Definitive Discord Anti-Nuke
Compromised admins are a scary thing, and now a thing of the past...

One of the scariest prospects for Discord server owners is an admin getting compromised, deleting everything, banning everyone... or maybe scamming/phishing your members. This had always been a hard problem to solve, until now.
Your admins don't always need admin!
I would always give this advice when talking to moderation teams. The Admin perm is scary! All perms that allow server modification are. So your admin team shouldn't be walking around with these perms 24/7. But how can you let them access their perms without having to ask someone higher up?
This is a problem I thought about for a while, and the solution I came to was locking roles behind MFA & a timeout. Need Admin for 5 minutes to move some channels around? Maybe update some roles?
Introducing Roleify
This system allows staff members to claim roles with all the scary permissions by passing an MFA challenge, provided they hold a role that entitles them to those permissions.
Simply pick a cosmetic, perm-free role you want to assign to your admins or mods, then use the config to choose which additional roles that role is granted once its holder passes the MFA challenge.
Granted roles can stick around for anywhere from 5 minutes to 12 hours, and you can grant several roles (up to 5) per eligibility role. Your server can have up to 25 eligibility roles!

Enrolling with Roleify is as simple as running the /enroll command, scanning the TOTP QR code with your chosen authenticator app (such as Google Authenticator), and entering your first TOTP code. That's it, you're good to go!
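The claim flow described above, sketched as an added example; this is not Roleify's code, which the page does not show. It assumes standard RFC 6238 TOTP (HMAC-SHA1, 30-second step, 6 digits), a one-step drift window and a replay guard; the `Elevator` class, the role names and the demo seed are hypothetical.

```python
import base64, hashlib, hmac, struct

MIN_TTL, MAX_TTL = 5 * 60, 12 * 3600  # page: grants last 5 minutes to 12 hours
MAX_GRANTED, MAX_ELIGIBLE = 5, 25     # page: 5 granted roles per eligibility role, 25 such roles
STEP = 30                             # assumption: standard 30 s TOTP step, 6 digits

def totp(seed_b32, at, digits=6):
    """RFC 6238 TOTP (HMAC-SHA1) for Unix time `at`."""
    key = base64.b32decode(seed_b32, casefold=True)
    mac = hmac.new(key, struct.pack(">Q", int(at) // STEP), hashlib.sha1).digest()
    off = mac[-1] & 0x0F  # dynamic truncation offset
    code = struct.unpack(">I", mac[off:off + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

class Elevator:
    """Hypothetical grant tracker: eligibility role -> (granted roles, ttl seconds)."""
    def __init__(self, config, seeds):
        if len(config) > MAX_ELIGIBLE:
            raise ValueError("too many eligibility roles")
        for elig, (granted, ttl) in config.items():
            if not (1 <= len(granted) <= MAX_GRANTED and MIN_TTL <= ttl <= MAX_TTL):
                raise ValueError(f"bad config for {elig}")
        self.config, self.seeds = config, seeds
        self.last_step = {}  # user -> last accepted time step, so a code cannot be replayed
        self.grants = {}     # user -> (granted roles, expiry time)

    def claim(self, user, member_roles, elig, code, now):
        """Return (roles, expiry) if the member is entitled and the code is fresh, else None."""
        if elig not in member_roles or elig not in self.config or user not in self.seeds:
            return None
        current = int(now) // STEP
        for step in (current, current - 1):  # tolerate one step of clock drift
            expected = totp(self.seeds[user], step * STEP)
            fresh = step > self.last_step.get(user, -1)
            if fresh and hmac.compare_digest(expected.encode(), str(code).encode()):
                self.last_step[user] = step
                granted, ttl = self.config[elig]
                self.grants[user] = (tuple(granted), now + ttl)
                return self.grants[user]
        return None

    def active_roles(self, user, now):
        """Roles still held at `now`; a bot would strip them once this turns empty."""
        roles, expiry = self.grants.get(user, ((), 0))
        return roles if now < expiry else ()

DEMO_SEED = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"  # constructed sample: RFC 6238 test key, not a real secret
if __name__ == "__main__":
    print(Elevator({"staff": (("admin",), 300)}, {"alice": DEMO_SEED}).claim("alice", {"staff"}, "staff", totp(DEMO_SEED, 59), 59))
```

The replay guard matters here because a phished or shoulder-surfed code would otherwise stay usable for the rest of its window.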
You can click here to add Roleify to your server!
At this time, backup codes are NOT provided. You should save the TOTP seed securely if possible. If you lose access to your authenticator, there is no guarantee you will be able to re-enroll.
⚠️ DO NOT SCAN QR CODES WITH YOUR DISCORD APP! ⚠️
All data is encrypted at rest and is not reverse attributable; read the privacy policy & ToS.
This isn't the only duck in the pond!
During the testing of Roleify, I discovered other bots support this exact same system. Roleify, as with all of the small utility bots from PNLY, is very narrowly scoped & will only do the one thing it's built to do.
One of these bots is called Exoguard, which has a more expansive MFA implementation including WebAuthn, a login system for staff & extensive configuration options. Exoguard also ties MFA on a per-server basis, so server owners can revoke MFA or allow staff to re-enroll. If you're looking for a little bit extra, this bot is a seriously good option!

The Good Knight Discord bot also features TOTP & Password-based MFA, as well as a plethora of other moderation features. While this bot is primarily focused on Web3/Crypto communities, it has a good deal to offer as a kitchen sink moderation/security bot.

How can I prevent my staff getting compromised?
Check out our first guest article, a crash course on 2FA, to learn more about how to keep all of your accounts safer online, not just Discord!
