The Curriculum

The Curriculum

Introduction

241: Securing Your Discord Account

Personal account security on Discord is of the utmost importance. If your account is compromised, you could lose access to cherished direct message conversations with friends and servers in which you are an active community member. However, when you’re a moderator there is an additional danger: the attacker that compromised your account may ruin the Discord servers you moderate by banning tons of members, deleting channels and messages, or more.

To avoid this, it is important that you not only secure your own account but use Discord responsibly to avoid accidentally compromising your account.

Account Security

The first step towards securing the server you moderate is securing your own Discord account. Your first line of defense is a strong and unique password. Some characteristics of strong passwords include:

  • Length - Longer passwords are harder to guess
  • A mix of character types - Including numbers, symbols, lowercase, and uppercase letters make the password harder to guess
  • Uniqueness - Avoid reusing passwords you are using on other sites. If those sites are compromised, it could also compromise your Discord password

You can also use a random password generator or a password manager to create a completely random password that will be nearly impossible to guess, but difficult to remember. Another option is to combine several random words together. The key, though, is that the words need to be completely random. Using a tool to help select words at random from the dictionary is a good way to help ensure their randomness.

Once you have a strong password, you should also enable two-factor authentication, also known as 2FA. 2FA ensures that even if someone manages to guess your password, they won’t be able to get into your account without access to the device where the 2FA app is. You can also enable 2FA via SMS and receive your authentication code via text message. However, SMS 2FA is less secure than application-based 2FA because text messages can be intercepted or your phone number could be stolen. Although the chance of this is still low, you should still avoid enabling the SMS backup for this reason if possible.

You also need to make sure the devices where your Discord account is logged in and the device that has your 2FA app are physically secure. Make sure your computer is password protected and locked when you are physically away from it. If you use a public computer, make sure that you use incognito mode on the web browser to ensure that your Discord information is removed when you close the browser. For a phone or tablet, require a PIN code to unlock it so that it can’t be used by strangers.

Now that your account is nice and secure, there is one more thing you must closely monitor to ensure it doesn’t fall into the wrong hands: yourself.

Avoiding Social Engineering Attacks

The weakest link in any cybersecurity system is usually a human, and the security of your Discord account is no exception. Social engineering is the use of deception to manipulate individuals into divulging confidential or personal information that may be used for fraudulent purposes. People attempting to gain access to your Discord account may attempt to get you to log into a fake site, download a malicious file, or click on a suspicious link. Being able to identify these actions and avoiding potential pitfalls is an important part of keeping your account (and the servers you moderate) safe.

One of the most common and dangerous scams on Discord is a user or a bot sending out a direct message with a QR code saying that you should scan the QR code with Discord’s QR code scanner for free nitro. This will generally be combined with instructions on how to access and use Discord’s QR code scanner. However, it is important to remember that Discord's QR code scanner is only used to log in to Discord. Scanning the given QR code will allow that attacker to directly log into your account, bypassing your password and any 2FA you may have configured. If you accidentally scan a suspicious QR code, you should immediately change your password as this will invalidate your current account token and log you out of all devices.You can also report any such scams directly to Discord Trust and Safety for further action. For more information on making reports, check out this article.

Another common attack is to encourage you to click on a link that redirects to a fake Discord website. Before clicking on any links from a user, ask yourself the following questions:

  • Is the sender a stranger?
  • Is this message unexpected?
  • Does the message imply urgency or promise something as a reward (e.g., “If you don’t do this in the next five days, your Discord account will be deleted”)
  • Are they asking me to perform a suspicious/sensitive action (e.g., download a file, log in to a website)

If you find that the answer to many of the above questions is “yes”, you should avoid performing whatever action they are requesting. You can also check any suspicious-looking URLs with various URL checkers, such as this one.

If the user is specifically asking you to click on a link that prompts you to log in to Discord, another option you have is to navigate directly to https://discord.com in your web browser and log in from there. If clicking on the user’s link still takes you to a login page, double check the URL of the website. One thing you’ll want to check is if the website starts with https:// instead of http:, or that there is a lock next to the beginning of the URL. Although some fake sites may still have an https:// designation, many of them will not. Other signs may be slight misspellings of the URL or visual tricks such as diiscrd.com or dlscord.com with a lowercase “l” instead of an “i”. If you notice any of these signs, it is highly likely that it is not actually Discord’s website and instead a fake website intended to trick you into entering your login credentials so that it can steal your account.

Most modern browsers will have a lock icon indicating that the connection is secure if they do not show https:// before the URL. If the icon is shown as an unlocked lock or you see http:// rather than https:// before the URL, your connection is not secure.

Conclusion

Creating a strong password, enabling 2FA, and following best practices for physical device security are the first steps towards keeping your Discord account secure. However, there may be people that try to trick you into giving access to your Discord account through various scams or other social engineering attacks. Being able to spot suspicious messages and users and being cautious when encountering strange links or files is another important part of keeping your account safe. Of course, anyone that is able to illicitly gain access to a moderator account on your server still has the potential to do great harm, such as banning users and deleting messages, channels, and roles. Be sure to share this information with the other moderators on your server so that you can each do your part to keep your community safe by keeping your accounts secure.

Characteristic
Add Verified Role
Remove Unverified Role
Bypassing the server verification level
Users will be subject to the server verification level until they verify.
Users will not be subject to the server verification level on joining, but will be after they verify.
Role Permissions
The @everyone role should have no permissions, the Verified role should have the permissions you would normally give to @everyone.
The @everyone role should have normal permissions. The Unverified role should have no permissions.
Channel Permissions
Separate instructional & verification channels

@everyone role

✔ Read Messages in both channels

❌ Add Reactions in both channels
✔ Read Message History in instructional

❌ Send Messages in instructional

✔ Send Messages in verification
❌ Read Message History in verification

Verified role

❌ Read Messages in both channels

❌ Add Reactions in both channels

Combined channel
@everyone role

✔ Read Messages
✔ Read Message History

✔ Send Messages

❌ Add Reactions

Verified role

❌ Read Messages

❌ Add Reactions
Separate instructional & verification channels

@everyone role

✔ Read Messages in both channels

❌ Add Reactions in both channels
✔ Read Message History in instructional

❌ Send Messages in instructional

✔ Send Messages in verification
❌ Read Message History in verification

Verified role

❌ Read Messages in both channels

❌ Add Reactions in both channels

Combined channel
@everyone role

✔ Read Messages
✔ Read Message History*

✔ Send Messages

❌ Add Reactions

Verified role

❌ Read Messages

❌ Add Reactions

*Unless you are using the channel description for verification instructions rather than an automatic greeter message.

If you want to use the remove unverified role method, you will need a bot that can automatically assign a role to a user when they join.

Verification Actions
Once you decide whether you want to add or remove a role, you need to decide how you want that action to take place. Generally, this is done by typing a bot command in a channel, typing a bot command in a DM, or clicking on a reaction. The differences between these methods are shown below.

Characteristic
Interview
Click Reaction
Command in Channel
Command in DM
Ease of use
Requires the most effort from both moderators and users
Simple to perform, cannot mistype anything
More complex, users must read and type more carefully
Interaction with Server Verification Level
Users subject to server verification level (if using the Verified role method)
Users not subject to server verification level
Effectiveness
Extremely effective at deterring trolls from reaching the rest of the server
Users do not need to read instructions/rules as closely to understand what to do
Encourages users to read the verification message carefully
Encourages users to read the verification message carefully, but DM may not go through
Visibility
Moderators are directly involved
Moderators are unlikely to notice user action.
User action is visible to moderators
User action is not visible to moderators
Simplicity of setup
While the involvement of bots may be minimal, writing interview questions and determining evaluation criteria could be complex
Requires only a single #welcome type channel with instructions to click the reaction
Can require either only a single channel or two channels depending on preference
Does not require any channels, unless you want a backup verification method for users that have DMs disabled

In order to use the command in channel method, you will need to instruct your users to remove the Unverified role or to add the Verified role to themselves.

Element
Description
Title
The text that is placed above the description, usually highlighted. Also directs to a URL, if given.
Description
The part of the embed where most of the text is contained.
Content
The message content outside the embed.
URL
The link to the address of the webpage. Mostly used with the thumbnail, icon and author elements in order to link to an image.
Color
Color of your embed’s border, usually in hexadecimal or decimal.
Timestamp
Time that the embed was posted. Located next to the footer.
Footer
Text at the bottom of the embed.
Thumbnail
A medium-sized image in the top right corner of the embed.
Image
A large-sized image located below the “Description” element.
Author
Adds the author block to the embed, always located at the top of the embed.
Icon
An icon-sized image in the top left corner of the embed, next to the “Author” element. This is usually used to represent an Author icon.
Fields
Allows you to add multiple subtitles with additional content underneath them below the main “Title” & “Description” blocks.
Inline
Allows you to put multiple fields in the same row, rather than having one per row.

Markdown is also supported in an embed. Here is an image to showcase an example of these properties:

Example image to showcase the elements of an embed
An important thing to note is that embeds also have their limitations, which are set by the API. Here are some of the most important ones you need to know:

An important thing to note is that embeds also have their limitations, which are set by the API. Here are some of the most important ones you need to know:

  • Embed titles are limited to 256 characters
  • Embed descriptions are limited to 2048 characters
  • There can be up to 25 fields
  • The name of a field is limited to 256 characters and its value to 1024 characters
  • The footer text is limited to 2048 characters
  • The author name is limited to 256 characters
  • In addition, the sum of all characters in an embed structure must not exceed 6000 characters
  • A webhook can have 10 embeds per message
  • A webhook can only send 30 messages per minute

If you feel like experimenting even further you should take a look at the full list of limitations provided by Discord here.

It’s very important to keep in mind that when you are writing an embed, it should be in JSON format. Some bots even provide an embed visualizer within their dashboards. You can also use this embed visualizer tool which provides visualization for bot and webhook embeds.

Hypothesis
Chart/Table Affected
Expected Result
Removing invite links from less relevant traffic sources will decrease server growth.
  • How many new members are joining?
  • Total membership over time
  • Most popular invites/referrers
  • New members joining decreases
  • Total membership over time grows more slowly or decreases
  • Total joins from the invite link/referrer decreases
Adding or promoting an invite link on a relevant traffic source will increase server growth
  • How many new members are joining?
  • Total membership over time
  • Most popular invites/referrers
  • New members joining increases
  • Total membership over time increases more quickly or decreases more slowly
  • Total joins from the invite link/referrer increases
Improving the overall quality of referrers will attract people that are more likely to stay on your server and engage with your community
  • Server leaves over time
  • How many new members successfully activate on their first day?
  • Members remain on your server after joining, decreasing server leaves over time from new members
  • Members are more likely to want to engage with your server prior to joining, and will be more likely to talk or visit multiple channels
Webhooks
Bots
Function
  • Can only send messages to a set channel.
  • They can only send messages, not view any.
  • Can send up to 10 embeds per message.
  • Much more flexible as they can do more complex actions similar to what a regular user can do.
  • Bots are able to view and send messages.
  • Only one embed per message is allowed.
Customization
  • Can create 10 webhooks per server  with the ability to customize each avatar and name.
  • Able to hyperlink any text outside of an embed.
  • Public bots often have a preset avatar and name which cannot be modified by end users.
  • Cannot hyperlink any text in a normal message, must use an embed.
Load and security
  • Just an endpoint to send data to, no actual hosting is required.
  • No authentication that data sent to webhook is from a trusted source.
  • No authentication that data sent to webhook is from a trusted source.If webhook URL is leaked, only non-permanent problems may occur (e.g. spamming)
  • Easy to change webhook URL if needed.
  • Bots have to be hosted in a secure environment that will need to be kept online all the time, which costs more resources.
  • Bots are authenticated via a token, compromised token can cause severe damage due to their capabilities if they have permissions granted to them by the server owner.
  • However, you can reset the bot token if needed.

Even though this comparison is important for better understanding of both bots and webhooks, it does not mean you should limit yourself to only picking one or the other. Sometimes, bots and webhooks work their best when working together. It’s not uncommon for bots to use webhooks for logging purposes or to distinguish notable messages with a custom avatar and name for that message. Both tools are essential for a server to function properly and make for a powerful combination.

Spam Type
Mee6
Dyno
Giselle
Gaius
YAGPDB
Carl
Gearbot
Fast Messages
No
Yes
Yes****
Yes
Yes
Yes
No
Repeated Text
Yes
Yes
Yes****
Yes
Yes
No
No
Newline Text
No
No
Yes****
Yes
No
No
No
Mentions
Yes
Yes
Yes
Yes
Yes
Yes
Yes*
Links
Yes*
Yes*
Yes*
Yes
Yes***
Yes
Yes
Invites
Yes*
Yes*
Yes*
Yes
Yes
Yes
Yes
Images
No
Yes
Yes
Yes**
No
Yes
No
Emoji
Yes
Yes
No
Yes
No
No
No

*Unconfigurable filters, these will catch all instances of the trigger, regardless of whether they’re spammed or a single instance

**Gaius also offers an additional NSFW filter as well as standard image spam filtering

***YAGPDB offers link verification via google, anything flagged as unsafe can be removed

****Giselle combines Fast Messages and Repeated Text into one filter

Anti-Spam is integral to running a large private server, or a public server. Spam, by definition, is irrelevant or unsolicited messages. This covers a wide base of things on Discord, there are multiple types of spam a user can engage in. The common forms are listed in the table above. The most common forms of spam are also very typical of raids, those being Fast Messages and Repeated Text. The nature of spam can vary greatly but the vast majority of instances involve a user or users sending lots of messages with the same contents with the intent of disrupting your server.

There are subsets of this spam that many anti-spam filters will be able to catch. If any of the following: Mentions, Links, Invites, Emoji, and Newline Text are spammed repeatedly in one message or spammed repeatedly across several messages, they will provoke most Repeated Text and Fast Messages filters appropriately. Subset filters are still a good thing for your anti-spam filter to contain as you may wish to punish more or less harshly depending on the spam. Namely, Emoji and Links may warrant separate punishments. Spamming 10 links in a single message is inherently worse than having 10 emoji in a message.

Anti-spam will only act on these things contextually, usually in an X in Y fashion where if a user sends, for example, 10 links in 5 seconds, they will be punished to some degree. This could be 10 links in one message, or 1 link in 10 messages. In this respect, some anti-spam filters can act simultaneously as Fast Messages and Repeated Text filters.

Sometimes, spam may happen too quickly for a bot to catch up. There are rate limits in place to stop bots from harming servers that can prevent deletion of individual messages if those messages are being sent too quickly. This can often happen in raids. As such, Fast Messages filters should prevent offenders from sending messages; this can be done via a mute, kick or ban. If you want to protect your server from raids, please read on to the Anti-Raid section of this article.

Text Filters
Text filters allow you to control the types of words and/or links that people are allowed to put in your server. Different bots will provide various ways to filter these things, keeping your chat nice and clean.

FIlter
Mee6
Dyno
Giselle
Gaius
YAGPDB
Carl
Gearbot
Banned words
Yes
Yes
Yes
Yes
Yes
Yes
Yes
Whitelist
No
No
Yes
Yes
Yes
No
Yes
Templates
No
Yes
No
Yes
No
No
No
Immunity
Yes
Yes
Yes
Yes
Yes
Yes
Yes
Banned Links
Yes*
Yes*
No
Yes
Yes*
Yes***
Yes
Whitelist
Yes
No
No
Yes
Yes**
Yes***
Yes
Templates
No
No
No
Yes
Yes**
Yes***
No
InvitesNo
Yes
Yes
Yes
Yes
Yes
Yes
Yes
Extras
Zalgo
Selfbot
Regex
Regex
Files
No

*Defaults to banning ALL links

**YAGPDB offers link verification via google, anything flagged as unsafe can be removed

***Setting a catch-all filter with carl will prevent link-specific spam detection

A text filter is integral to a well moderated server. It’s strongly, strongly recommended you use a bot that can filter text based on a blacklist. A Banned words filter can catch links and invites provided http:// and https:// are added to the word blacklist (for all links) or specific full site URLs to block individual websites. In addition, discord.gg can be added to a blacklist to block ALL Discord invites.

A Banned Words filter is integral to running a public server, especially if it’s a Partnered, Community or Verified server, as this level of auto moderation is highly recommended for the server to adhere to the additional guidelines attached to it. Before configuring a filter, it’s a good idea to work out what is and isn’t ok to say in your server, regardless of context. For example, racial slurs are generally unacceptable in almost all servers, regardless of context. Banned word filters often won’t account for context, with an explicit blacklist. For this reason, it’s also important a robust filter also contains whitelisting options. For example, if you add the slur ‘nig’ to your filter and someone mentions the country Nigeria’ they could get in trouble for using an otherwise acceptable word.

Filter immunity may also be important to your server, as there may be individuals who need to discuss the use of banned words, namely members of a moderation team. There may also be channels that allow the usage of otherwise banned words. For example, a serious channel dedicated to discussion of real world issues may require discussions about slurs or other demeaning language, in this exception channel based Immunity is integral to allowing those conversations.

Link filtering is important to servers where sharing links in ‘general’ chats isn’t allowed, or where there are specific channels for sharing such things. This can allow a server to remove links with an appropriate reprimand without treating a transgression with the same severity as they would a user sending a racial slur.

Whitelisting/Blacklisting and templates for links are also a good idea to have. While many servers will use catch-all filters to make sure links stay in specific channels, some links will always be malicious. As such, being able to filter specific links is a good feature, with preset filters (Like the google filter provided by YAGPDB) coming in very handy for protecting your user base without intricate setup however, it is recommended you do configure a custom filter to ensure specific slurs, words etc. that break the rules of your server, aren’t being said.

Invite filtering is equally important in large or public servers where users will attempt to raid, scam or otherwise assault your server with links with the intention of manipulating your user base to join or where unsolicited self-promotion is potentially fruitful. Filtering allows these invites to be recognized, and dealt with more harshly. Some bots may also allow by-server white/blacklisting allowing you to control which servers are ok to share invites to, and which aren’t. A good example of invite filtering usage would be something like a partners channel, where invites to other, closely linked, servers are shared. These servers should be added to an invite whitelist to prevent their deletion.

Anti-Raid
Raids, as defined earlier in this article, are mass-joins of users (often selfbots) with the intent of damaging your server. There are a few methods available to you in order for you to protect your community from this behavior. One method involves gating your server with verification appropriately, as discussed in DMA 301.You can also supplement or supplant the need for verification by using a bot that can detect and/or prevent damage from raids.

Mee6
Dyno
Giselle
Gaius
YAGPDB
Carl
Gearbot
Raid detection
No
No
Yes
No*
No
No
No
Raid prevention
No
No
Yes
Yes
No
No
No
Raid-user detection
No
No
Yes
Yes
No
No
No
Damage prevention
No
Yes
No
Yes*
No
Yes
No
Templates
No
No
No
Yes
Yes**
Yes***
No
Raid anti-spam
No
Yes
Yes
Yes
Yes
No
No
Raid Cleanup
No
Yes
Yes
Yes
Yes
Yes
Yes

*Unconfigurable, triggers raid prevention based on user joins & damage prevention based on humanly impossible user activity. Will not automatically trigger on the free version of the bot.

Raid detection means a bot can detect the large number of users joining that’s typical of a raid, usually in an X in Y format. This feature is usually chained with Raid Prevention or Damage Prevention to prevent the detected raid from being effective, wherein raiding users will typically spam channels with unsavoury messages.

Raid-user detection is a system designed to detect users who are likely to be participating in a raid independently of the quantity of frequency of new user joins. These systems typically look for users that were created recently or have no profile picture, among other triggers depending on how elaborate the system is.

Raid prevention stops a raid from happening, either by Raid detection or Raid-user detection. These countermeasures stop participants of a raid specifically from harming your server by preventing raiding users from accessing your server in the first place, such as through kicks, bans, or mutes of the users that triggered the detection.

Damage prevention stops raiding users from causing any disruption via spam to your server by closing off certain aspects of it either from all new users, or from everyone. These functions usually prevent messages from being sent or read in public channels that new users will have access to. This differs from Raid Prevention as it doesn’t specifically target or remove new users on the server.

Raid anti-spam is an anti spam system robust enough to prevent raiding users’ messages from disrupting channels via the typical spam found in a raid. For an anti-spam system to fit this dynamic, it should be able to prevent Fast Messages and Repeated Text. This is a subset of Damage Prevention.

Raid cleanup commands are typically mass-message removal commands to clean up channels affected by spam as part of a raid, often aliased to ‘Purge’ or ‘Prune’.It should be noted that Discord features built-in raid and user bot detection, which is rather effective at preventing raids as or before they happen. If you are logging member joins and leaves, you can infer that Discord has taken action against shady accounts if the time difference between the join and the leave times is extremely small (such as between 0-5 seconds). However, you shouldn’t rely solely on these systems if you run a large or public server.

User Filters
Messages aren’t the only way potential evildoers can present unsavoury content to your server. They can also manipulate their Discord username or Nickname to cause trouble. There are a few different ways a username can be abusive and different bots offer different filters to prevent this.

Filter
Mee6
Dyno
Giselle
Gaius
YAGPDB
Carl
Gearbot
Bad words
No
No
No
Yes*
Yes
No
No
Spam
No
No
No
Yes*
Yes**
No
No
Hoisting
No
No
No
Yes*
Yes**
No
No

*Gaius can apply same blacklist/whitelist to names as messages or only filter based on items in the blacklist tagged %name

**YAGPDB can use configured word-list filters OR a regex filter

Username filtering is less important than other forms of auto moderation, when choosing which bot(s) to use for your auto moderation needs, this should typically be considered last, since users with unsavory usernames can just be nicknamed in order to hide their actual username.

Hypothesis
Chart/Table Affected
Expected Result
Enabling or adjusting the Welcome Screen will guide users to the right introduction channels and encourage engagement
Welcome Screen
  • All metrics
Growth & Activation
  • How many new members successfully activate on their first day? - % visited more than 3 channels
  • Users click on each channel in equal proportion and send messages in equal proportion afterwards
  • % visited more than 3 channels will increaseFirst day activation increases
Streamlining the channel and role structure will make the server less overwhelming to new users and encourage participatio

nand/or

Greeting people upon joining the server in a general chat channel will encourage them to respond and participate in the community
Growth & Activation
  • How many new members successfully activate on their first day?
Engagement
  • How many members visited and communicated?
  • Message activity
  • Which text/voice channels do people use the most?
  • % talked (voice or text) will increase
  • % communicators will increase
  • Message activity will increase
  • Channels that are made opt in, require privileged access, or moved to the bottom of the channel list will have less engagement than other channels
  • The channel with greet messages will have an increased number of readers and, if send messages is enabled, a greater number of messages and chatters
Implementing a news feed announcement channels with role notifications will encourage people to check the announcement channel regularly
Growth & Activation
  • How many new members retain the next week?
Engagement
  • Which text/voice channels do people use the most?
  • Members retained will increase
  • Readers on the announcement channel will increase
Implementing community engagement campaigns will improve activity
The measurement and expected results of each community engagement campaign will vary based on the exact nature of the campaign. However, you can expect that they will improve some combination of first day activation, user retention, and/or percent communicators within your server.

One additional component not included in the table is the effects of implementing a verification gate. The ramifications of a verification gate are difficult to quantify and not easily summarized. Verification gates make it harder for people to join in the conversation of your server, but in exchange help protect your community from trolls, spam bots, those unable to read your server’s language, or other low intent users. This can make administration and moderation of your server much easier. You’ll also see that the percent of people that visit more than 3 channels increases as they explore the server and follow verification instructions, and that percent talked may increase if people need to type a verification command.

However, in exchange you can expect to see server leaves increase. In addition, total engagement on your other channels may grow at a slower pace. User retention will decrease as well. Furthermore, this will complicate the interpretation of your welcome screen metrics, as the welcome screen will need to be used to help people primarily follow the verification process as opposed to visiting many channels in your server. There is also no guarantee that people who send a message after clicking to read the verification instructions successfully verified. In order to measure the efficacy of your verification system, you may need to use a custom solution to measure the proportion of people that pass or fail verification.

Ready to test your moderator skills?

Take the Discord Moderator Exam!

Take the Exam