Manual: Defending a Discord Server
What to do if your server gets attacked:
First off, don’t panic. What’s happening cannot harm you or anyone else and is an inconvenience, nothing more. Your server wasn’t the first to be attacked and won’t be the last. Swift decisive action by you and your moderators can clean up a server in mere minutes.
Emergency Lockdown Protocols:
- Delete all of your instant invite links to the discord by right clicking on your server icon and choosing Server Settings -> Invites
- Under the Members section just above Invites, ban all the most recent suspicious looking people.
  - When you go to ban someone, ENSURE YOU HAVE THEIR POSTS DELETED FOR AT LEAST THE PAST 24 HOURS. It will prompt you when you click block.
  - Note that if you want to report them, you’ll have to keep the messages there; once the messages are deleted they aren’t recoverable.
These two steps will prevent new spambots and trolls from coming in while kicking out and cleaning up the ones who already snuck into your server. It’s quick and efficient.
Post Cleanup:
Implement the changes outlined above, and check for other miscreants in your Audit logs to determine who’s recently come into the server and ban all suspicious looking users. Kicking them won’t cut it because they can just come back in through your invite link until you invalidate it.
Also, it is recommended to delete and recreate any and all invitation links to your server to prevent spammers from coming back. Although it is inconvenient because you’ll have to update the link on all of your social media platforms, it is the only way to prevent future issues as these links are really the only way to access your server.
Reporting Offenders:
The process to report spam accounts is rather tedious and very user unfriendly in my opinion. Discord has outlined the procedure for submitting reports to them for action; it can be followed here: https://discord.com/safety/360044103651-reporting-abusive-behavior-to-discord
Recommended Server Settings for Server Owners:
Overview:
- AFK Channel: When someone is extensively idling in your chat channel, they’re still sucking up bandwidth and resources. Discord can automatically move them to a different channel designated for people AFK to keep things clean and tidy.
- System Messages: Best practice is to create a special dedicated channel for these announcements to go into, and assign it to be visible only to you and your mods.
- Default Notification Settings: If your discord server is mostly for casual chat or dank memes it would seem more reasonable to set this to only @mentions so people aren’t overwhelmed with pinging sounds. However if your discord is for collaboration or announcements requiring people to be aware of activity, then you should leave it at the default and let your users customize it to their own taste. Colleagues can’t collaborate if they are unaware of what’s happening.
Moderation:
- Verification Level should be set to a minimum of Low. There is no reason to ever have it set to None. This will provide basic protection as it is highly unlikely a hostile user would verify an email address for every bot account they create.
- Increasing the level to Medium will help counteract any newly created discord accounts.
- If your server is set up so a role does not have to be assigned before new users can post, you may wish to enforce the table flip level to prevent hostile spammers.
- Explicit Content Filter: If your discord is configured so new users do not need a role assigned to them before they can post, enforce scanning messages from members who do not have a role assigned to them.
How to Effectively Use Roles
By default only the creator/owner of a discord server can enforce the rules by banning and deleting offending messages. It is highly recommended to lock down the everyone role, and create a role so you can have moderators to enforce security in your server. After you lock down the everyone role, create a new separate role to put your vetted users in. New people come in with the secured everyone role and can’t do anything until authorized by you (the owner) or a mod.
In computer science “the principle of least privilege” states that users should be granted the least amount of access to a system needed to accomplish what they need to do. With that in mind, these changes should be made:
Everyone Role:
If you are going to have a vetted role for a server, lock down every permission for @everyone except Send Messages and Read Message History. The only thing that they need to do is let you know that they are there.
Otherwise these minimum restrictions should be followed:
- Revoke “Create Instant Invite” as malicious people can use this to create new links for more bots or hostile users to enter. This might make sharing your discord less convenient, especially if the instant invite you’ve created isn’t well advertised.
- Revoke TTS Messages. Text to speech is one of the easiest and most visible means to exploit by malicious users. If you so choose to allow people to use TTS, create a separate user role granting these privileges.
- Revoke Attach Files/Embed Links: another easy way for malicious users to spread offensive material, as with TTS this should be assigned to a separate role.
- Revoke Mention Everyone: This one can even be used accidentally to annoy others. Reserve this for a higher role as with TTS.
User Role:
Create a new role with a cute name related to the theme of your discord where you can put verified users who you know won’t abuse your server. Then grant the permissions you feel are appropriate. In general though, regular users should NOT have the following permissions:
- Mention @everyone, which pings everyone in the server whether on or offline
- Create Instant Invite
- /TTS. Even your friends will abuse this from time to time, especially if you are a streamer 🙂
Moderator Role:
Your mods/admins are here to support you, the owner, and enforce policy on your behalf. However they can’t do that until they are granted sufficient privileges to do so. Choose your staff with care obviously, as they will have extensive access to your server and if they go rogue they can do damage. I would recommend choosing your staff based on qualifications rather than who’s your BFF. Admins should know how to use all of Discord’s settings without having to ask you first, otherwise they’re not going to be of any use to you in an emergency.
It’s important that the mod/admin role appears first on the list of roles (drag and drop to reorder them). Grant the following permissions to a separate admin/mod role and then assign specific trusted users to it:
General Permissions
- View Audit Log
- Kick Members
- Ban members
- Create Instant Invite
Text Permissions
- Send TTS Messages (optional, handy for announcements)
- Manage Messages
- Mention Everyone (again handy for announcements)
Voice Permissions
- Mute Members
- Deafen Members
- Move Members
- Priority Speaker
Admin Role
There are some optional permissions you may wish to grant to only specific admins, in which case you’d want a separate admin role vs a moderator role. These additional, optional privileges are:
- Manage Roles
- Manage Channels
- Manage Server
- Administrator (WARNING: this permission will give a user nearly the same access as you, be EXTREMELY careful with who you give this to! E.g. they have the authorization to delete your entire server with this permission)
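An added example (not part of the original manual): a Python check that reads role objects in the shape Discord's API returns them and flags the permissions the Everyone, User and Admin Role sections above say to withhold. The server id, role names and bitfields in the sample are constructed; the bit values are Discord's documented permission flags.

```python
# Bit values are Discord's documented permission flags.
PERMS = {
    "Create Instant Invite": 1 << 0,
    "Administrator": 1 << 3,
    "Send TTS Messages": 1 << 12,
    "Embed Links": 1 << 14,
    "Attach Files": 1 << 15,
    "Mention Everyone": 1 << 17,
}
# What the manual says to revoke from @everyone and from the vetted user role.
EVERYONE_DENY = ["Create Instant Invite", "Send TTS Messages", "Embed Links",
                 "Attach Files", "Mention Everyone"]
USER_DENY = ["Mention Everyone", "Create Instant Invite", "Send TTS Messages"]

def audit_roles(roles, guild_id, user_roles=(), admin_roles=()):
    """Return a sorted list of (role name, permission) findings."""
    findings = []
    for role in roles:
        name = role["name"]
        bits = int(role["permissions"])  # the API sends the bitfield as a string
        if role["id"] == guild_id:       # @everyone has the same id as the server
            deny = EVERYONE_DENY
        elif name in user_roles:
            deny = USER_DENY
        else:
            deny = []
        findings += [(name, p) for p in deny if bits & PERMS[p]]
        # Administrator implies every other permission, so report it on any
        # role that was not deliberately set up as the admin role.
        if bits & PERMS["Administrator"] and name not in admin_roles:
            findings.append((name, "Administrator"))
    return sorted(findings)

# Constructed sample data (hypothetical server id, role names and bitfields).
SAMPLE_GUILD_ID = "100"
SAMPLE_ROLES = [
    {"id": "100", "name": "@everyone",
     "permissions": str(1 << 0 | 1 << 10 | 1 << 11 | 1 << 12 | 1 << 16)},
    {"id": "101", "name": "Floofs",
     "permissions": str(1 << 10 | 1 << 11 | 1 << 14 | 1 << 15 | 1 << 17)},
    {"id": "102", "name": "Mods",
     "permissions": str(1 << 1 | 1 << 2 | 1 << 7 | 1 << 13 | 1 << 17)},
    {"id": "103", "name": "Helper", "permissions": str(1 << 3)},
]

if __name__ == "__main__":
    for name, perm in audit_roles(SAMPLE_ROLES, SAMPLE_GUILD_ID,
                                  user_roles={"Floofs"}, admin_roles={"Admins"}):
        print(f"{name}: revoke {perm}")
```

Pass the names of your own vetted-user and admin roles; any other role is only checked for a stray Administrator grant.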
TODO: (using a bot to assign roles for you)
Other Best Practices
Bots
Bots exist to serve as automation tools. As your discord server grows it will become impractical for even a big moderation team to watch over it 24/7 through all the channels you will have set up. So, bare minimum, you need a good moderation bot.
Bots can be set up to automatically delete posts with offensive words/phrases in them, ban people who upload .exe files, or links to other discord servers. Their capabilities vary, consult their documentation on how to set them up. This list is merely suggestions.
Regarding cutesy bots: It’s against best practice to use a bot that proudly and obnoxiously announces a user has “leveled up” after posting so many times in your discord server. Nobody likes them. It clutters up conversations. It’s bloody annoying. DON’T USE THEM.
TODO: (balancing how many channels you have)
Channel Structure
It is fortunate that discord allows you to group together channels in collapsible menus. It is best practice to do so, at the very least to make it easy for people to find where to post things. Common Sections might be:
- Administration
  - Channels for the system log
  - A space for your admins to talk privately about server concerns
  - Bot logs
  - Other under the hood things your users don’t need to see
- Welcome Section
  - Landing Zone/ Welcome Mat
  - Rules
  - “About Us”
TODO: (managing NSFW and underage users)
Users – Defending Yourself
- Disable TTS, there’s rarely a good reason to have this enabled, especially since most don’t have it protected. UNCHECK:
  - Settings->Text & Images->Allow playback and usage of /tts command.
- Suffering from Notification Spam? Right click on the server and select Only @messages
  - You can override specific channels, like announcements, by selecting it in the box below and checking the “All” box to get alerts for every message.
Acknowledgements
Special thanks to the following people for their contributions to this manual:
- ruggbean#0213 – Moderator for The Animal House, a furry charity stream run by VinceWuff
- Nibbles#0859 – Moderator for furry streamer WhiskeyDing0
- Tonytins#1198 – Owner of the Fennec Retreat Discord Server
This manual was written by Stefen Auris and last updated on 4/29/2020