Overview
Discord is one of the most popular platforms for communication and collaboration. Many of our students and faculty use Discord to connect, share ideas, and hold real-time conversations. This guide covers a range of best practices to help you keep your accounts and servers safe and secure. Many of Rensselaer's communities have fallen victim to cyber-attacks and threats, so this guide establishes specific recommendations for protecting our campus community.
This document covers the personal security that every member with a Discord account should practice and the server security practices that the club webmaster or IT specialist should follow. It also describes Discord features a club can enable on its server to improve security. Finally, it discusses the common malicious links, user activity, and actions seen on Discord, along with how to prevent and stop them. This document does not cover every detail of server security, but following the guidelines here should reduce the chance of a malicious actor performing unwanted actions in your server.
Details
Personal Security
Password Security
An easy way to protect your account is to use strong passwords.
Secure Passwords
Create a long password with mixed-case letters, numbers, and special characters. We recommend creating one 16 characters or longer.
You can make a random string of characters. For example:
- 6)O7Bk=3Akg\=;2Zvu
- uuY0%A+S?c6u*Vds!Q4B
- mvF46g%swVR56sk8ds#g
You can also create a memorable phrase of unrelated words. For example:
- pRiDeWidenpileOrGaniCStain
- pRiDe6$Wden@!pileOrG12aniCStain (Better)
You should NOT use common passwords, or build a password around one. For example:
- 123456
- qwerty
- password
- password123
You should NOT include personally identifiable information (PII). For example:
- SSN
- Driver's license number
- Taxpayer identification number
- Patient identification number
- Financial account
- Personal address
- Phone number
You should use a different strong password for each account. Don't reuse passwords.
Remembering all these passwords is difficult and we recommend using a password manager.
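As an added illustration (not part of the original guide), the following Python script checks a candidate password against the rules above: minimum length, no common passwords, no personal information, and a rough entropy estimate. The denylist and the PII values are constructed for the example; a real check would use a large breached-password list.

```python
import math
import re
from typing import Iterable, List

# Constructed denylist for illustration; a real check uses a large breached-password list.
COMMON_PASSWORDS = ("password", "123456", "qwerty", "letmein", "welcome")


def estimate_entropy_bits(password: str) -> float:
    """Rough strength estimate: log2(size of the character classes used) per character.

    This over-estimates dictionary phrases, so treat it as a floor check, not a guarantee.
    """
    alphabet = 0
    if re.search(r"[a-z]", password):
        alphabet += 26
    if re.search(r"[A-Z]", password):
        alphabet += 26
    if re.search(r"[0-9]", password):
        alphabet += 10
    if re.search(r"[^A-Za-z0-9]", password):
        alphabet += 33  # printable ASCII punctuation
    return len(password) * math.log2(alphabet) if alphabet else 0.0


def check_password(password: str, pii: Iterable[str] = ()) -> List[str]:
    """Return the policy violations for a candidate password (empty list = accepted).

    `pii` is the user's own data (phone number, address, ID numbers) that must not
    appear in the password. It is compared case-insensitively and also digits-only,
    so that 518-276-6000 is still caught when typed as 5182766000.
    """
    problems = []
    lowered = password.lower()
    if len(password) < 16:
        problems.append("shorter than 16 characters")
    for common in COMMON_PASSWORDS:
        if common in lowered:
            problems.append(f"contains common password '{common}'")
    password_digits = re.sub(r"\D", "", password)
    for item in pii:
        item_digits = re.sub(r"\D", "", item)
        if item.lower() in lowered:
            problems.append(f"contains personal information '{item}'")
        elif len(item_digits) >= 4 and item_digits in password_digits:
            problems.append(f"contains digits of personal information '{item}'")
    if estimate_entropy_bits(password) < 60:
        problems.append("estimated entropy below 60 bits")
    return problems


if __name__ == "__main__":
    # The two accepted examples are the guide's own sample passwords.
    for candidate in ("password123", "6)O7Bk=3Akg\\=;2Zvu", "pRiDeWidenpileOrGaniCStain"):
        print(candidate, "->", check_password(candidate) or "OK")
```

The entropy estimate is deliberately crude: it only tells you a password is too short or too uniform, never that it is safe, which is why the denylist and PII checks run as well.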
Password Manager
A password manager is a program that stores all of your passwords in an encrypted vault. Remembering long, random, unique passwords for every account is close to impossible, so let the manager do it: it can generate strong passwords, warn you when a password is weak or reused across sites, and autofill your logins so you never have to type them.
Usually, you only need to remember one strong password, the master password for the manager itself. There are many password managers to choose from, so compare options and pick one that fits you.
Recommendations from Discord: 1Password (Mac) or Dashlane (Windows)
Other free options: KeePass, Bitwarden, NordPass, Norton etc.
Multi-factor Authentication (MFA)
Multi-factor authentication adds an extra layer of security to your Discord account. With MFA enabled, you must present two or more authenticators to prove your identity before you are granted access. Users with MFA are far less likely to be compromised, because if one factor (such as the password) is stolen, the attacker still needs the second factor to get in.
When using Discord, there are three options: an authenticator app, SMS (available as a backup once an authenticator app is enabled), and security keys.
Authenticator App
With an authenticator app, you add Discord's secret key to an app on your phone (or to your password manager) by scanning the QR code or typing the key in manually. From then on the app generates a new six-digit code every 30 seconds, and you log in with your password plus the current code. The code is derived from the shared secret and the current time, which is why your phone's clock must be roughly correct.
If you lose your phone or access to the app, you can use a backup code to get back into the account. Backup codes are one-time codes Discord gives you when you turn on MFA. They are an account recovery mechanism, so treat them like passwords: store them somewhere secret and well protected, and not on the same phone they are meant to back up.
SMS/Texts
This method sends a code to your phone by text message, which you enter in addition to your credentials. It is very common, but Discord recommends an authenticator app instead.
Again, losing your phone is a problem. Attackers have also intercepted text messages and convinced phone carriers to move a victim's number to a SIM they control (SIM swapping), so be cautious with this method of MFA.
Security Keys
Security keys let you log in with a passkey: a cryptographic key pair that lives on your device or on a hardware security key and is unlocked with Windows Hello, Face ID, or Touch ID. When you register a passkey for Discord, the private key never leaves the device; the biometric only unlocks it locally, and the device then signs a challenge from Discord. You then log in with your credentials and the biometric prompt. Because there is no code to type, there is nothing for a phishing page to capture.
Privacy and Safety Settings
Your settings give you control over who can contact you and what they can send you. By adjusting them, you avoid content you don't want to see and cut down on spam and unwanted sensitive media.
Explicit Image Filter
You can filter out explicit images from personal DMs. You can choose to "Filter all direct messages" so all messages with explicit imagery will be blurred out.
DM Settings
You can filter out spam from personal DMs. You can choose to "Filter all direct messages" so that all DMs will be filtered for spam. Any messages that contain spam will automatically be sent to a separate spam inbox.
You may also only want certain people to be able to DM you. By default, anyone who has a shared server with you may send you a DM. You may change this setting to block DMs from users in a server who aren't friends with you.
Friend Request Settings
In your settings you can determine who may send you friend requests: "Everyone", "Friends of Friends", and "Server Members". If you don't want to receive any friend requests, deselect all of them.
You should only accept friend requests from people that you know and trust.
Cache & Cookies
If you use Discord in a web browser instead of the app, the site stores data about you in cookies and the browser cache. There are two ways to control this. The first is to disable unnecessary cookies in the browser's settings (you must do this for each browser you use). The second is to clear the cache and cookies. Clearing them removes the temporary data the browser has stored, including session data, so there is less for an attacker to take if the browser profile is compromised.
If you use the desktop app, the same kind of data lives in a cache folder on your machine, which you can delete with File Explorer.
Discord has no built-in button for clearing either the browser data or the app cache, so you have to do it manually. You can find a guide on how to clear cache and cookies in the Skill Sheet section.
Good Habits
Besides knowing how to create a strong password, you should also have a good habit of maintaining the secrecy of your password.
Good habits to keep your password secure include, but are not limited to:
- Reset if you think it's been compromised (like after using a public computer)
- Keep it secret! Don't share it with friends, roommates, or even your family.
- Don't let your web browser remember passwords; use a password manager instead
- Never leave your computer unlocked or unattended
- Don't recycle passwords
Server Security
Server security is crucial to keeping your organization and its users safe from malicious actors. It becomes more important as the server grows and fewer of the members are people you know personally. Potential threats include users who join with bad intent, alienated club members who may seek revenge, alumni who still hold admin privileges, or members of your e-board whose accounts have been compromised. The following are basic server security tools you can use to keep your activities safe.
Authentication and Authorization
Authentication describes the process of verifying the identity of a user or service. Authorization determines a user's access rights and permissions. Users should be authenticated before being allowed to interact with the rest of your community and only select users should be authorized to perform certain actions. This reduces the risk of having a malicious user within your community and performing actions to damage either your server structure, integrity, or security.
Server Invite Links
One way to control who gets into your server is to manage your invite links. In your server settings under "Invites", you can see who created each invite, what its code is, and how many people have used it. Under "Members", you can view the code each member used to join. You can also see when a code was created under "Audit Log".
Only invite people you know and trust. Restrict the Create Invite permission to admins so that every invite can be traced back to the person who created it if a member turns out to be malicious or should not be in the server.
We recommend that RPI clubs send invite links only to specific members or, if a public link is needed, post it only in official RPI Discords where users must already have verified that they are a student, faculty member, or alum.
Verification Levels
Verification Levels are the levels of security a member of the server must meet before they are allowed to send text messages in a channel. This is mainly to protect servers from being bombarded by spam or bots especially if you have a public invite link or something of that sort.
There are 5 different levels of verification
- None: anyone who enters may chat immediately
- Low: the user must have a verified email
- Medium: Low + registered user for 5 minutes
- High: Medium + must be a server member for more than 10 minutes
- Highest: High + the user must have a verified phone number
We recommend setting your server to Highest, so that everyone who can send a message has a verified email and phone number. Keep in mind that verification levels apply only to members who hold no role; a member who has been given any role bypasses the check, so don't hand out roles automatically on join. You can find the steps for setting the verification level in the Skill Sheets.
For RPI Community Discord Servers, We recommend setting up a verification system where ONLY RPI students can join. This can be through RPI's Sign-On System.
Moderation
Role Management
Roles let you categorize members and control their permissions. This matters because members with specific jobs may need access to more settings, controls, or channels to do those jobs. For example, members holding higher positions in the club may want private channels, and the webmaster may need permission to kick inactive members.
We recommend giving users only the permissions they need to do their job (least privilege). For example, users who just joined the club should only be able to read, send, and react to messages. As they take on more roles and responsibilities, they can be trusted to see certain channels, change certain settings, or add emojis and stickers. Just as important, remove those permissions as soon as they are no longer needed: members who graduate, leave, or are removed from the club should immediately lose their administrative permissions or be removed from the server entirely.
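Added example, not a Discord tool: a Python audit over a constructed export of roles and members that computes each member's server-level permissions the way Discord does (the @everyone permissions OR-ed with every role held, with ADMINISTRATOR implying everything) and flags members who hold privileged permissions their status no longer justifies. The permission bit values are the ones documented in the Discord API reference; the role names, members and statuses are made up for the example, and channel-level overwrites are ignored.

```python
from typing import Dict, List

# Permission bit flags as documented in the Discord API reference (permissions bitfield).
CREATE_INSTANT_INVITE = 1 << 0
KICK_MEMBERS = 1 << 1
BAN_MEMBERS = 1 << 2
ADMINISTRATOR = 1 << 3
MANAGE_CHANNELS = 1 << 4
MANAGE_GUILD = 1 << 5
ADD_REACTIONS = 1 << 6
VIEW_CHANNEL = 1 << 10
SEND_MESSAGES = 1 << 11
MANAGE_MESSAGES = 1 << 13
MANAGE_ROLES = 1 << 28
MANAGE_WEBHOOKS = 1 << 29

# Permissions that let a member change server structure, membership or other members' access.
PRIVILEGED = {
    "KICK_MEMBERS": KICK_MEMBERS,
    "BAN_MEMBERS": BAN_MEMBERS,
    "MANAGE_CHANNELS": MANAGE_CHANNELS,
    "MANAGE_GUILD": MANAGE_GUILD,
    "MANAGE_MESSAGES": MANAGE_MESSAGES,
    "MANAGE_ROLES": MANAGE_ROLES,
    "MANAGE_WEBHOOKS": MANAGE_WEBHOOKS,
}

# Constructed sample export of a club server: role -> permission bits, member -> roles.
ROLES: Dict[str, int] = {
    "@everyone": VIEW_CHANNEL | SEND_MESSAGES | ADD_REACTIONS,
    "Member": CREATE_INSTANT_INVITE,
    "Officer": MANAGE_MESSAGES | KICK_MEMBERS,
    "Webmaster": ADMINISTRATOR,
    "Alumni": MANAGE_GUILD | MANAGE_ROLES,  # a legacy role that kept far too much power
}
MEMBERS = [
    {"name": "alice", "roles": ["Member"], "status": "active"},
    {"name": "bob", "roles": ["Member", "Officer"], "status": "active"},
    {"name": "carol", "roles": ["Member", "Alumni"], "status": "graduated"},
    {"name": "dave", "roles": ["Webmaster"], "status": "graduated"},
]


def effective_permissions(member_roles: List[str], roles: Dict[str, int] = ROLES) -> int:
    """Server-level permissions as Discord computes them: @everyone OR-ed with every
    role the member holds. Channel overwrites are ignored in this example."""
    perms = roles["@everyone"]
    for role in member_roles:
        perms |= roles[role]
    return perms


def privileged_names(perms: int) -> List[str]:
    """Names of the privileged bits set; ADMINISTRATOR short-circuits because it implies all."""
    if perms & ADMINISTRATOR:
        return ["ADMINISTRATOR"]
    return [name for name, bit in PRIVILEGED.items() if perms & bit]


def audit(members=MEMBERS, roles: Dict[str, int] = ROLES) -> List[dict]:
    """Flag members whose effective permissions exceed what their status justifies."""
    findings = []
    for m in members:
        held = privileged_names(effective_permissions(m["roles"], roles))
        if not held:
            continue
        if m["status"] != "active":
            findings.append({"member": m["name"], "held": held,
                             "reason": "inactive member retains privileged permissions"})
        elif "ADMINISTRATOR" in held:
            findings.append({"member": m["name"], "held": held,
                             "reason": "ADMINISTRATOR granted; confirm it is still required"})
    return findings


if __name__ == "__main__":
    for finding in audit():
        print(f"{finding['member']}: {finding['reason']} ({', '.join(finding['held'])})")
```

Run against a real export (for example from a bot with the members intent), the same loop produces the list of people to strip roles from at the end of each semester.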
Security Actions
Security Actions are steps you can take when an incident occurs. You can pause invites so that no new member can join the server, and you can pause DMs between server members who are not friends. This helps stop a compromised account from posting or DMing phishing links and causing more damage.
Activity Alerts
Activity Alerts are alerts that appear on the top of your Discord to warn you about unusual/suspicious activity that is happening on your server. If you are offline, you will get a notification and this alert will allow admins and moderators to immediately know of problems and deal with them.
Bots
AutoMod
AutoMod is a built-in Discord system that applies content filters to your server. You can configure keyword filters, and AutoMod will automatically detect and block messages containing those words or phrases. You can also set it to block spam and harmful messages or links. When AutoMod blocks a message, it can send an alert to a channel you choose so moderators can review and report the message if necessary.
Commonly Flagged Words Categories are Sexual Content, Insults and Slurs, and Profanity.
Spam Filters can block invite spam, unsolicited messages, and advertisements.
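The following Python sketch is an added example of the logic behind a keyword and spam filter like AutoMod's, not Discord's own implementation: keywords match whole words unless they carry a leading or trailing '*' wildcard, invite links are checked against an allowlist of the club's own invite codes, and messages with too many mentions are flagged. The keyword list, the allowed invite code and the mention threshold are constructed for the example.

```python
import re
from typing import List, Tuple

# Constructed rule set. A '*' at the start or end of a keyword acts as a wildcard;
# without it the keyword must match a whole word, mirroring AutoMod's keyword rules.
KEYWORDS = ["free nitro", "*giveaway", "steam gift*"]
INVITE_RE = re.compile(
    r"(?:https?://)?(?:www\.)?(?:discord\.gg|discord(?:app)?\.com/invite)/([\w-]+)", re.I
)
ALLOWED_INVITE_CODES = {"rpi-club"}  # assumption: the club's own invite code(s)
MENTION_RE = re.compile(r"<@!?\d+>")  # raw form of a user mention in message content
MAX_MENTIONS = 5


def keyword_to_regex(keyword: str) -> "re.Pattern":
    """Translate a keyword with optional leading/trailing '*' into a word-bounded regex."""
    prefix_wild, suffix_wild = keyword.startswith("*"), keyword.endswith("*")
    core = re.escape(keyword.strip("*"))
    left = "" if prefix_wild else r"(?<!\w)"
    right = "" if suffix_wild else r"(?!\w)"
    return re.compile(left + core + right, re.I)


KEYWORD_PATTERNS = [(kw, keyword_to_regex(kw)) for kw in KEYWORDS]


def scan_message(content: str) -> List[Tuple[str, str]]:
    """Return (rule, detail) pairs for every rule the message trips; empty list = clean."""
    hits = []
    for keyword, pattern in KEYWORD_PATTERNS:
        if pattern.search(content):
            hits.append(("keyword", keyword))
    for match in INVITE_RE.finditer(content):
        code = match.group(1)
        if code not in ALLOWED_INVITE_CODES:
            hits.append(("invite", code))
    mentions = len(MENTION_RE.findall(content))
    if mentions > MAX_MENTIONS:
        hits.append(("mention_spam", str(mentions)))
    return hits


if __name__ == "__main__":
    # Constructed sample messages.
    for msg in ("Claim your FREE NITRO here discord.gg/xyz123",
                "Join us: https://discord.gg/rpi-club",
                "Mega-giveaway tonight!"):
        print(repr(msg), "->", scan_message(msg) or "clean")
```

A real moderation bot would block the message and post the hits to a mod-log channel; the point of the example is that invite links are matched by code, so the club's own invite passes while any other server's invite is caught.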
(RPI Bot name)
If you want to limit who can join to RPI students only, you can use the RPI custom-built bot (Bot name here), which verifies RPI students through their RPI credentials (RPI's Sign-On System).
Threats and Dangers
Phishing
Phishing happens when cyber attackers try to get you to open a harmful link, email, or attachment that could give up personal information or infect devices. These messages are designed to look like they come from a trusted person or organization.
Suspicious Links
The best protection against phishing is being able to spot it. Common signs are messages that create urgency, requests for personal or financial information, shortened or otherwise untrusted URLs, and sender addresses or links that don't quite match the real organization (a misspelled domain, for instance). Sometimes you can even pick out misspellings or poor grammar.
Think before you click. Do NOT click on links that look suspicious or are shortened. Discord warns you about questionable links with a pop-up asking whether you are sure you want to go to that link; treat that prompt as a last chance to read the address carefully.
You should not download files or applications from users you do not know or trust. If your browser or computer has flagged the file as potentially malicious, do not open it. If you weren't expecting a file, don't click on it.
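An added example (not from the original guide) of how those checks can be automated: a Python classifier that parses a link, unmasks the user@host trick, flags shorteners and punycode hosts, and compares the registered domain against Discord's official domains after normalizing common look-alike characters. The official-domain and shortener lists are assumptions for the example; a club that deploys something like this should maintain them.

```python
from typing import List, Tuple
from urllib.parse import urlparse

# Domains Discord itself uses; assumption: the club keeps this allowlist current.
OFFICIAL_DOMAINS = {"discord.com", "discord.gg", "discordapp.com", "discord.gift",
                    "discordstatus.com", "dis.gd"}
BRAND_LABELS = {d.split(".")[0] for d in OFFICIAL_DOMAINS if d != "dis.gd"}
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "is.gd", "cutt.ly", "rb.gy"}
# Characters commonly swapped in to imitate a brand name (0 for o, 1 for l, ...).
HOMOGLYPHS = str.maketrans("013578|", "olestbl")


def levenshtein(a: str, b: str) -> int:
    """Edit distance; 'dlscord' is one edit away from 'discord'."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registered_domain(host: str) -> str:
    """Last two labels. Simplification: no public-suffix list, so 'x.co.uk' is mishandled."""
    return ".".join(host.split(".")[-2:])


def classify_link(url: str) -> Tuple[str, List[str]]:
    """Return ('official' | 'suspicious' | 'unknown', reasons)."""
    if "://" not in url:
        url = "http://" + url
    parts = urlparse(url)
    host = (parts.hostname or "").lower().rstrip(".")
    reasons = []
    if parts.username is not None:  # https://discord.com@evil.example really goes to evil.example
        reasons.append("user@host trick: the real host is " + host)
    if any(label.startswith("xn--") for label in host.split(".")):
        reasons.append("punycode (internationalized) host")
    if host in SHORTENERS:
        reasons.append("URL shortener hides the destination")
    domain = registered_domain(host)
    if domain in OFFICIAL_DOMAINS and not reasons:
        return "official", []
    label = domain.split(".")[0].translate(HOMOGLYPHS)
    if label in BRAND_LABELS or any(levenshtein(label, b) <= 1 for b in BRAND_LABELS):
        if domain not in OFFICIAL_DOMAINS:
            reasons.append(f"lookalike of an official domain: {domain}")
    elif "discord" in host and domain not in OFFICIAL_DOMAINS:
        reasons.append(f"Discord's name used in an unofficial host: {host}")
    if parts.scheme == "http":
        reasons.append("plain http")
    return ("suspicious" if reasons else "unknown"), reasons


if __name__ == "__main__":
    # Constructed sample links.
    for link in ("https://discord.com/invite/rpi-club", "https://dlscord.gg/nitro",
                 "https://discord.com@evil.example/login", "https://bit.ly/3abc"):
        print(link, "->", classify_link(link))
```

"unknown" is not "safe": a link to a site the allowlist has never heard of still needs a human to decide whether it was expected.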
Next Steps
If you suspect phishing, report the phishing link to protect yourself and others. On Discord, select the message and right-click. Select Report Message.
Next, the Webmaster or IT Specialist should delete the message from the server and announce that the link is malicious so nobody else clicks it. Members who did click it should be told to change their password, confirm MFA is enabled, and watch their account for unusual activity over the following days.
Malicious Users
Malicious users are attackers who impersonate one of your friends, a server admin, or an official Discord account.
Download Scams
Some malicious users pretend to be one of your friends to get you to click a link or download a file that installs a malicious program on your computer or steals access to your account. They may also ask you to open your browser's developer tools and read out your token; with the token they can use your account without your password.
Discord will never ask for any of this information.
Never give away your Discord login or password information to anyone.
Never give away your Discord authentication token to anyone.
Never give away any account information to other users on any platform.
Giveaway Scams
Sometimes attackers pretend to be an admin of a server you are active on. They send a link that looks genuine, but the offer is usually too good to be true. Don't click on it.
Another common scam is the Nitro scam, where attackers ask you to scan a QR code to get free Nitro. The code is a Discord login code, and scanning and approving it signs their device into your account. Don't scan QR codes you did not request.
Attackers may also pretend to be official Discord accounts, offering community programs such as HypeSquad or Partnership. This is almost always fake. Official Discord accounts carry the "System" tag next to their name.
Next Steps
If you suspect any user to be malicious, report them. You can click on "Report Spam" or "Report User Profile".
Authorization Tokens
Discord issues a token to every logged-in user session and to every bot. The token is a bearer credential: whoever presents it to the Discord API is treated as that account, so it is effectively a password that stays valid for the life of the session.
Token Security
When you log in, Discord generates a token and the client stores it locally (in the browser's storage, or in the desktop app's data directory). Every API request carries the token to prove that it comes from your account. The token is not an encryption of your username and password; it is a separate credential that stays valid until Discord invalidates it, which happens when you change your password. You never type your token yourself, so when one is stolen it is usually through phishing, a "free Nitro" script pasted into the developer console, or malware that reads it out of the client's storage.
A stolen token lets an attacker skip the password and MFA entirely, so keeping it confidential is crucial.
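Because tokens leak through pasted screenshots, logs and scam messages, moderators and bot authors benefit from being able to recognise one. The following Python example is added here and is not part of the original guide; it relies only on the token's publicly known shape (three dot-separated base64url segments, the first of which encodes the numeric user ID) to find and redact token-shaped strings. The token it is tested against is constructed, not a real credential.

```python
import base64
import re
from typing import List, Optional, Tuple

# A Discord user token is three base64url segments joined by dots; the first segment
# is the base64 encoding of the account's numeric user ID (a 17-20 digit snowflake).
TOKEN_RE = re.compile(r"(?<![\w-])([\w-]{20,})\.([\w-]{5,})\.([\w-]{20,})(?![\w-])")


def decode_user_id(segment: str) -> Optional[str]:
    """Decode a token's first segment; return the user ID if it looks like a snowflake."""
    padded = segment + "=" * (-len(segment) % 4)
    try:
        raw = base64.urlsafe_b64decode(padded).decode("ascii")
    except (ValueError, UnicodeDecodeError):
        return None
    return raw if raw.isdigit() and 17 <= len(raw) <= 20 else None


def find_tokens(text: str) -> List[Tuple[str, str]]:
    """Return (user_id, token) for every string in `text` shaped like a user token."""
    found = []
    for match in TOKEN_RE.finditer(text):
        user_id = decode_user_id(match.group(1))
        if user_id:
            found.append((user_id, match.group(0)))
    return found


def redact_tokens(text: str) -> str:
    """Replace token-shaped strings with a placeholder before logging or relaying a message."""
    def _sub(match: "re.Match") -> str:
        return "[REDACTED TOKEN]" if decode_user_id(match.group(1)) else match.group(0)
    return TOKEN_RE.sub(_sub, text)


def make_fake_token(user_id: str) -> str:
    """Build a token-shaped string for testing (constructed; not a real credential)."""
    first = base64.urlsafe_b64encode(user_id.encode()).decode().rstrip("=")
    return f"{first}.Xk9Q2a.{'A' * 27}"


if __name__ == "__main__":
    sample = "pls paste " + make_fake_token("123456789012345678") + " here"  # constructed
    print(find_tokens(sample))
    print(redact_tokens(sample))
```

The user ID recovered from the first segment tells a moderator whose account is exposed, so the right person can be told to change their password even when the token was pasted by someone else.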
Next Steps
If you suspect your Discord token has been compromised, change your account password immediately. This invalidates the old token and signs every device out, so the attacker's copy stops working. Then review the Devices page in User Settings and log out any session you don't recognize.
Compromised Accounts
An account is compromised when an attacker gains control of it, whether by stealing your password, your token, or an active session.
What should you do?
If you still have access to the account:
- Start by changing your password, and confirm that the email address on the account is still yours (change it back if the attacker altered it)
- Add additional measures of security to your account
- Re-generate your backup codes
- Submit a support ticket under "Hacked Account". Include all information that you know and explain the situation so that when they get to your ticket, they can immediately resolve the issue.
- Make sure to let everyone know that your account has been compromised so that no one else is impacted. Some hackers will contact your friends through your account to get access to their accounts.
If you no longer have access to the account and your account isn't disabled:
- Submit a support ticket under "Hacked Account".
- Make sure to let everyone know that your account has been compromised.
If your account is disabled:
- If your account has been disabled, there is a high chance that an attacker got into it and then broke Discord's Terms of Service (for example by sending spam or scam links) while using it.
- Submit a support ticket under "Appeals & Age Update Requests". Then select "Appeal an action taken on my account or bot".
- Make sure to let everyone know that your account has been compromised.
Discord Support
Discord Support is known to be relatively slow. Ticket response times vary and depend on their volume. The only team that will talk to you about your compromised account is their Trust and Safety Team.
When you submit a ticket, Discord will recommend some pages of support. Make sure to click "No" when they ask if your issue has been resolved.
If you have submitted a ticket, you will most likely get a response from one of their bots (Clyde usually). You need to make sure to respond to their bot for your ticket to be put in the right queue.
You can view the status of your tickets on their website. When you add additional Information, you will go to the back of the queue. It is best if your ticket status is "Open" but if it is "Solved", know that you may still receive responses from the support team.
Skill Sheets
1) Clearing Cache & Cookies
For Chrome
If you’re using the Discord website as opposed to the Discord app, you can clear your Discord cache using a web browser. To clear your Discord cache, you must clear your browser cache.
- Open Google Chrome.
- Press Ctrl + Shift + Delete. This will take you directly to the 'delete browsing data' tab.
[Clear browsing data showing areas that will be deleted, such as browsing/download history, cookies and cached images and files]
- Check the relevant data that you want to remove. To delete all possible Discord cache, set the time range to ‘all time’.
- Click ‘clear data’ to clear your Discord cache.
For Safari
If you use Discord on Safari, you can clear your Discord cache by clearing Safari’s browser cache.
- Open the iOS Settings app and locate Safari.
- Click to open Safari’s settings.
- Scroll through the options until you see ‘clear history and website data’.
- Select the option to clear your Discord cache. NOTE: This will also clear other website cache, history, and cookies as well.
[Safari settings features]
Alternatively, there is a way to more selectively clear the Discord cache for Safari.
- Go to Settings > General > iPhone Storage.
- Locate and click on the Safari app.
- Select the ‘website data’ option to see a list of website cache.
[Safari app showing the Website Data option]
- Click ‘edit’ located in the top right corner. Now, you can individually delete the website cache.
- Locate the cache for Discord, and delete it by clicking the minus icon. You can expand the cache list by selecting ‘show all sites’.
- Afterwards, click ‘done’ to exit edit mode.
For Desktop
On Desktop, you have to do a little bit more to clear the cache but the good thing is that you do not have to deal with cookies. You can find your Discord cache in the File Explorer.
- Press the Windows logo key + R to open the Run dialog box and type in %appData%.
[Run window showing %appData% typed in the Open: field]
- Select the ‘open’ option to access File Explorer.
- Locate and double-click on the Discord folder.
- Open the Cache folder.
[Cache folder highlighted from the Discord folder]
- Delete all the files in the Cache folder to clear your Discord cache.
For iOS
For iOS, you can clear the app cache in the device settings. This option is only available for certain apps. Unfortunately, there is no option to clear the cache for the Discord app. You can only clear the Discord cache by deleting the app in the settings. Deleting the app will also delete its cache. Afterward, you can reinstall the app if you wish to continue using it. To delete discord apps:
- Open device settings
- Select General > iPhone Storage
- Scroll down and click on the Discord app.
- Select the ‘delete app’ option to clear your Discord cache.
[Discord app screen showing the Delete App option]
For Android
On Android, you can delete the app cache from the device settings.
- Open Settings, and then select the 'battery and device care' option (this path is from a Samsung device; menu names vary by manufacturer, see the alternative path below).
- Select ‘storage’. You should now see a list of categories.
- Press ‘apps’ to see your list of currently installed apps.
- Scroll through the list until you find the Discord app. Select the app. NOTE: Alternatively, you can go to Settings > Apps > Discord to reach the same location.
- Select the ‘storage’ option and then click ‘clear cache’ to delete your Discord cache. NOTE: You can also choose to clear your Discord data by pressing ‘clear data’.
[Storage screen options in Discord]
2) Setting up Multi-Factor Authentication (MFA)
There are two primary MFA methods on Discord: an authenticator app and a security key (SMS is offered only as a backup after an authenticator app is enabled). You can set them up by going to Your -> Settings -> Account on mobile, or User Settings -> My Account on desktop.
Phones:
[Multi-Factor Authentication screen showing settings on a phone]
PCs:
[Password and Authentication screen for PCs]
Either platform walks you through the same steps. The authenticator app works like the Duo app RPI uses: it gives you a code to enter each time you log in. The security key option uses your device's biometrics or passcode each time you log in. Both methods generate backup codes in case your device or authenticator app is lost.
Save these codes when Discord prompts you to as shown below:
[Download Backup Codes screen with the Download Backup Code button]
These codes will download as a .txt file that you can open using Notepad or a similar app. Save these codes somewhere safe. You can also save the codes by copying them down independently:
[List of Backup codes]
These codes should not be shared for any reason. If they are leaked (like how mine have been placed on this document), you should generate new backup codes immediately.
3) Managing Server Invite Links
Server links are significant security risks because they control who can join your server in the first place. If you are a club that frequently publicizes your discord link to gain members, set up these boundaries and checkpoints so you can control the access of malicious users or track them if they get in. When sending invite links, notice the options:
[Send a server invite link to a friend dialog box with a copy button]
[Invite a friend dialog box with several options to invite someone like: Share Invite, Copy Link, Messages, Email and Messenger]
When you click edit invite link, you have these options:
[Server invite link settings and link settings dialog boxes]
If you are recruiting only during a certain period, make the link expire when that period ends so a link that leaks later cannot be reused. Setting a maximum number of uses limits how many people a leaked link can let in. Finally, if you want the server to host only engaged members, granting temporary membership is recommended, so users who join and never return don't accumulate in the server. An excessive number of members increases the risk.
To manage invite links that you create, first access server settings:
[Discord Service Settings options]
After you get into settings, you should see an option for invites:
[Invites option with User Management showing Invites as an option to choose]
On the invite page, you should see this:
[Invites page showing a list of active invite links]
[Information on an invite from the Invites area]
When you hover over an invite link, you should see a red x. This allows you to delete that specific invite link if you notice malicious users entering through that link. You may also click pause invites at the top to stop all links from working. To check which link members may be using, check the members list:
[List of Recent Members]
Mobile users will not have this view.
By following these steps, you should be able to effectively manage the entry point of your server and online community.
4) Setting up Verification Level
1. Safety Setup > Verification Level
[Verification Level dialog box showing None, Low, Medium, High and Highest]
2. Select the level that fits best for the discord group and click change.
References/Links
Credit:
Rebecca Lin
Samuel Leung
Patrick Nguyen
Brian Robert Callahan