Skip to content
Closed
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
65 changes: 62 additions & 3 deletions docs/pages/community-management/discord.mdx
Original file line number Diff line number Diff line change
Expand Up @@ -6,21 +6,80 @@
- Security Specialist
contributors:
- role: wrote
users: [mattaereal, zedt3ster, fredriksvantes, auditware]
users: [mattaereal, zedt3ster, fredriksvantes, auditware, nftdreww]
- role: reviewed
users: [mattaereal]
- role: fact-checked
users: [nftdreww]
---

import { TagList, ContributeFooter } from '../../../components'
import { TagList, AttributionList, ContributeFooter } from '../../../components'

# Discord

<TagList tags={frontmatter.tags} />
<AttributionList contributors={frontmatter.contributors} />

For a comprehensive guide on securing your Discord server, see the [**Discord Security Guide**](/guides/account-management/discord).
Discord server security spans account hygiene, role architecture, server hardening, and bot management — each covered in depth in the [Discord Security Guide](/guides/account-management/discord).

Check failure on line 23 in docs/pages/community-management/discord.mdx

View workflow job for this annotation

GitHub Actions / lint

Line length

docs/pages/community-management/discord.mdx:23:121 MD013/line-length Line length [Expected: 120; Actual: 195] https://github.com/DavidAnson/markdownlint/blob/v0.40.0/doc/md013.md

---

## The community manager's role in security

A community manager is the primary public-facing operator of a project's Discord server. They control who gets access, which bots run, what permissions roles carry, and how the server responds when something goes wrong. In a Web3 context, that responsibility is significant: your server is often the first place users go to ask questions, verify information, and form their opinion of your project's legitimacy.

Check failure on line 29 in docs/pages/community-management/discord.mdx

View workflow job for this annotation

GitHub Actions / lint

Line length

docs/pages/community-management/discord.mdx:29:121 MD013/line-length Line length [Expected: 120; Actual: 411] https://github.com/DavidAnson/markdownlint/blob/v0.40.0/doc/md013.md

That visibility is also what makes the community manager one of the most targeted roles in the organisation. Attackers specifically pursue community manager accounts because a compromised account grants immediate access to a trusted, high-reach communication channel. A bad actor who takes control of your Discord can post malicious links to your entire community, impersonate your team to drain wallets, lock out your administrators, and permanently damage user trust, often within minutes.

Check failure on line 31 in docs/pages/community-management/discord.mdx

View workflow job for this annotation

GitHub Actions / lint

Line length

docs/pages/community-management/discord.mdx:31:121 MD013/line-length Line length [Expected: 120; Actual: 491] https://github.com/DavidAnson/markdownlint/blob/v0.40.0/doc/md013.md

### Why following this guide is not optional

Most Discord compromises do not happen because of sophisticated zero-day exploits. They happen because of predictable, preventable failures: reused passwords, SMS-based 2FA, over-permissioned bots, and admin accounts used for everyday activity. The controls in this guide exist specifically because these attack patterns repeat across projects at scale.

Check failure on line 35 in docs/pages/community-management/discord.mdx

View workflow job for this annotation

GitHub Actions / lint

Line length

docs/pages/community-management/discord.mdx:35:121 MD013/line-length Line length [Expected: 120; Actual: 353] https://github.com/DavidAnson/markdownlint/blob/v0.40.0/doc/md013.md

As a community manager you are a custodian of user trust. Members follow links you post, believe announcements you make, and act on guidance your account sends. That trust is the attack surface. Hardening your account and your server configuration is not a technical exercise, it is a direct obligation to the people in your community.

Check failure on line 37 in docs/pages/community-management/discord.mdx

View workflow job for this annotation

GitHub Actions / lint

Line length

docs/pages/community-management/discord.mdx:37:121 MD013/line-length Line length [Expected: 120; Actual: 335] https://github.com/DavidAnson/markdownlint/blob/v0.40.0/doc/md013.md

### What's at stake if you don't

| Risk | Consequence |
|---|---|

Check failure on line 42 in docs/pages/community-management/discord.mdx

View workflow job for this annotation

GitHub Actions / lint

Table column style

docs/pages/community-management/discord.mdx:42:9 MD060/table-column-style Table column style [Table pipe does not align with header for style "aligned"] https://github.com/DavidAnson/markdownlint/blob/v0.40.0/doc/md060.md

Check failure on line 42 in docs/pages/community-management/discord.mdx

View workflow job for this annotation

GitHub Actions / lint

Table column style

docs/pages/community-management/discord.mdx:42:5 MD060/table-column-style Table column style [Table pipe does not align with header for style "aligned"] https://github.com/DavidAnson/markdownlint/blob/v0.40.0/doc/md060.md

| **Account takeover** | Attacker posts phishing links to your entire member base from a trusted account |
| **Admin privilege abuse** | Compromised admin role used to add malicious bots, wipe channels, or ban legitimate team members |

Check failure on line 45 in docs/pages/community-management/discord.mdx

View workflow job for this annotation

GitHub Actions / lint

Line length

docs/pages/community-management/discord.mdx:45:121 MD013/line-length Line length [Expected: 120; Actual: 128] https://github.com/DavidAnson/markdownlint/blob/v0.40.0/doc/md013.md
| **Bot or webhook hijack** | Automated announcements replaced with scam content; hard to detect and revoke quickly |
| **Impersonation** | Lookalike accounts exploit gaps in anti-impersonation rules to social-engineer users at scale |
| **Raid or coordinated attack** | Unprotected servers can be flooded with spam or illegal content, triggering platform action against your server |

Check failure on line 48 in docs/pages/community-management/discord.mdx

View workflow job for this annotation

GitHub Actions / lint

Line length

docs/pages/community-management/discord.mdx:48:121 MD013/line-length Line length [Expected: 120; Actual: 148] https://github.com/DavidAnson/markdownlint/blob/v0.40.0/doc/md013.md
| **Reputational damage** | Even brief compromise events are publicly visible, screenshot, and shared; recovery of community trust is slow |

Check failure on line 49 in docs/pages/community-management/discord.mdx

View workflow job for this annotation

GitHub Actions / lint

Line length

docs/pages/community-management/discord.mdx:49:121 MD013/line-length Line length [Expected: 120; Actual: 140] https://github.com/DavidAnson/markdownlint/blob/v0.40.0/doc/md013.md

The controls in this guide address each of these directly. None of them require advanced technical skills. All of them take significantly less time to implement than a compromise takes to recover from.

---

## What the guide covers

The guide is structured by privilege level, so find your role and start there.

| Audience | What it covers |
|---|---|
| **All team members** | DM spam filtering, authorized app review, connected device audit |
| **Moderators** | Reading your role permissions, understanding AutoMod rule scope |
| **Administrators** | Role architecture, Cold Admin setup, verification levels, raid protection, bot vetting, anti-impersonation, integration security |

---

## Topic index

| Topic | Summary | Guide section |
|---|---|---|
| **Role permissions** | Restrict Administrator, Manage Webhooks, Manage Server, Manage Roles, and Manage Channels to the minimum required roles | [Role permissions →](/guides/account-management/discord#roles) |
| **Cold Admin account** | A dedicated owner account on a factory-reset device, used only for major changes and incident recovery | [Cold Admin →](/guides/account-management/discord#cold-admin-setup) |
| **Verification level** | Set to at least Medium (5+ minutes on Discord) — Moderate recommended for public servers | [Verification →](/guides/account-management/discord#member-screening-setup) |
| **Raid protection** | ML-based join-raid detection with auto-lockdown and CAPTCHA for new users | [Raid protection →](/guides/account-management/discord#safety-setup) |
| **AutoMod rules** | Block spam, harmful links, mention spam, and impersonation keywords in usernames | [AutoMod →](/guides/account-management/discord#automod) |
| **Anti-impersonation** | Custom rules blocking lookalike usernames and profile pictures; bots like Wick | [Anti-impersonation →](/guides/account-management/discord#anti-impersonation-bots) |
| **Bot & integration security** | Apply least privilege to bots; restrict command permissions; audit webhooks | [Integrations →](/guides/account-management/discord#additional-recommendations) |

---

> Spotted an error or have ideas to enhance this content? Your contributions are valuable to us.

For a comprehensive guide on securing your Discord server, see the [**Discord Security Guide**](/guides/account-management/discord).

<ContributeFooter />