HOLIDAY OFFER: Get the gift of up to $70 of Bitcoin. While supplies last!

Shop now

Up your Web3 game

Ledger Academy Quests

  • Test your knowledge
  • Earn POK NFTs
Play now See all quests

The Classroom

PATHWAY K) Launch a Crypto Project Securely: Wallets, Socials, and Protecting Your People

chapter 3/5

Setting Up Your Crypto Project’s Discord Server Securely

Read 8 min
Beginner
KEY TAKEAWAYS:
— Discord is a key platform in the crypto ecosystem for building digital communities.

— Discord’s popularity makes it a target for bad actors.

— Discord Servers without proper security setup and rules are vulnerable to malicious attacks.
— This article will dive into the details of Discord, exploring how to manage roles, permissions, verification methods, and security bots.

Ever thought about launching your own web3 community? Join Ledger Academy and Boring Security in this series, exploring all the things you need to know to launch a token, platform, or DAO securely. Make sure you take the Ledger Quest to prove your knowledge at the end of the module!

This is the third article in the series, so if you missed them, you can find parts one and two here.

Discord is a popular communication platform originally designed for gaming communities but is now a prominent communication platform within the Web3 ecosystem.  Discord supports text, voice, video, and other forms of communication and has been adopted as an unofficial hub for interaction outside conventional platforms such as  X(Twitter).  Discord can integrate with a wide array of Web3-centric 3rd party bots with features such as; token-gated channels, real-time checking of blockchain gas fees, tracking floor prices of NFT collections, and much more.  It is a great way for founders and team members to directly communicate with the community about upcoming announcements, mints, and important news.

However, Discord’s pivotal role as a communication hub renders it susceptible as a prime target for malicious actors to compromise/exploit. Without proper security protections in place, bad actors can use your Discord server for their nefarious means. So what does it take to set up and manage a secure Discord server? 

Let’s take a look.

How to Set up your Discord securely

Setting up a Discord server may seem straightforward, but ensuring its security can be daunting. Often, server owners overlook security measures due to the perceived complexity, particularly when the server is new and user numbers are low. As servers grow rapidly, security concerns can take a backseat, leaving them vulnerable to exploitation. Channel permissions, role permissions, and leveraging built-in Discord security features are crucial elements often neglected.

How to Set up Secure Discord Channels 

When embarking on the journey of setting up a Discord server, simplicity is key to ensuring manageability and scalability as your community flourishes. A recommended guideline involves maintaining a maximum of around 5 channels, and 8 roles; only installing or setting up necessary bots initially. This streamlined approach lays a strong foundation for growth while minimizing complexity.

Setting up secure Discord channels also involves assigning the appropriate permissions. This ensures that only the right roles have access. It’s worth noting that channels synced to a category inherit its permissions, underscoring the importance of configuring permissions thoughtfully. By hovering over the channel gear icon, you can easily access and edit channel or category permissions to tailor them to your community’s needs.

Understanding Discord Roles and Permissions

In the realm of Discord, roles serve as convenient labels that can be shared among multiple users, simplifying the process of assigning permissions within channels or categories. Opting to configure permissions based on roles streamlines the setup process and establishes clear user flows. By assigning roles to users, they automatically inherit the permissions associated with those roles. However, it’s crucial to adhere to the principle of least privilege, granting users only the minimum permissions necessary. This practice is paramount for security, as it prevents unauthorized access and mitigates potential risks posed by overly permissive permissions. By implementing least privilege principles, Discord communities can ensure a secure and well-organized environment for all members.  Boring Security has a detailed article that dives deeper into the configuration of roles and permissions:  Securely Set Up a Discord Server.

What are Discord Roles?

Discord roles are groups you can sort your discord server members into that determine their appearance and privileges through your discord server.  Discord roles can be customized by color and name. Certain roles can perform certain actions in your server; such as sending embedded messages or being a moderator for other roles.

What are Discord Permissions?

Permissions within a Discord server serve as a mechanism for allocating and restricting specific abilities to users. These permissions are customizable at various levels, including Server, Category, Channel, or User, encompassing a comprehensive range of over 20+ permissions. A thorough understanding of each permission is paramount to ensuring precise configuration.

Different Types of Discord Permissions

The hierarchical arrangement of permissions and overrides within Discord plays a pivotal role in achieving optimal configuration and security for your server. Understanding the order of role permissions is essential, as it dictates the precedence of permission settings. Server-level permissions serve as the baseline, followed by any overrides at the category level, and culminating in overrides specific to individual channels. By comprehensively exploring the functionalities of each permission, we aim to provide you with a thorough understanding to effectively navigate and configure your Discord server. Below are permissions that are commonly misconfigured and can pose significant risks when assigned.

Administrator

Exercise caution when assigning this permission to roles, as it grants full control over all permissions within the Discord server. While some bots may require this role for specific functions, it is generally unnecessary. Refer to the bot’s documentation to ensure it only requests essential permissions following least privilege, mitigating potential security risks.

Manage Webhooks

Exercise discretion when assigning a role to manage webhooks, as it should be reserved for specific use cases, such as automating custom feeds from external sources to designated Discord channels.

Manage Roles

This permission is primarily required by verification and role assignment bots. However, if obtained by a malicious actor, it could lead to the escalation of permissions for other accounts and roles.

Manage Server

Granting this permission enables users to add bots, modify the vanity URL, and adjust auto-mod rules within the Discord server. However, its usage should be limited due to its potential to impede proper moderation.

Mention @everyone, @here, and All Roles 

This permission is utilized by security bots employing a 2FA method to temporarily grant permissions for making announcements. Restricting access to this permission prevents users from disseminating erroneous notifications for announcements, spamming, or sharing malicious links across the Discord server.

Kick, Ban, Timeout Members

Exercise caution when granting these permissions, as they can be exploited by a compromised account to ban moderators or server members. If the compromised account is the sole remaining moderator, it can lead to a hostile takeover of the Discord server, potentially resulting in the dissemination of harmful links.

Private Threads 

Exercise caution when assigning these permissions to roles, as they can facilitate the creation of private threads for sharing malicious content with other community members, effectively circumventing moderation oversight.

These permissions listed above are not exhaustive but rather highlight those that are commonly misconfigured and pose potential risks within Discord servers. You can find a full list of permissions in Discord on the Discord support website.

Of course, Discord is still evolving, releasing new features and updates all the time. To ensure your server’s security, you’ll want to stay abreast of changes, which you can track via ChangeLog. Additionally, comprehensive insights into setting up secure permissions for Servers, Categories, and Channels can be found in resources such as the guide provided by Boring Security: Securely Set Up a Discord Server.

Using Discord’s In-built Security Features

Discord offers a range of security enforcement settings. You can explore the security features in the app yourself, but the following are important to know.

Raid Protection and CAPTCHA

Discord’s Raid Protection system utilizes machine learning to detect and prevent join-raids, where bot armies attempt to overwhelm your server. Activate Raid Protection alerts to receive notifications when a raid is detected. Upon detection, automated actions are taken, including sending alerts to a designated channel and implementing CAPTCHA verification for new joiners within the following hour to deter raiders. To enable these features, navigate to Server Settings > Safety Setup > Raid Protection and Captcha, and activate all relevant settings to prompt users for CAPTCHA verification when performing actions as new users.

DM and Spam Protection 

The DM and Spam Protection settings are designed to ensure that users joining your server adhere to the rules and meet a minimum verification level. Additionally, these settings help filter out direct message spam and display a warning to users when visiting external links. Enable all settings and set the verification level to at least medium, considering higher levels for servers with larger user counts.

AutoMod 

Discord’s AutoMod offers a robust content filtering system to streamline moderation and ease moderator workload. Configurable Keyword Filters automatically detect and block messages containing harmful words or phrases. Additionally, machine learning-powered filters are being developed to detect and block harmful messages, including malware links. Enabling AutoMod and configuring custom keywords for each setting is recommended to leverage Discord’s embedded security features.

2FA

Enabling Two-Factor Authentication (2FA) is strongly advised to enhance security. Enabling this setting forces Discord to require moderators and above to set up 2FA on their accounts, mitigating the risk of compromises. It’s recommended to use an authenticator app for 2FA rather than SMS for added security.

Vanity URLs

Discord provides the option to create a vanity URL for your server, offering a distinct non-expiring custom Discord invite link, such as ‘discord[.]gg/BusinessName’ versus ‘discord[.]gg/HsSfAw’. However, unlocking this feature and others requires boosting your server to level 3 using Discord Nitro.

Discord Security Best Practices: The Extra Step it takes to stay secure

While this article serves as an excellent initial guide to securing your Discord server, there are additional configurations to consider that we will cover below. These measures further bolster your server’s defenses against common attack vectors frequently exploited by bad actors within the web3 ecosystem.

Set up a Cold Admin Owner

A “Cold Admin Owner” refers to a Discord account exclusively dedicated to owning the Discord server. This account and its associated device are reserved solely for this purpose. By transferring server ownership to an account not routinely used, the risk of granting control to a bad actor is significantly reduced.

Set up logging channels

Establishing dedicated channels for detailed logging by security bots and Automod is essential for comprehensively tracking all changes and actions within the server, ensuring an organized and simplified approach. These logs provide a comprehensive record of activities, enhancing clarity and organization within your Discord server. This practice is highly recommended in conjunction with utilizing audit logs, further augmenting the effectiveness of your server’s logging system.

Set up a Verification Method

Effective entry control is vital to minimize bot floods and impersonation attempts in your Discord server. verification bots like Wick, Pandez Guard, or Server Supervisor can help implement preventative measures. Avoid verification methods that redirect users outside of Discord or use QR codes, as scammers frequently exploit these methods to steal login information. Opt for numerical, text-based, or combined captcha challenges integrated within the Discord channel interface for a secure verification approach. Note that while verification using Reaction Roles is an option, it is less secure than captcha verification methods in preventing bot raids.

Set up security Bots

Various third-party Discord bots offer valuable security and protection features, facilitating automated moderation for your server. In the sections below, we’ll explore different categories of security bots and highlight popular options for each category.

Anti-Impersonation Bots: Set up custom rules to prevent other users from joining using the same username and PFP to impersonate you or other important members of the server. A popular bot in this category is Wick Bot.

Anti-Raid Bots: to prevent spam bots from joining your server all at once, an attack known as raiding, you can also set up bots with particular rules. Beemo is a good example of a bot in this category.

Anti-Nuke Bots: This is a monitoring system to observe and note any changes (spontaneous or planned) that take place in your discord server. Some key observation markers are channel and role creation/deletions, banning or kicking members, and webhook creation/deletion.

Moderation & Link Whitelisting Bots: Only allows approved links to be used in the discord server. A popular bot in this category is Goodknight Bot.

The bots above are not all-inclusive but rather a recommended list of bots to help protect your Discord server in these categories.

Get your Server Audited By a Professional

Obtaining a Discord security audit is strongly recommended to receive professional recommendations for maximizing your server’s security. Selecting a competent Discord security auditor is crucial in ensuring the integrity of your server. Initiate the vetting process by seeking recommendations from previously audited Discord servers. It’s important to note that Discord audits are not free, which should be considered when arranging for an audit. 

Conclusion

Discord is an excellent platform for building and managing communities for businesses.  Leveraging web3 implementations within Discord can help foster a community and establish it as the primary community hub.  However, proactive prioritization of the Discord server security is extremely important.

Malicious actors often employ sophisticated tactics to deceive team members through social engineering, potentially compromising their accounts and potentially the entire server.  Server compromises in turn can lead to financial and reputational loss for the community.  These scenarios have detrimental effects on trust, brand, and overall community sentiment.

Taking proactive measures to ensure the proper permissions, channels, roles, categories, security bots, and configuration are as secure as possible is crucial. Every server should undergo a Discord security audit, even if you believe yours is well-protected.  An audit will significantly reduce the likelihood of a successful compromise by bad actors.

This article was written by NFT_Dreww for Boring Security. Follow him on X here, and check out Boring Security’s X account, Discord server, and official website for more information.

Finally, don’t miss the next article in the series where Intelligence on Chain dives into how to manage your crypto project’s wallets and treasuries. And, of course, test your knowledge via Ledger Quest!


Stay in touch

Announcements can be found in our blog. Press contact:
[email protected]

Subscribe to our
newsletter

New coins supported, blog updates and exclusive offers directly in your inbox


Your email address will only be used to send you our newsletter, as well as updates and offers. You can unsubscribe at any time using the link included in the newsletter.

Learn more about how we manage your data and your rights.