✅Security Audit Checklist

This is merely a guide of the essentials. Individuals may wish to customize/make additions to this for their own personal needs and/or create their own version. This is the bare necessities.

Auditing Discord Security

Discord servers should be reviewed periodically to ensure security is properly maintained. Over time, especially in larger discords, simple mistakes in small changes could lead to vulnerabilities. Misconfigured channel permissions can also be duplicated when new channels are cloned.

Security Audit Checklist

• Owner account maintain ownership, without any other roles, and offline

• Administrator permissions are designated to correct user/s and bots

  • Vanity Admin and Moderators do NOT have Administrator permission

  • Ensure only bots that absolute need Administrator have it

  • Outside of + role (hidden admin) no other role has Administrator

• Role hierarchy maintained:

  • + (hidden admin)

  • ++ (hidden channel admin)

  • Bots

  • Vanity Admin

  • Vanity Team

  • Vanity Moderator

  • Paid Users: Token-gated, Server boosters, Patreon, etc.

  • Verified Users

• Join Gate separates Verified from Unverified users

  • No users visible in list except hidden admin, server owner, and unverified users

  • No unverified users visible outside of Verified channels

• Management and Staff roles don't have Manage Roles, Manage Channels, Manage Server, Manage Webhooks and all other High Threat Permissions

• Management and Staff roles don't have access to High Threat Channels

• Channels synced with their Category permissions, with exceptions to Social, Bot feed channels that may grant access to one specific bot in otherwise read-only channels

• No roles other than Administrator and Owner have ability to configure bots

• /kick /ban /timeout commands working (if disabled in permissions and tied only to automod)

• Webhooks removed from Server Integrations after use

• No unaccounted for bots

• Channels are only visible to the roles intended

  • Non-staff can't see staff channels/private channels

  • Non-holders can't see token-gated channels

• Log Channels configured correctly and logging events as intended

• Staff accounts had read-only or no access to channel logs