Discord Security
Summary
🔑 Key Takeaway for Discord: To secure your Discord server, focus on implementing robust access controls and enforcing two-factor authentication for all administrators. Regularly audit roles and permissions, and maintain vigilant moderation. Educate your community about security best practices to prevent unauthorized access and protect against potential threats.
Discord offers a variety of security features that are essential to use. Despite these, users should stay alert to threats like phishing, which can target server moderators. Such threats may appear as QR code scams, fake login screens, or misleading direct messages pretending to be from Discord support.
To enhance the security of your Discord server, take into account these suggestions. They cover important aspects like server settings, roles and permissions, moderation, bots, channels, invites, member screening, logging, and other security measures.
For Individuals
These settings apply to your personal Discord account. All team members, moderators, and admins should configure these on their own accounts.
Account Security Checklist
- User Settings > My Account: Ensure 2FA is enabled (authenticator app and/or security key); remove any phone number added to your account; after 2FA is set up, select View Backup Codes and note down your backup codes offline
- User Settings > My Account: Ensure SMS Backup Authentication is disabled
- User Settings > Content & Social > Social Permissions: Allow DMs from other server members > Disabled
- User Settings > Content & Social > Direct Message Spam: Select Filter all to filter all DMs for spam (encourage moderators and community members to adopt the same setting to minimize phishing DMs)
- User Settings > Authorized Apps: Review and Deauthorize any unnecessary apps
- User Settings > Devices: Review and remove unnecessary devices, or Log Out All Known Devices
- User Settings > Connections: Review and remove any unnecessary connections
For Team Members
These guidelines apply to moderators and team members who help manage the server but don't have full administrative access.
Team members should:
- Understand the permissions their role grants using Server Settings > Roles > View Server as Role — this allows you to see what members with a certain role can see and access
- Be aware of the server's AutoMod rules for: Spam, Harmful Links, Mention Spam, Inappropriate Words, and any custom keyword filters and exempted roles
For Admins
These settings and practices apply to server administrators with elevated privileges.
Server Settings Checklist
Safety Setup
- Safety Setup > Moderation:
  - Require 2FA for moderation > Enabled
    - This ensures all moderators have an extra layer of security
- Safety Setup > Verification Level:
  - Choose from: None, Low, Medium, High, Highest
  - Set to at least Medium (registered on Discord for 5+ minutes) — Recommended: "Moderate" for public servers
  - Higher levels protect against spammers and raids
- Safety Setup > Raid Protection and CAPTCHA:
  - Activate all relevant settings to require CAPTCHA for new user actions
    - Activity Alerts > Enabled
    - CAPTCHA suspicious accounts before they are able to join > Enabled
    - CAPTCHA all accounts before they are able to join during a suspected raid > Enabled
  - This protection uses machine learning to detect and block bot-driven join raids. When activated, it sends alerts to a specified channel and requires CAPTCHA verification for new users for one hour after detection.
- Safety Setup > DM and Spam Protection:
  - Hide DMs from suspicious users > Enabled
  - Filter DMs from unknown users > Enabled
  - Warn members before they visit outbound links > Enabled
  - Hide all messages from and delete suspected spammers > Enabled
AutoMod
- Server Settings > Safety Setup > AutoMod:
  - Set up rules for: Spam, Harmful Links, Mention Spam, Inappropriate Words
  - Configure custom keyword filters and exempted roles
  - Customize the response to spam (block message, send alert, timeout member)
  - Add to the existing AutoMod rule to block keywords in a user's name: Support, Bot, Admin, Tech, Helpdesk, etc.
  - Create a private channel that only mods, team, and admins can see, and set each AutoMod rule to send its logs to that channel for review
Server Overview
- Server Settings > Engagement > Default Notification Settings: Select Only @mentions
  - Reduces potential spam notifications for members, making them more vigilant about suspicious or phishing content
Roles
- Server Settings > Roles:
  - Review admin role members — high-privilege roles with Administrator permission should have 2-3 members max
  - Review bot role permissions and confirm the members list contains only the bot user
  - Review mod role permissions and members list
  - Review user role permissions — watch for: Manage Channels, Manage Roles, Manage Webhooks, Manage Server, Administrator
  - Remove any lingering or overly broad permissions, and any roles with excess or unintended members
  - Check channel-level permission overrides on private channels
Note on Role Permissions: For each role, carefully review the 32 available permissions. Key permissions to restrict: Administrator, Manage Webhooks, Manage Server, Manage Roles, and Manage Channels. Never give Administrator or Kick Members permissions to anyone you don't fully trust.
Administrator should ideally be reserved for a single admin role with minimal members. Limit this privilege to no more than 2-3 admins, which reduces the impact of account compromise and insider threats while retaining some redundancy.
Few bots actually need Administrator. Review what permissions a bot actually needs and do not default to Administrator just because its developers request it as the easy option. If a bot does require Administrator, mitigate the risk by reviewing the Discord audit log frequently, or create alerts in a private channel that notify when admin permissions are exercised within the server.
Permissions can also be set at the channel level, so check your private channels for any permission overrides that may have been set.
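As an added example that is not part of this guide, the script below automates the role review above: it decodes the permission bitfield that Discord's API returns for each role, flags the sensitive permissions named in the note, counts holders of Administrator against the 2-3 member recommendation, and checks that integration-owned (`managed`) bot roles contain only the bot. The role and member data is constructed; in practice it would come from a server export or a bot with read access.

```python
"""Audit Discord roles for over-privileged assignments (added example)."""

# Bit positions from Discord's documented permission bitfield; these
# are the permissions the guide singles out for restriction.
SENSITIVE = {
    "KICK_MEMBERS": 1, "BAN_MEMBERS": 2, "ADMINISTRATOR": 3,
    "MANAGE_CHANNELS": 4, "MANAGE_GUILD": 5, "MANAGE_ROLES": 28,
    "MANAGE_WEBHOOKS": 29,
}
MAX_ADMINS = 3  # the guide recommends 2-3 members on Administrator roles


def sensitive_perms(bitfield):
    """Names of sensitive permissions set in a decimal-string bitfield."""
    bits = int(bitfield)
    return sorted(n for n, pos in SENSITIVE.items() if bits >> pos & 1)


def audit_roles(roles, members):
    """Return (role name, issue) pairs that an admin should review."""
    findings = []
    for role in roles:
        holders = [m for m in members if role["id"] in m["roles"]]
        perms = sensitive_perms(role["permissions"])
        if perms:
            findings.append((role["name"], "grants " + ", ".join(perms)))
        if "ADMINISTRATOR" in perms and len(holders) > MAX_ADMINS:
            findings.append((role["name"],
                             f"{len(holders)} members hold Administrator (max {MAX_ADMINS})"))
        # "managed" marks an integration-owned role; only the bot itself should hold it
        humans = [m["id"] for m in holders if role.get("managed") and not m.get("bot")]
        if humans:
            findings.append((role["name"], "non-bot members in bot role: " + ", ".join(humans)))
    return findings


# Constructed sample data in the shape of Discord API role and member objects.
SAMPLE_ROLES = [
    {"id": "100", "name": "@everyone", "permissions": "3072", "managed": False},   # VIEW_CHANNEL | SEND_MESSAGES
    {"id": "101", "name": "Admin", "permissions": "8", "managed": False},          # ADMINISTRATOR
    {"id": "102", "name": "MusicBot", "permissions": "8", "managed": True},        # bot granted ADMINISTRATOR
    {"id": "103", "name": "Member", "permissions": "536873984", "managed": False}, # 3072 | MANAGE_WEBHOOKS
]
SAMPLE_MEMBERS = [
    {"id": "u1", "bot": False, "roles": ["101"]}, {"id": "u2", "bot": False, "roles": ["101"]},
    {"id": "u3", "bot": False, "roles": ["101"]}, {"id": "u4", "bot": False, "roles": ["101", "102"]},
    {"id": "b1", "bot": True, "roles": ["102"]}, {"id": "u5", "bot": False, "roles": ["103"]},
]

if __name__ == "__main__":
    for name, issue in audit_roles(SAMPLE_ROLES, SAMPLE_MEMBERS):
        print(f"[{name}] {issue}")
```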
Integrations
- Server Settings > Integrations:
  - Review each bot's permissions and remove unnecessary permissions
  - Remove any unnecessary integrations and reevaluate the necessity of integrations with excessive permissions
- Server Settings > Integrations > Manage Bot/App > Roles & Members / Channels:
  - Remove permissions for bots that ask for Admin or other permissions that aren't needed — use least privilege with permissions at the role level and channel level
  - Uninstall any bots that aren't actively used or needed
  - Confirm all bots and apps are Verified
  - Restrict command permissions of integrations where possible (Manage > Roles & Members / Channels / Command Overrides)
- Server Settings > Integrations > Webhooks:
  - Review and remove any unnecessary webhooks
  - Reevaluate the necessity of webhooks with excessive permissions
Note on Integration Security: Integrations and webhooks add third-party risk and permission misconfiguration risk. Ensure that permissions are correct, and either remove external integrations or understand the risk they present.
Invites
- Server Settings > Invites:
  - Review and delete unnecessary or old invites regularly
Privacy Settings
- Server Settings > Privacy Settings:
  - Disable Direct Messages — this prevents users from DMing other members in this server
Community Features
- Server Settings > Community:
  - Enable the Community Feature
    - Unlocks tools like membership screening, server insights, welcome screen, and discovery settings. Helps maintain a structured, secure environment by surfacing official rules and critical info to newcomers.
- Server Settings > Server Insights:
  - Enable Server Insights for detailed analytics
  - Use this data to inform moderation strategies and server improvements
Note on Safety Features:
- Activity alerts notify on anomalous DM activity, which could indicate your community is being targeted by scammers or social engineering attackers.
- Raid Protection and CAPTCHA can also be satisfied by a bot, if preferred over Discord's built-in functionality.
- Hiding/filtering DMs between server members is recommended to prevent scams, spam, and social engineering of your users.
- In the event of a security incident, Discord provides Security Actions for pausing invites and DMs to allow you to protect your community while responding to ongoing threats.
Role Hierarchy Setup
Roles should be structured with higher-privilege roles at the top. Go to Server Settings > Roles, create roles such as Cold Admin, Team, Moderator, and Verified, and drag to reorder them (higher roles override lower roles):
- Cold Admin (highest)
- Team
- Moderator
- Verified (lowest)
| Role | Recommended Permissions |
|---|---|
| Moderators | View Channels, View Audit Log, View Server Insights, Kick Members, Ban Members, Timeout Members, Send Messages and Create Posts, Embed Links, Attach Files, Add Reactions, Add External Emoji, Use External Stickers, Manage Messages, Bypass Slowmode, Read Message History, Request to Speak |
| Members | View Channels, Send Messages and Create Posts, Embed Links, Add Reactions, Read Message History, Request to Speak |
Use Server Settings > Roles > [Role] > View Server as Role to see what members with a certain role can see and access.
Channel Management
Organization:
- Use categories to group related channels
- Suggested categories: Information, General, Voice Channels, Topic-Specific
Per-Channel Settings (Right-click channel > Edit Channel > Permissions):
- Set custom permissions for roles or members in specific channels
- Slow Mode: Set appropriate cooldown (e.g., 5-30 seconds) for busy channels
- Age-Restricted Channel: Enable for channels with mature content
Member Screening Setup
Beyond enabling in Safety Setup:
- Implement a verification bot like Wick that does in-channel captcha for users to join the server
- Require users to complete an in-channel captcha before accessing the server
- Advanced settings: Have the verification bot filter on account age and whether a profile picture (PFP) is set, and time out users who do not complete the captcha
Invite Best Practices
When creating invites:
- Set "Expire After" (recommended: 24 hours)
- Set "Max Number of Uses" (recommended: 50-100)
Logging Setup
- Ensure admin/mod roles have "View Audit Log" permission
- Create a private logging channel visible only to admins/mods
- Use a logging bot like Logger or Dyno to send detailed logs
- Configure audit log output to a private channel for easier monitoring
Security Bots
Various third-party Discord bots offer valuable security and protection features, facilitating automated moderation for your server. In the sections below, we'll explore different categories of security bots and highlight popular options for each category.
Anti-Impersonation Bots
Set up custom rules to prevent other users from joining with the same username and PFP (profile picture) to impersonate you or other important members of the server. A popular bot in this category is Hashbot.
Anti-Raid Bots
To prevent spam bots from joining your server all at once, an attack known as raiding, you can also set up bots with particular rules. Beemo is a good example of a bot in this category.
Anti-Nuke Bots
These provide a monitoring system that observes and records any changes (spontaneous or planned) that take place in your Discord server. Key observation markers are channel and role creation/deletion, banning or kicking members, and webhook creation/deletion.
Moderation & Link Whitelisting Bots
These only allow approved links to be used in the Discord server. A popular bot in this category is Goodknight Bot.
General Moderation Bots
Consider bots like Dyno for advanced moderation and logging, or Carl-bot for reaction roles and custom commands. Set up security bots as described above.
The bots above are not all-inclusive but rather a recommended list of bots to help protect your Discord server in these categories.
Establish Clear Server Rules
- Create a #rules channel
- Use Discord's built-in rules screening feature
- Include sections on: Behavior, Content, Moderation Actions, Appeals Process
Regular Reviews
| Frequency | Action |
|---|---|
| Monthly | Review all role permissions; use a spreadsheet to track changes and justifications |
| Quarterly | Assess if server rules need updating; announce any changes in a dedicated announcements channel |
| Bi-annually | Delete or archive inactive channels; remove roles that are no longer needed |
Also regularly:
- Ensure bots are from reputable sources and receive frequent updates
- Review bot permissions after each significant update to avoid newly introduced vulnerabilities
- Keep track of newly introduced features such as Threads, Scheduled Events, or Stage Channels and configure their permissions carefully (e.g., who can start or join a Thread) to prevent abuse by spammers or scammers
Cold Admin Accounts
A Cold Admin account provides enhanced security because it serves exclusively as the server owner and is not used for everyday activities. If a regular admin account is compromised, attackers gain full access to the server or account, making it challenging to involve support and potentially requiring days or weeks to resolve the issue. Using a Cold Admin means creating a separate account dedicated solely to ownership functions, keeping it isolated from routine operations.
What is a Cold Device?
A Cold Device is a factory-reset device with no previous configuration. This should be a dedicated phone or laptop — you can use an old iPhone/Android, Windows device, or even a Chromebook to keep costs down. Everyone involved in setup and maintenance must ONLY access the Cold Admin account from a cold device.
Cold Admin Setup
Step 1: Create a dedicated email account
Create a brand new Gmail account specifically for this Discord account. Do not use a VPN during this process, and it's best to use an incognito browser. After creating the Gmail account:
- Set up 2FA immediately (authenticator app recommended, or Security Key for maximum security)
- Ensure "Skip password when possible" is off
- Do not add a phone number to the account
- Note down the 10 backup codes offline on paper (DO NOT store online)
- Write down the email, password, and backup codes on paper and store securely
Head to https://discord.com and create a new account using the Gmail account you just created.
- Write down the email, username, password, and date of birth offline
- Use a username that is not related to your project
- Give the profile a profile picture in My Account > Edit User Profile
- Go to Content & Social and disable DMs from server members and set spam filter to maximum
- Set the account status to Invisible so no one can see if it's online (click profile in bottom left > change status)
- Send the Cold Admin account a friend request from your personal Discord account
- Have the Cold Admin join the Discord server and complete verification like a normal account
- Assign the Cold Admin the highest admin role
- Have the Cold Admin send a few messages in a private team chat
- Wait approximately 24 hours, send a few more messages, then transfer ownership
To transfer ownership: Go to Server Settings > Members > Search for the Cold Admin account > Click the three dots > Select Transfer Ownership > Input 2FA > Confirm
⚠️ CRITICAL: Triple-check that you are transferring to the correct Cold Admin account. If you transfer to the wrong account, recovery will be extremely difficult.
Use of Cold Admin Account
- Do not use the Cold Admin account for day-to-day operations
- Log into both the Gmail and Discord account at least once a month (set a phone reminder)
- Use only for: inviting/adding bots, making major changes only the server owner can perform
- If an incident or compromise occurs, log into the Cold Admin to regain control — the server owner always maintains full access rights
Backup Systems
- Use a bot like ServerBackup to regularly backup your server configuration
- Store backups securely off-platform
Additional Recommendations
- Set up account leveling for new members to gradually enable permissions as they participate
- Regularly review server audit logs for admin and mod actions
- Use anti-raid bots like Wick or Dyno and configure automatic lock-down settings for suspicious activity
- Regularly review Server Settings > Integrations for newly added apps or link shorteners; disable suspicious integrations or automate link scanning with a bot that checks URLs against known phishing databases
Important: Discord servers should not be used for any confidential communication (i.e., any admin discussions beyond the scope of server moderation) — even restricted channels and DMs are not end-to-end encrypted.
Stay Updated
- Consult the official Discord Moderator Academy for ongoing best practices and new features
- Implement recommended strategies (e.g., improved spam filters, updated role recommendations)
Additional Resources
- Securing Your Server - Discord
- Four Steps for a Super Safe Server - Discord
- How to setup a Discord server securely - Ledger
