Hey all, recently I was in a conversation with one of the owners of a server I moderate and we started talking about bot security. What started the conversation was the owner saying that he doesn't want anyone to host his bot, because they could change the bot's code and give themselves admin, causing damage to the server. I explained to him that unless the bot has the admin permission it cannot create roles and give them the admin permission. After explaining this I realized that I could write a blog post going into more detail about bots. I previously touched on this in one of my blog posts, located Here. I may create a part two of this post because of the long list of things I have planned to talk about. So let's begin.
Like I said earlier, unless a bot has admin it cannot give members the admin permission. The same goes for all permissions: you cannot give a role permissions that you do not have yourself. So the permissions I usually do not give a bot are Administrator and Manage Channels. The reason I do not give Manage Channels is that I have the server set up so users cannot send bot commands in general chat, and a bot with Manage Channels bypasses those settings.
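The rule above (a member can only hand out permission bits it holds itself, unless it has Administrator) is easy to check in code. The following is an added example, not code from the original post; it uses the permission flag values from Discord's API documentation for a small subset of flags, and the "never give a bot" list is the policy this post describes, not a Discord rule.

```javascript
// Added example: Discord permissions are a bitfield, so "can the bot grant X?"
// is a mask test. Flag values follow the Discord API permission flag list.
const Permissions = {
  ADMINISTRATOR:   1n << 3n,
  MANAGE_CHANNELS: 1n << 4n,
  VIEW_CHANNEL:    1n << 10n,
  SEND_MESSAGES:   1n << 11n,
  MANAGE_MESSAGES: 1n << 13n,
  MANAGE_ROLES:    1n << 28n,
};

// Administrator implies every bit, so use a full 64-bit mask for that case.
const ALL_BITS = (1n << 64n) - 1n;

// Bits a member may put on a role: everything with Administrator, nothing
// without Manage Roles, otherwise only the bits the member itself holds.
function grantableBy(memberPerms) {
  if (memberPerms & Permissions.ADMINISTRATOR) return ALL_BITS;
  if (!(memberPerms & Permissions.MANAGE_ROLES)) return 0n;
  return memberPerms;
}

// True when every requested bit is inside the grantable set.
function canGrant(memberPerms, requested) {
  return (requested & ~grantableBy(memberPerms)) === 0n;
}

// The post's own policy: a bot should not be given these two permissions.
const NEVER_GIVE_A_BOT = Permissions.ADMINISTRATOR | Permissions.MANAGE_CHANNELS;

// Names of the policy-violating bits present in a bot's permission set.
function riskyBits(botPerms) {
  const hits = [];
  for (const [name, bit] of Object.entries(Permissions)) {
    if ((NEVER_GIVE_A_BOT & bit) && (botPerms & bit)) hits.push(name);
  }
  return hits;
}

// Constructed sample: a typical moderation bot without Administrator.
const sampleBot = Permissions.VIEW_CHANNEL | Permissions.SEND_MESSAGES | Permissions.MANAGE_ROLES;
console.log("bot can grant Send Messages:", canGrant(sampleBot, Permissions.SEND_MESSAGES));
console.log("bot can grant Administrator:", canGrant(sampleBot, Permissions.ADMINISTRATOR));
console.log("risky bits:", riskyBits(sampleBot | Permissions.MANAGE_CHANNELS));
```

Run it with node; the point to notice is that a bot holding Manage Roles but not Administrator cannot escalate anyone to Administrator, while a bot holding Administrator can grant every bit.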
It's usually fine to add any bot to your server, as using bots to cause damage to servers is against the T&S. Personally, I have not had any issues with bots causing damage to a server. I have, though, had situations where a bot gets compromised, which I will discuss later.
There are a few rules you have to be careful of when using a bot. One of them concerns rainbow roles. Rainbow roles are when you make your bot change the color of a role every few seconds. Although it looks cool, it is not permitted and could get you in trouble, so do not use them. Bots must obey the Terms of Service that Discord has for users; you must make sure your bot does not exceed the rate limits; and your bot must not collect users' messages. You are able to view the documentation Here.
As I talked about in a previous blog post, you must be careful what you do with your bot tokens; you can read that blog post Here. Anyway, there are people who like to token-scrape on GitHub. What this means is that people search for keywords using GitHub's search function, so they look for the Discord bot.login code in bot repositories, and if they find a bot token they will use it, which compromises your bot. If you feel you accidentally leaked your bot token, you can generate a new one by going to your bot's profile on Discord's developer website and clicking generate a new token. Keeping your token secret is #1, because if someone gets hold of your token and starts breaking the T&S using it, YOUR account will be terminated, as the token is linked to your account. There are ways you can hide your token on GitHub: put the token in a config.json file and add config.json to your .gitignore so that file is never pushed and only you can see it. You should never have your token in your main file, ever. Some hosting services also let you create an environment (.env) file, which hides its contents from everyone except you.
What is eval?
Eval is a bot command that runs whatever code is sent to it inside the bot's own process, so you must make sure that eval only works with your ID. You can add a line of code saying
if (message.author.id !== ownerID) return; // stop here unless the message author is the owner
And then at the top of the code add
const ownerID = "Your ID"; // your Discord user ID, kept as a string
This will make it so that if the user's ID does not match yours, nothing will happen.
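The owner check above, carried through as an added example (not code from the original post) that runs offline: the message objects are constructed stand-ins for a real discord.js Message, the OWNER_IDS value is a placeholder, and the isOwner and handleEval helpers are my own names. It also covers the one mistake the one-liner does not catch: Discord user IDs are strings, so an owner ID written as a number never matches and the check silently denies everyone, including you.

```javascript
// Added example: owner-gated eval with a strict string ID comparison and a
// log line for every denied attempt, so misuse is visible rather than silent.

// Placeholder: replace with your own user ID, kept as a string.
const OWNER_IDS = new Set(["000000000000000000"]);

function isOwner(message, ownerIds = OWNER_IDS) {
  const id = message && message.author ? message.author.id : undefined;
  // Snowflake IDs are strings; a number here can never match, so reject it.
  return typeof id === "string" && ownerIds.has(id);
}

// Runs `code` only for an owner. `run` is the executor (eval in the bot's own
// process by default); `log` receives a line for every denied attempt.
function handleEval(message, code, { ownerIds = OWNER_IDS, run = (src) => eval(src), log = () => {} } = {}) {
  if (!isOwner(message, ownerIds)) {
    const who = message && message.author ? String(message.author.id) : "unknown";
    const where = message && message.channel ? String(message.channel.id) : "unknown";
    log(`denied eval from user ${who} in channel ${where}`);
    return { ok: false, reason: "not owner" };
  }
  try {
    return { ok: true, result: String(run(code)) };
  } catch (err) {
    return { ok: false, reason: err.message };
  }
}

// Constructed sample messages standing in for discord.js Message objects.
const ownerMessage = { author: { id: "000000000000000000" }, channel: { id: "1" } };
const strangerMessage = { author: { id: "111111111111111111" }, channel: { id: "1" } };
const numericIdMessage = { author: { id: 0 }, channel: { id: "1" } };

console.log(handleEval(ownerMessage, "1 + 1", { log: console.log }));       // { ok: true, result: '2' }
console.log(handleEval(strangerMessage, "1 + 1", { log: console.log }));    // denied, logged
console.log(handleEval(numericIdMessage, "1 + 1", { log: console.log }));   // denied: ID is not a string
```

Wire the denied-attempt log to wherever the bot already logs (a file or a private channel); repeated denials from one user ID are worth looking at.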
You must make sure to never give anyone else permission to use eval, as they could wipe your entire computer if you are hosting the bot on your PC.
Depending on how popular this post is, I may create a part 2 of this post.
Thanks for reading