No matter the platform, there is always going to be someone trying to "hack" it. Plenty of large companies have dealt with data breaches, whether it's credit card numbers or complete credit history. Discord has its own issues. Spam comes in waves, and while there haven't been total data breaches, certain attacks have made people nervous. In this article, we are going to try to be as comprehensive as possible about how to keep your Discord server safe from attacks. This will include built-in security features, downloadable bots, and just common sense actions you can take every day. Because we want to be as accurate as possible, please don't hesitate to leave a comment with how you defend your server, or if any of our information has gone out of date.
While these Discord security features won't protect your server from every threat, it is good to have them in place. The app comes with a lot of baked-in security features that you should take advantage of. These are simply things that defend against simple spam, but they can go a long way. After all, they only take a few moments to set up!
Server verification settings can help protect against individual trolls, as well as immediate spammers. There are 5 levels of security, ranging from unrestricted, all the way up to requiring members to have a verified phone on their Discord account. This maximum level of protection is not needed in most cases, but is perfect if you're extra paranoid. Discord themselves recommend level 4, which requires a user to be a server member for 10 minutes before being allowed to post.
The next level of security is for NSFW and explicit spam. You can leave your server wide open to any message, scan only messages from regular members, or scan all messages sent by anyone. This won't catch every spam post, but will scan some that have obvious NSFW language or images.
Two-factor authentication will protect your server from hackers who gain control of your admins' accounts. Requiring 2FA means that all admins need to also have 2FA enabled in order for them to use the server. This won't help against raids and spam, but will prevent some unfortunate situations in which an admin's information is compromised and a malicious person nukes your server.
Many servers these days are customized to start a user on a specific page of the server. They have to verify they are a human by answering a question or typing a specific command. This will at least be a roadblock against some attacks, but will not stop all of them. If the attack is specifically targeted, the fake accounts can be programmed to answer the command. You can also have moderators personally verify each user who joins, in which case it will be obvious that there is an incoming bot attack.
The Discord widget is something that can be embedded on a website and will link to the server and show all online users. Over at Discord Me, we figured out how to leverage it to generate server invites. Security concerns from August 2018 have forced us to take a different route. We currently suggest that our servers disable the widget, and we no longer require it to have your server discoverable on Discord Me. We have created a secure bot to handle this task. Discord Me and Digital Zealot care deeply about the safety of the users, so we acted swiftly to create this bot to handle invite generation.
This server scraping raid was only able to see the user IDs of server members, and no additional account information. While this data is not private or dangerous, the principle of the matter still remains. We do not want to see any users made uncomfortable by their user or server information becoming public.
One way that bots are raiding innocent Discord servers is by using an invite link to invite numerous other malicious bots. If this is something you would like to avoid, you can disable invite link creation from roles, to prevent these self-assigning bots from using a never-expire invite link for nefarious purposes.
By default, Discord uses IP security to protect you, as an individual user, from DDoS attacks. Your IP is secure and safe. And you will have to verify your account by email if you attempt to log in from a different IP. However, you need to be aware of external links. Once you leave Discord, that website can know your IP address.
Thanks to Discord's public feedback forum, we can see some of the creative ideas users have come up with. Some of these deal with security issues, and there are some great ideas. Some of these can be taken care of with bots.
One popular idea is to enable a server freeze, which would allow a server owner to essentially flip a light switch to turn their server on or off. If a raid is happening, just shut off the server to stop the raid. This proposed feature would also pause all server invites, so a live bot attack would get shut out halfway through. Some users have accomplished this "maintenance mode" through the use of bots. One shortcut is to execute a command that strips users of their role and gives every user a new role that can access only one channel: a read-only channel that says something to the effect of "Maintenance in Progress".
We'll cover some of the bots people use to accomplish this and similar activities later on in this post.
The most common way for servers to be attacked is with a massive influx of bot accounts. Unfortunately, the information on how to raid a server is very public knowledge, and not some secret hacker methodology. You can easily find YouTube video tutorials, and even entire Discord servers dedicated to raiding other servers. These trolls try to perform DDoS attacks on a server by overwhelming it with spam messages. We almost fell prey to one of these attacks ourselves, but managed to contain it without a server crash. Our giant list of banned users whose accounts have been deleted exists to prove that these were not legitimate users, but just malicious bots.
In addition to bot accounts, there are actual Discord bots (the extremely helpful tools you can install on your server) that can be malicious. The worst part about these bots is that they can assign themselves roles, including moderator and admin privileges. Luckily these bots can't join a server on their own, so this attack will come from within. And it can be an honest mistake on the part of an admin, who installs a bot that unknowingly comes with bad intent.
If you are not comfortable with the role that a bot has, try to remove that role. If the bot doesn't function without that role, decide if that is something you want to risk in your server. For example, your music bot probably doesn't need to be able to kick and ban users - so make sure that it can't, or find a new one if it insists on having that permission!
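One way to run that check before a bot is ever installed, as an added example that is not from the original article or any bot project: decode the `permissions` integer in a bot's invite link and list the high-risk rights it asks for beyond what its job needs. The flag values follow Discord's documented permission bitfield; the sample URL, the client ID and the "music bot needs" set are constructed assumptions.

```python
from urllib.parse import urlparse, parse_qs

# Subset of Discord's documented permission bit flags.
FLAGS = {
    "CREATE_INSTANT_INVITE": 1 << 0, "KICK_MEMBERS": 1 << 1,
    "BAN_MEMBERS": 1 << 2, "ADMINISTRATOR": 1 << 3,
    "MANAGE_CHANNELS": 1 << 4, "MANAGE_GUILD": 1 << 5,
    "VIEW_CHANNEL": 1 << 10, "SEND_MESSAGES": 1 << 11,
    "MANAGE_MESSAGES": 1 << 13, "MENTION_EVERYONE": 1 << 17,
    "CONNECT": 1 << 20, "SPEAK": 1 << 21,
    "MANAGE_ROLES": 1 << 28, "MANAGE_WEBHOOKS": 1 << 29,
}
# Flags that let a bot remove members, hand out roles or reshape the server.
HIGH_RISK = {"KICK_MEMBERS", "BAN_MEMBERS", "ADMINISTRATOR", "MANAGE_CHANNELS",
             "MANAGE_GUILD", "MANAGE_ROLES", "MANAGE_WEBHOOKS", "MENTION_EVERYONE"}

def requested_permissions(invite_url):
    """Decode the permissions= integer of a bot invite URL into flag names."""
    query = parse_qs(urlparse(invite_url).query)
    value = int(query.get("permissions", ["0"])[0])
    names = {name for name, bit in FLAGS.items() if value & bit}
    known = sum(FLAGS.values())
    # Bits outside the table are reported, not silently ignored.
    names |= {f"UNKNOWN_BIT_{i}" for i in range(value.bit_length())
              if (value >> i) & 1 and not (known >> i) & 1}
    return names

def excess_permissions(invite_url, needed):
    """Return high-risk or unknown permissions requested but not needed."""
    asked = requested_permissions(invite_url)
    return sorted(p for p in asked - set(needed)
                  if p in HIGH_RISK or p.startswith("UNKNOWN_BIT_"))

# Constructed example: a music bot that also asks for kick and ban rights.
MUSIC_NEEDS = {"VIEW_CHANNEL", "SEND_MESSAGES", "CONNECT", "SPEAK"}
SAMPLE_BITS = sum(FLAGS[n] for n in MUSIC_NEEDS | {"KICK_MEMBERS", "BAN_MEMBERS"})
SAMPLE_URL = ("https://discord.com/api/oauth2/authorize"
              f"?client_id=000000000000000000&permissions={SAMPLE_BITS}&scope=bot")

if __name__ == "__main__":
    print(excess_permissions(SAMPLE_URL, MUSIC_NEEDS))
```

A result containing `ADMINISTRATOR` deserves the most scrutiny, since that single flag grants every other permission.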
Now, of course, raiding is against Discord's terms of service, but when has that ever stopped anyone? Discord has stated that if users fall victim to raiding, they can email the Discord support team. However, this isn't very helpful after the fact. Discord has stated that they are working on anti-raiding initiatives. However, they cannot disclose any details so that malicious users do not try to circumvent their efforts.
In the meantime, there are a whole host of user-created bots that you can use on your server, and we're going to cover some of the best ones. Check back in this section every so often. We may add or remove bots from our list as their features change.
There are plenty of bots out there designed to help protect your Discord server from raids, malicious bots, and spam. Here are just a few of them that we've found, but don't hesitate to do your own research to find the bot that's right for your exact needs.
Gaius uses a constantly-updated Global Ban System that blocks thousands of users ranging from userbots, raiders, phishers, and other various malicious users in order to prevent harmful users from joining your community. Their ban system is the largest and most updated of any bot out there. They have a detailed anti-spam system that can block various types of spam messages. It also auto-detects NSFW content to keep your server squeaky clean! Gaius has a large database of spam and phishing links to auto-block. In terms of anti-raid features, the bot can mute new users who join in a short amount of time. It is highly customizable, to suit your server needs.
There are a ton of moderation bots out there including Mee6, Dyno, and Vortex. These automoderation bots include a lot of basic features to keep your members in line. You can censor certain words, block obvious spam including repeated words and all caps, enable or disable external links, block mass tagging, and more. This will not necessarily block every raid, but it will deal with some aspects of it. Raiders are getting smarter, however, so many messages aim to get around these restrictions, and focus more on lots of accounts, rather than just a few posting the same spam. Vortex in particular features an additional Anti-Raid Mode, which will kick all new users out when a certain number of users join in a short amount of time.
It is also notable that Mee6 is one of the biggest bots out there, so you may already be using it!
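The join-rate trigger described above (act on new users when a certain number join in a short amount of time) can be sketched as a sliding window. This is an added example, not the code of Vortex, Gaius or any other bot; the class name, the threshold of 5 joins in 10 seconds, the 60-second cooldown and the join events are all constructed assumptions.

```python
from collections import deque

class JoinRateMonitor:
    """Flags joins when `threshold` accounts arrive within `window` seconds."""

    def __init__(self, threshold=5, window=10.0, cooldown=60.0):
        self.threshold, self.window, self.cooldown = threshold, window, cooldown
        self.recent = deque()      # (timestamp, user_id) inside the window
        self.raid_until = None     # raid mode stays on until this time

    def on_join(self, ts, user_id):
        """Record one join; return user IDs a moderation bot should act on."""
        # Drop joins that have aged out of the sliding window.
        while self.recent and ts - self.recent[0][0] > self.window:
            self.recent.popleft()
        self.recent.append((ts, user_id))

        if self.raid_until is not None and ts <= self.raid_until:
            # Already in raid mode: flag the newcomer and extend the cooldown.
            self.raid_until = ts + self.cooldown
            return [user_id]
        self.raid_until = None
        if len(self.recent) >= self.threshold:
            # Threshold crossed: flag everyone who joined inside the window,
            # including accounts that arrived before the alarm tripped.
            self.raid_until = ts + self.cooldown
            return [uid for _, uid in self.recent]
        return []

def replay(events, **settings):
    """Feed (timestamp, user_id) joins through a monitor; return flagged IDs."""
    monitor = JoinRateMonitor(**settings)
    flagged = []
    for ts, uid in events:
        flagged.extend(monitor.on_join(ts, uid))
    return flagged

# Constructed join log: three organic joins, a burst, then a later organic join.
SAMPLE_JOINS = [(0, "alice"), (40, "bob"), (95, "carol"),
                (100, "raid1"), (100.5, "raid2"), (101, "raid3"),
                (101.5, "raid4"), (102, "raid5"), (110, "raid6"), (300, "dave")]

if __name__ == "__main__":
    print(replay(SAMPLE_JOINS))
```

In the sample, carol joined five seconds before the burst and is flagged along with the raid accounts; a join-rate trigger cannot tell her apart, so muting flagged users for review costs less than kicking them.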
Discord Bans is a bot that protects servers by creating a blacklist of banned users to warn server owners. Their goal is to create a comprehensive blacklist that can protect servers everywhere. Their list includes raiders, spammers, harassers, and mass advertisers. A simple command allows you to check your server for blacklisted users, or check specific users and the reason they are on the list. As with most blacklists, Discord Bans lets you appeal if you are on their list.
Discord can be a scary place, but it doesn't have to be. There are so many things that you can do to protect yourself, and the good guys of the internet are always working on new technology. Join the fight against those who want to sow discord on Discord! If any of these tips have worked for you, or there's something we missed, please let us know in the comments. This will not only help other readers out, but will give us more helpful material to update this article with. Stay safe!