The 10 Most Common Discord Security Risks and How to Avoid Them
Discord is a vital communication platform for Community Managers in today’s video games industry.
In supporting a variety of Discord servers for our clients, our Community Management experts at Keywords often encounter pitfalls and misconceptions that can have a big impact on server security.
We caught up with Jonathan Allford, Community Management Lead at Keywords Studios, to take us through these risks in a little more detail:
1. Permissions set wrong
Discord is an incredibly secure platform, but with the wrong permissions you can open your server up to unnecessary risks. Here are a few easy points that are sometimes missed:
- It’s generally best to set permissions for a whole category instead of on every individual channel. This greatly reduces the likelihood of making mistakes.
- Role hierarchy matters for permissions. Ensure admins are at the top, mods below, bots below them and then VIPs and other users beneath them. The muted role should be at the bottom.
- Administrator permissions give users access to everything on your server. You almost never want to allow this. Moderation and high-level permissions can be set without being given admin status.
- Without the ‘embed links’ permission, users can’t post GIFs in channels. They’ll just appear as basic hyperlinks.
2. No levelling system
Levelling systems are an easy way of stopping drive-by trolls and other users who cause disruption shortly after joining. The idea is simple: as users post messages/engage with the server, they get experience points or “XP” and eventually level up. Each level gives them a new role with additional permissions.
3. No logging
Your security is only as good as your records. If you don’t have logs of deleted comments and warnings, moderation is nearly impossible. We recommend using an easy-to-set-up moderation bot like GearBot for automatic logs, to help you and your team of moderators stay on top of any issues.
4. No 2FA on admins and mods
Even people familiar with the latest technology can get phished. Without two-factor authentication, your admins and moderators can put your whole server at risk. Two-factor authentication should be a basic standard across any account that has moderation privileges.
5. Vanity link generated before server ready to launch
If you’re working on a branded or company server, you’ll probably feel proud once you get your vanity link (e.g. discord.gg/yourawesomename). However, setting a vanity link makes the server discoverable and, unless specific permissions are set, users can start joining immediately. Don’t set your vanity link until your server is ready to launch. Setting up your server without hundreds of users watching makes life so much easier!
6. Bots given permissions they don’t need
Very few bots need admin access to be able to do everything you need them to do. In general, you should only ever give admin rights to admins – your most trusted team members. While rare, bots can get hacked or used for malicious purposes, and if they have admin access to your server, they can access a lot of valuable information and security details.
7. Low verification level on safety setup
Discord offers several verification levels, which stop new users from posting until certain conditions are met. Low requires a user to have a valid email address associated with their Discord account; medium requires a valid email address and an account registered for at least 5 minutes; high requires at least 10 minutes; and highest requires a phone number to be associated with the account. Most public-facing Discord servers should be set to high or highest, though highest enforces a phone linked to the account, which may prevent some genuine users from joining.
8. Unvetted moderators
Moderators have a lot of power over your community, both through their permissions and as representatives of your server. It can be tempting to hand moderation powers to the people who want them most or who appear to be the most active, but take the time to vet candidates and work out who has good judgment and relevant knowledge. Consider setting up a Google Form and seeing who applies, but check applicants’ posts and backgrounds, make sure they don’t have any warnings, and choose your mods carefully. Or talk to us about our moderator solutions.
9. Lack of/Low explicit media content filter
Discord can automatically scan posts for NSFW or explicit content. In most public Discords, there’s no reason to turn this off or set it any lower than high. It’s unobtrusive, and false positives are comparatively rare.
10. No anti-raid bot
Malicious users can create bots to raid a server. Without any protection in place, this can lead to phishing scams, abuse and other security risks. Discord has implemented automatic raid protection, but it’s still in beta. Beemo is an easy-to-install bot that helps prevent these raids automatically. There’s virtually no reason not to install it!
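As an added illustration (not part of the original article or of any Keywords tooling), the following Python script audits a constructed snapshot of a server's settings against the checks above. The field names mirror the public Discord API's guild and role objects, but the snapshot, the role names and the `launched` flag are assumptions, and the script runs entirely offline.

```python
ADMINISTRATOR = 1 << 3       # Discord's Administrator permission bit (0x8)
VERIFICATION_HIGH = 3        # 0 none, 1 low, 2 medium, 3 high, 4 highest
FILTER_ALL_MEMBERS = 2       # 0 disabled, 1 members without roles, 2 all members
MFA_ELEVATED = 1             # 1 = server requires 2FA for moderation actions

# Constructed sample snapshot (not a real server). 'managed' marks bot roles;
# 'position' is the hierarchy index (higher = nearer the top of the role list).
SAMPLE_GUILD = {
    "mfa_level": 0,
    "verification_level": 2,
    "explicit_content_filter": 1,
    "vanity_url_code": "yourawesomename",
    "launched": False,       # assumed flag supplied by the auditor, not by Discord
    "roles": [
        {"name": "@everyone", "position": 0, "permissions": 0, "managed": False},
        {"name": "Muted", "position": 1, "permissions": 0, "managed": False},
        {"name": "VIP", "position": 2, "permissions": 0, "managed": False},
        {"name": "Mods", "position": 3, "permissions": 0, "managed": False},
        {"name": "LogBot", "position": 4, "permissions": ADMINISTRATOR, "managed": True},
        {"name": "Admins", "position": 5, "permissions": ADMINISTRATOR, "managed": False},
    ],
}

def audit_guild(guild: dict) -> list:
    """Return one finding per risk the snapshot exhibits (empty list = clean)."""
    findings = []
    roles = guild["roles"]
    by_name = {r["name"]: r for r in roles}
    for r in roles:
        if r["permissions"] & ADMINISTRATOR and r["managed"]:
            findings.append(f"bot role '{r['name']}' has Administrator (risk 6)")
        elif r["permissions"] & ADMINISTRATOR and r["name"] != "Admins":
            findings.append(f"role '{r['name']}' has Administrator (risk 1)")
    # Hierarchy: bot roles must sit below the moderator role, Muted at the bottom.
    mods = by_name.get("Mods")
    if mods and any(r["managed"] and r["position"] > mods["position"] for r in roles):
        findings.append("a bot role is above the moderator role (risk 1)")
    lowest = min((r for r in roles if r["name"] != "@everyone"), key=lambda r: r["position"])
    if lowest["name"] != "Muted":
        findings.append(f"'{lowest['name']}' sits below Muted in the hierarchy (risk 1)")
    if guild["mfa_level"] != MFA_ELEVATED:
        findings.append("server does not require 2FA for moderation (risk 4)")
    if guild["vanity_url_code"] and not guild["launched"]:
        findings.append("vanity link set before launch (risk 5)")
    if guild["verification_level"] < VERIFICATION_HIGH:
        findings.append("verification level below high (risk 7)")
    if guild["explicit_content_filter"] < FILTER_ALL_MEMBERS:
        findings.append("explicit media filter not scanning all members (risk 9)")
    return findings
```

Running `audit_guild(SAMPLE_GUILD)` on the sample reports six findings; correcting the flagged settings empties the list.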
If you would like to discuss your Discord server settings, book an audit, or need help with moderating and engaging your server, get in touch with our Player Support team here!