Discord
Discord server security spans account hygiene, role architecture, server hardening, and bot management — each covered in depth in the Discord Security Guide. Use this page to find the right section.
The community manager's role in security
A community manager is the primary public-facing operator of a project's Discord server. They control who gets access, which bots run, what permissions roles carry, and how the server responds when something goes wrong. In a Web3 context, that responsibility is significant: your server is often the first place users go to ask questions, verify information, and form their opinion of your project's legitimacy.
That visibility is also what makes the community manager one of the most targeted roles in the organisation. Attackers specifically pursue community manager accounts because a compromised account grants immediate access to a trusted, high-reach communication channel. A bad actor who takes control of your Discord can post malicious links to your entire community, impersonate your team to drain wallets, lock out your administrators, and permanently damage user trust, often within minutes.
Why following this guide is not optional
Most Discord compromises do not happen because of sophisticated zero-day exploits. They happen because of predictable, preventable failures: reused passwords, SMS-based 2FA, over-permissioned bots, and admin accounts used for everyday activity. The controls in this guide exist specifically because these attack patterns repeat across projects at scale.
As a community manager you are a custodian of user trust. Members follow links you post, believe announcements you make, and act on guidance your account sends. That trust is the attack surface. Hardening your account and your server configuration is not a technical exercise, it is a direct obligation to the people in your community.
What's at stake if you don't
| Risk | Consequence |
|---|---|
| Account takeover | Attacker posts phishing links to your entire member base from a trusted account |
| Admin privilege abuse | Compromised admin role used to add malicious bots, wipe channels, or ban legitimate team members |
| Bot or webhook hijack | Automated announcements replaced with scam content; hard to detect and revoke quickly |
| Impersonation | Lookalike accounts exploit gaps in anti-impersonation rules to social-engineer users at scale |
| Raid or coordinated attack | Unprotected servers can be flooded with spam or illegal content, triggering platform action against your server |
| Reputational damage | Even brief compromise events are publicly visible, screenshot, and shared; recovery of community trust is slow |
The controls in this guide address each of these directly. None of them require advanced technical skills. All of them take significantly less time to implement than a compromise takes to recover from.
What the guide covers
The guide is structured by privilege level, so find your role and start there.
| Audience | What it covers |
|---|---|
| All team members | DM spam filtering, authorized app review, connected device audit |
| Moderators | Reading your role permissions, understanding AutoMod rule scope |
| Administrators | Role architecture, Cold Admin setup, verification levels, raid protection, bot vetting, anti-impersonation, integration security |
Topic index
| Topic | Summary | Guide section |
|---|---|---|
| Role permissions | Restrict Administrator, Manage Webhooks, Manage Server, Manage Roles, and Manage Channels to the minimum required roles | Role permissions → |
| Cold Admin account | A dedicated owner account on a factory-reset device, used only for major changes and incident recovery | Cold Admin → |
| Verification level | Set to at least Medium (5+ minutes on Discord) — Moderate recommended for public servers | Verification → |
| Raid protection | ML-based join-raid detection with auto-lockdown and CAPTCHA for new users | Raid protection → |
| AutoMod rules | Block spam, harmful links, mention spam, and impersonation keywords in usernames | AutoMod → |
| Anti-impersonation | Custom rules blocking lookalike usernames and profile pictures; bots like Wick | Anti-impersonation → |
| Bot & integration security | Apply least privilege to bots; restrict command permissions; audit webhooks | Integrations → |
Spotted an error or have ideas to enhance this content? Your contributions are valuable to us.
For a comprehensive guide on securing your Discord server, see the Discord Security Guide.