep Me Safe for direct messages (encourages moderators and community members to adopt the same setting to minimize phishing DMs)
  • Authorized Apps:
    • Review and Deauthorize any unnecessary apps
  • Devices:
    • Review and remove unnecessary devices, or Log Out All Known Devices
  • Connections:
    • Review and remove any unnecessary connections

For Team Members

These guidelines apply to moderators and team members who help manage the server but don't have full administrative access.

Team members should:

  • Understand the permissions their role grants using Server Settings > Roles > View Server as Role — this allows you to see what members with a certain role can see and access
  • Be aware of the server's AutoMod rules for: Spam, Harmful Links, Mention Spam, Inappropriate Words, and any custom keyword filters and exempted roles

For Admins

These settings and practices apply to server administrators with elevated privileges.

Server Settings Checklist

Safety Setup

  • Safety Setup > Moderation:
    • Require 2FA for moderation > Enabled
    • This ensures all moderators have an extra layer of security
  • Safety Setup > Verification Level:
    • Choose from: None, Low, Medium, High, Highest
    • Set to at least Medium (account registered on Discord for 5+ minutes); Medium is the recommended level for public servers
    • Higher levels protect against spammers and raids
  • Safety Setup > Content Filter:
    • Set to Scan messages from all members
    • This automatically blocks messages containing explicit images in non-age-restricted channels
    • Age-restricted channels are exempt from this filter
  • Safety Setup > Raid Protection and CAPTCHA:
    • Activate all relevant settings to require CAPTCHA for new user actions
    • Activity Alerts > Enabled
    • CAPTCHA suspicious accounts before they are able to join > Enabled
    • CAPTCHA all accounts before they are able to join > Enabled
    • This protection uses machine learning to detect and block bot-driven join-raids. When activated, it sends alerts to a specified channel and requires CAPTCHA verification for new users for one hour after detection.
  • Safety Setup > DM and Spam Protection:
    • Hide DMs from suspicious users > Enabled
    • Filter DMs from unknown users > Enabled
    • Warn members before they visit outbound links > Enabled
    • Hide all messages from and delete suspected spammers > Enabled
  • Safety Setup > Timeout:
    • Set default duration (e.g., 60 minutes)
    • Educate moderators on using timeouts effectively
  • Safety Setup > Permissions:
    • Remove risky permissions from @everyone > Enabled
  • Safety Setup > Membership Screening:
    • Membership Screening > Enabled
    • Set up screening questionnaire (server rules, age verification, etc.)
    • Require members to agree to rules before joining

AutoMod

  • Server Settings > AutoMod:
    • Set up rules for: Spam, Harmful Links, Mention Spam, Inappropriate Words
    • Configure custom keyword filters and exempted roles
    • Customize the response to spam (block message, send alert, timeout member)
    • Add a rule (or extend the existing one) that blocks keywords in member display names that are commonly used to impersonate staff: Support, Bot, Admin, Tech, Helpdesk, etc.
    • Set the Explicit image filter to filter messages from all members

Server Overview

  • Server Settings > Overview:
    • Default Notifications > Mentions Only
    • Reduces potential spam notifications for members, making them more vigilant about suspicious or phishing content

Roles

  • Server Settings > Roles:
    • Review admin role members — high-privilege roles with Administrator permission should have 2-3 members max
    • Review bot role permissions and confirm members list contains only the bot user
    • Review mod role permissions and members list
    • Review user role permissions — watch for: Manage Channels, Manage Roles, Manage Webhooks, Manage Server, Administrator
    • Remove any lingering or overly broad permissions, and any roles with excess or unintended members
    • Check channel-level permission overrides on private channels

Note on Role Permissions: For each role, carefully review the 32 available permissions. Key permissions to restrict: Administrator, Manage Webhooks, Manage Server, Manage Roles, & Manage Channels. Never give Admin or Kick permissions to anyone you don't fully trust.

Administrator should ideally be reserved for a single admin role with minimal members. It is recommended to have no more than 2-3 admins with this privilege in order to reduce risk due to account compromise and insider threats, but to retain some redundancy.

Bots often require Administrator permissions with no flexibility. In these cases, it is recommended to mitigate this risk by monitoring the Discord audit logs frequently or to create alerts on a private channel to notify when admin permissions are exercised within the server.

Permissions can also be set at the channel level. It is important to check your private channels for any permission overrides that may have been set!
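The role review above can be scripted against the role and member objects Discord's REST API returns. The following is an added example, not code from the guide or its authors: it uses the JSON shapes of GET /guilds/{guild.id}/roles and GET /guilds/{guild.id}/members but replaces them with constructed sample data so it runs offline, and it checks three of the points above (roles carrying risky permissions, how many accounts effectively hold Administrator, and humans sitting in a bot's role). The permission bit values are Discord's published permission flags; the admin limit follows the guide's "2-3 admins" recommendation.

```python
"""Role and admin audit over Discord role/member objects (added example).

Not part of the original guide. Reads the JSON shapes returned by Discord's
REST API (GET /guilds/{guild.id}/roles and GET /guilds/{guild.id}/members);
the data below is constructed so the script runs offline. Permission bit
values match Discord's published permission flags.
"""

# Discord permission flags (bit positions from the public API documentation).
KICK_MEMBERS    = 1 << 1
BAN_MEMBERS     = 1 << 2
ADMINISTRATOR   = 1 << 3
MANAGE_CHANNELS = 1 << 4
MANAGE_GUILD    = 1 << 5    # shown as "Manage Server" in the client
VIEW_CHANNEL    = 1 << 10
SEND_MESSAGES   = 1 << 11
MANAGE_ROLES    = 1 << 28
MANAGE_WEBHOOKS = 1 << 29

# The permissions the guide says to restrict, keyed by bit, with client names.
RISKY = {
    ADMINISTRATOR:   "Administrator",
    MANAGE_WEBHOOKS: "Manage Webhooks",
    MANAGE_GUILD:    "Manage Server",
    MANAGE_ROLES:    "Manage Roles",
    MANAGE_CHANNELS: "Manage Channels",
}
MAX_ADMINS = 3   # the guide's "no more than 2-3 admins"

# Constructed sample data (fake ids). "managed": True marks a bot-owned role.
ROLES = [
    {"id": "1", "name": "@everyone", "permissions": str(VIEW_CHANNEL | SEND_MESSAGES)},
    {"id": "2", "name": "Cold Admin", "permissions": str(ADMINISTRATOR)},
    {"id": "3", "name": "Moderator",  "permissions": str(MANAGE_CHANNELS | MANAGE_ROLES | BAN_MEMBERS)},
    {"id": "4", "name": "MusicBot",   "permissions": str(ADMINISTRATOR), "managed": True},
    {"id": "5", "name": "Verified",   "permissions": str(VIEW_CHANNEL | MANAGE_WEBHOOKS)},  # lingering risky permission
]
MEMBERS = [
    {"user": {"username": "alice",    "bot": False}, "roles": ["2"]},
    {"user": {"username": "bob",      "bot": False}, "roles": ["2", "3"]},
    {"user": {"username": "carol",    "bot": False}, "roles": ["2"]},
    {"user": {"username": "dave",     "bot": False}, "roles": ["2"]},
    {"user": {"username": "musicbot", "bot": True},  "roles": ["4"]},
    {"user": {"username": "eve",      "bot": False}, "roles": ["4", "5"]},  # human sitting in the bot's role
]


def risky_permissions(role):
    """Client names of the risky permissions a role grants.
    Administrator implies everything else, so it is reported on its own."""
    bits = int(role["permissions"])          # the API serializes the bitfield as a string
    if bits & ADMINISTRATOR:
        return ["Administrator"]
    return [name for bit, name in RISKY.items() if bits & bit]


def audit_roles(roles):
    """Map role name -> risky permissions, for roles that grant any."""
    findings = {r["name"]: risky_permissions(r) for r in roles}
    return {name: perms for name, perms in findings.items() if perms}


def effective_permissions(member, roles_by_id):
    """Guild-level permissions = @everyone OR every role the member holds.
    Channel-level overrides, which the guide also says to check, are not modelled here."""
    everyone = next(r for r in roles_by_id.values() if r["name"] == "@everyone")
    bits = int(everyone["permissions"])
    for role_id in member["roles"]:
        bits |= int(roles_by_id[role_id]["permissions"])
    return bits


def audit_admins(roles, members, max_admins=MAX_ADMINS):
    """Who effectively holds Administrator, split into humans and bots."""
    roles_by_id = {r["id"]: r for r in roles}
    humans, bots = [], []
    for m in members:
        if effective_permissions(m, roles_by_id) & ADMINISTRATOR:
            (bots if m["user"]["bot"] else humans).append(m["user"]["username"])
    return {"humans": humans, "bots": bots, "over_limit": len(humans) > max_admins}


def audit_bot_roles(roles, members):
    """Humans holding a bot-managed role; the guide says such roles should contain only the bot."""
    managed = {r["id"]: r["name"] for r in roles if r.get("managed")}
    return [(managed[rid], m["user"]["username"])
            for m in members if not m["user"]["bot"]
            for rid in m["roles"] if rid in managed]


if __name__ == "__main__":
    for name, perms in audit_roles(ROLES).items():
        print(f"role {name!r} grants: {', '.join(perms)}")
    admins = audit_admins(ROLES, MEMBERS)
    print(f"human admins: {admins['humans']} (over limit: {admins['over_limit']}); bot admins: {admins['bots']}")
    for role_name, user in audit_bot_roles(ROLES, MEMBERS):
        print(f"non-bot user {user!r} holds bot role {role_name!r}")
```

Two details of the sample matter in practice: the bot role with Administrator makes every human who has been dropped into it an administrator too, which is why the admin count is computed from effective permissions rather than from the "Cold Admin" role alone, and the "Verified" role's leftover Manage Webhooks is exactly the kind of lingering permission the review is meant to catch.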

Integrations

  • Server Settings > Integrations:
    • Review each bot's permissions and remove unnecessary permissions
    • Remove any unnecessary integrations & reevaluate necessity of integrations with excessive permissions
    • Remove permissions for bots that ask for Admin or other permissions that aren't needed — use least privilege with permissions at the role level and channel level
    • Uninstall any bots that aren't actively used or needed
    • Confirm all bots and apps are Verified
    • Restrict command permissions of integrations where possible (Manage > Roles & Members / Channels / Command Overrides)
    • Allow new integrations to be added by > Only Administrators (to prevent unauthorized bot additions)
  • Server Settings > Integrations > Webhooks:
    • Review and remove any unnecessary webhooks
    • Reevaluate necessity of webhooks with excessive permissions

Note on Integration Security: Integrations and webhooks add 3rd party risk and permission misconfiguration risk. Ensure that permissions are correct, and either remove external integrations or understand the risk they present.

Invites

  • Server Settings > Invites:
    • Un-check "Allow anyone with administrative permissions to create invites"
    • Review and delete unnecessary or old invites regularly

Privacy Settings

  • Server Settings > Privacy Settings:
    • Disable "Allow direct messages from server members"

Community Features

  • Server Settings > Community:
    • Enable the Community Feature
    • Unlocks tools like membership screening, server insights, welcome screen, and discovery settings. Helps maintain a structured, secure environment by surfacing official rules and critical info to newcomers.
  • Server Settings > Server Insights:
    • Enable Server Insights for detailed analytics
    • Use this data to inform moderation strategies and server improvements

Note on Safety Features:

  • Activity alerts notify on anomalous DM activity, which could indicate your community is being targeted by scammers or social engineering attackers.
  • Raid Protection and CAPTCHA can also be satisfied by a bot, if preferred over Discord's built-in functionality.
  • Hiding/filtering DMs between server members is recommended to prevent scams, spam, and social engineering of your users.
  • In the event of a security incident, Discord provides Security Actions for pausing invites and DMs to allow you to protect your community while responding to ongoing threats.

Role Hierarchy Setup

Roles should be structured with higher-privilege roles at the top. Go to Server Settings > Roles, create roles like Cold Admin, Team, Moderator, & Verified, and drag to reorder (higher roles override lower roles):

  1. Cold Admin (highest)
  2. Team
  3. Moderator
  4. Verified (lowest)

Recommended permissions by role:

Role       | Recommended Permissions
Moderators | Manage Channels, Manage Roles, Manage Messages, Ban Members, Delete Messages
Members    | View Channels, View Audit Logs, Create Invite, Manage Messages, Read Message History, Connect, Speak, Use Voice Activity, Ban/Kick/Timeout

Use Server Settings > Roles > [Role] > View Server as Role to see what members with a certain role can see and access.


Channel Management

Organization:

  • Use categories to group related channels
  • Suggested categories: Information, General, Voice Channels, Topic-Specific

Per-Channel Settings (Right-click channel > Edit Channel > Permissions):

  • Set custom permissions for roles or members in specific channels

Channel Settings > Overview:

  • Slow Mode: Set an appropriate cooldown (e.g., 5-30 seconds) for busy channels
  • Age-Restricted Channel: Enable for channels with mature content

Member Screening Setup

Beyond enabling in Safety Setup:

  • Require users to react to a message or post an introduction — this helps filter out bots and spam accounts from joining
  • Implement a verification bot like Wick
  • Require users to complete an in-channel captcha before accessing the server
  • Advanced settings: Have the verification bot filter on account age and whether a profile picture is set, and time out members who do not complete the captcha

Invite Best Practices

When creating invites:

  • Set "Expire After" (recommended: 24 hours)
  • Set "Max Number of Uses" (recommended: 50-100)
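The invite review can be automated over the invite objects Discord's REST API returns. The following is an added example, not code from the guide: it reads invites shaped like the GET /guilds/{guild.id}/invites response and flags those that miss the expiry and use limits recommended above. The one API detail worth knowing is that `max_age` of 0 means the invite never expires and `max_uses` of 0 means unlimited uses, so a naive "below the limit" comparison would pass the riskiest invites. The invites, the clock, the 30-day staleness threshold and the trusted-inviter list are all constructed assumptions for the example.

```python
"""Invite hygiene check (added example, not part of the original guide).

Reads invite objects shaped like Discord's GET /guilds/{guild.id}/invites
response. In that API, max_age == 0 means the invite never expires and
max_uses == 0 means unlimited uses; this script treats 0 as a finding.
The invites, the clock and the trusted-inviter list are constructed.
"""
from datetime import datetime, timezone

MAX_AGE_SECONDS = 24 * 60 * 60   # guide: "Expire After" 24 hours
MAX_USES = 100                   # guide: "Max Number of Uses" 50-100
STALE_DAYS = 30                  # assumption: review anything older than a month
TRUSTED_INVITERS = {"alice", "bob"}   # assumption: accounts allowed to create invites

NOW = datetime(2025, 1, 15, 12, 0, tzinfo=timezone.utc)   # constructed clock
INVITES = [  # constructed sample invites
    {"code": "abc123", "inviter": {"username": "alice"}, "max_age": 86400, "max_uses": 50,
     "uses": 3, "created_at": "2025-01-15T01:00:00+00:00"},
    {"code": "perm0001", "inviter": {"username": "bob"}, "max_age": 0, "max_uses": 0,
     "uses": 412, "created_at": "2024-03-02T10:00:00+00:00"},
    {"code": "wide7", "inviter": {"username": "carol"}, "max_age": 604800, "max_uses": 500,
     "uses": 0, "created_at": "2025-01-14T12:00:00+00:00"},
]


def parse_timestamp(value):
    """Discord returns ISO 8601; normalise a trailing 'Z' for fromisoformat."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def check_invite(invite, now=NOW, trusted=TRUSTED_INVITERS):
    """Return the list of policy issues for one invite (empty if it is fine)."""
    issues = []
    if invite["max_age"] == 0:                   # 0 is "never", not "short"
        issues.append("never expires")
    elif invite["max_age"] > MAX_AGE_SECONDS:
        issues.append("expires after more than 24 hours")
    if invite["max_uses"] == 0:                  # 0 is "unlimited"
        issues.append("unlimited uses")
    elif invite["max_uses"] > MAX_USES:
        issues.append("more than 100 uses allowed")
    if (now - parse_timestamp(invite["created_at"])).days > STALE_DAYS:
        issues.append("older than 30 days")
    inviter = invite.get("inviter", {}).get("username")   # inviter is optional in the API
    if inviter not in trusted:
        issues.append(f"created by untrusted account {inviter!r}")
    return issues


def audit_invites(invites, now=NOW, trusted=TRUSTED_INVITERS):
    """Map invite code -> issues, for invites that have any."""
    report = {}
    for inv in invites:
        issues = check_invite(inv, now, trusted)
        if issues:
            report[inv["code"]] = issues
    return report


if __name__ == "__main__":
    for code, issues in audit_invites(INVITES).items():
        print(f"invite {code}: " + "; ".join(issues))
```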

Logging Setup

  • Ensure admin/mod roles have "View Audit Log" permission
  • Create a private logging channel visible only to admins/mods
  • Use a logging bot like Logger or Dyno to send detailed logs
  • Audit logs can be output to a private channel for easier monitoring

Security Bots

Various third-party Discord bots offer valuable security and protection features, facilitating automated moderation for your server. In the sections below, we'll explore different categories of security bots and highlight popular options for each category.

Anti-Impersonation Bots

Set up custom rules to prevent other users from joining using the same username and PFP (profile picture) to impersonate you or other important members of the server. A popular bot in this category is Wick Bot.

Anti-Raid Bots

To prevent spam bots from joining your server all at once, an attack known as raiding, you can also set up bots with particular rules. Beemo is a good example of a bot in this category.

Anti-Nuke Bots

These bots monitor and record changes (spontaneous or planned) that take place in your Discord server. Key observation markers are channel and role creation/deletion, banning or kicking members, and webhook creation/deletion.
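What an anti-nuke bot does with those observation markers can be shown directly on Discord audit-log data. The following is an added example, not code from the guide or from any of the bots it names: it reads entries shaped like the `audit_log_entries` array of GET /guilds/{guild.id}/audit-logs, recovers each entry's time from its snowflake id (the audit log has no separate timestamp field), and raises an alert when one actor performs a burst of destructive actions inside a short window. The action-type codes are Discord's published values; the entries, user ids and the 5-actions-in-60-seconds threshold are constructed for the example.

```python
"""Burst detection over Discord audit-log entries (added example, not part of the guide).

Reads entries shaped like Discord's GET /guilds/{guild.id}/audit-logs response
(audit_log_entries). Action type codes are Discord's published values; entry
timestamps are recovered from the snowflake id. Entries, ids and user ids
below are constructed so the script runs offline.
"""
from datetime import datetime, timezone

DISCORD_EPOCH_MS = 1_420_070_400_000   # 2015-01-01T00:00:00Z, per Discord's snowflake docs

# Audit log action types the guide calls out as "key observation markers".
CHANNEL_CREATE, CHANNEL_DELETE = 10, 12
MEMBER_KICK, MEMBER_BAN_ADD = 20, 22
ROLE_CREATE, ROLE_DELETE = 30, 32
WEBHOOK_CREATE, WEBHOOK_DELETE = 50, 52
WATCHED = {CHANNEL_CREATE, CHANNEL_DELETE, MEMBER_KICK, MEMBER_BAN_ADD,
           ROLE_CREATE, ROLE_DELETE, WEBHOOK_CREATE, WEBHOOK_DELETE}
CHANNEL_UPDATE = 11   # routine; deliberately not watched


def snowflake_to_ms(snowflake):
    """Snowflake layout: the top 42 bits are milliseconds since the Discord epoch."""
    return (int(snowflake) >> 22) + DISCORD_EPOCH_MS


def make_snowflake(ms):
    """Inverse of snowflake_to_ms; used only to construct sample ids (worker/sequence bits zero)."""
    return (ms - DISCORD_EPOCH_MS) << 22


BASE_MS = 1_700_000_000_000   # constructed reference time
AUDIT_LOG = (
    # u9 deletes eight channels in under twenty seconds: the "nuke" pattern
    [{"id": str(make_snowflake(BASE_MS + i * 2500)), "user_id": "u9",
      "action_type": CHANNEL_DELETE, "target_id": f"chan{i}"} for i in range(8)]
    + [  # u2 is a moderator doing routine work spread over hours
        {"id": str(make_snowflake(BASE_MS - 3_600_000)), "user_id": "u2",
         "action_type": MEMBER_KICK, "target_id": "u77", "reason": "spam"},
        {"id": str(make_snowflake(BASE_MS + 1_800_000)), "user_id": "u2",
         "action_type": CHANNEL_CREATE, "target_id": "chan9"},
        {"id": str(make_snowflake(BASE_MS + 1_900_000)), "user_id": "u2",
         "action_type": CHANNEL_UPDATE, "target_id": "chan9"},
    ]
)


def detect_bursts(entries, window_seconds=60, threshold=5):
    """Flag actors with >= threshold watched actions inside any window_seconds span."""
    by_actor = {}
    for e in entries:
        if e["action_type"] in WATCHED:
            by_actor.setdefault(e["user_id"], []).append(snowflake_to_ms(e["id"]))
    findings = []
    window_ms = window_seconds * 1000
    for user_id, times in by_actor.items():
        times.sort()                     # the API returns newest first
        start, best, span = 0, 0, (None, None)
        for end in range(len(times)):
            while times[end] - times[start] > window_ms:   # slide the window forward
                start += 1
            if end - start + 1 > best:
                best, span = end - start + 1, (times[start], times[end])
        if best >= threshold:
            findings.append({"user_id": user_id, "count": best,
                             "window_start_ms": span[0], "window_end_ms": span[1]})
    return findings


def describe(finding):
    """Human-readable alert line, with UTC timestamps, for a private alerts channel."""
    def fmt(ms):
        return datetime.fromtimestamp(ms / 1000, tz=timezone.utc).isoformat()
    return (f"user {finding['user_id']}: {finding['count']} destructive actions between "
            f"{fmt(finding['window_start_ms'])} and {fmt(finding['window_end_ms'])}")


if __name__ == "__main__":
    for f in detect_bursts(AUDIT_LOG):
        print("ALERT:", describe(f))
```

In a live deployment the same function would run over the audit-log entries delivered to the bot, and the alert would be posted to the private logging channel described under Logging Setup; the threshold is a tuning knob, since a legitimate server restructure can look like a nuke and is best handled by a trusted actor allow-list rather than a higher threshold.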

Moderation & Link Whitelisting Bots

These bots only allow approved links to be posted in the Discord server. A popular bot in this category is Goodknight Bot.

General Moderation Bots

Consider bots like Dyno for advanced moderation and logging, or Carl-bot for reaction roles and custom commands. Set up the security bots described above.

The bots above are not all-inclusive but rather a recommended list of bots to help protect your Discord server in these categories.


Establish Clear Server Rules

  • Create a #rules channel
  • Use Discord's built-in rules screening feature
  • Include sections on: Behavior, Content, Moderation Actions, Appeals Process

Regular Reviews

Frequency   | Action
Monthly     | Review all role permissions; use a spreadsheet to track changes and justifications
Quarterly   | Assess if server rules need updating; announce any changes in a dedicated announcements channel
Bi-annually | Delete or archive inactive channels; remove roles that are no longer needed

Also regularly:

  • Ensure bots are from reputable sources and receive frequent updates
  • Review bot permissions after each significant update to avoid newly introduced vulnerabilities
  • Keep track of newly introduced features such as Threads, Scheduled Events, or Stage Channels and configure their permissions carefully (e.g., who can start or join a Thread) to prevent abuse by spammers or scammers

Cold Admin Accounts

A "Cold" Admin Account provides an extra layer of security for the server owner and is highly resistant to phishing.

Setup:

  • Create a new account on a separate device never used for chatting or clicking links
  • Create a new email account for the cold account
  • Factory reset the device used for this account

Security:

  • In User Settings > Privacy & Safety, deselect any quick login or QR scan options; this prevents attackers from using QR phishing tactics to hijack this high-privilege account

Usage:

  • Use only for: managing bots, modifying server settings, responding to compromises
  • Never use this account for regular server activities

Backup Systems

  • Use a bot like ServerBackup to regularly backup your server configuration
  • Store backups securely off-platform

Additional Recommendations

  • Set up account leveling for new members so that permissions are enabled gradually
  • Regularly review server audit logs for admin and mod actions
  • Use anti-raid bots like Wick or Dyno and configure automatic lock-down settings for suspicious activity
  • Regularly review Server Settings > Integrations for newly added apps or link shorteners; disable suspicious integrations or automate link scanning with a bot that checks URLs against known phishing databases

Important: Discord servers should not be used for any confidential communication (i.e., any admin discussions beyond the scope of server moderation) — even restricted channels and DMs are not end-to-end encrypted.


Stay Updated

  • Consult the official Discord Moderator Academy for ongoing best practices and new features
  • Implement recommended strategies (e.g., improved spam filters, updated role recommendations)

Additional Resources