Anti-nuke
Per-user rolling-window limits on dangerous Discord actions. Auto-punishes ANY user — even an admin — who exceeds a limit. Defends against compromised moderator accounts. Pro feature.
The threat model
Most server attacks come from outside: phishing URLs in chat, mass-join raids, scam DMs. Anti-nuke addresses the threat from inside: a moderator's account gets compromised (via phishing, credential stuffing, social engineering), and the attacker uses their permissions to mass-delete channels, mass-ban members, or add malicious bots.
Discord's native permission system doesn't help here — the attacker has the legitimate permission. Anti-nuke watches for behavioral signals (too many dangerous actions in too short a window) and acts even when the user has the perm to do what they're doing.
Seven tracked actions
| Action | Default limit (per 60s) | Why this threshold |
|---|---|---|
| Bans | 10 | Manual mod-cleanup rarely hits 10 bans/minute |
| Kicks | 10 | Same reasoning as bans |
| Channel deletes | 2 | No legit workflow deletes 2 channels in a minute |
| Channel creates | 5 | Batch creation during setup is occasionally legit |
| Role deletes | 2 | Defacement signal — keep tight |
| Role creates | 5 | Same as channel creates |
| Bot adds | 5 | Catches malicious-bot injection during compromise |
Set any limit to 0 to disable that specific action while keeping the others active.
Why rate, not total count
The 60-second window is deliberately short. A real attack hammers actions (5–20 events/minute); legitimate post-raid cleanup paces at 0.5–2/minute because each ban requires lookup + click + confirm. Counting per minute discriminates cleanly without false positives on legitimate work.
Adjust the window in the dashboard (60–3600 seconds). Longer windows mean "average rate over more time" — more forgiving of legitimate bursts, slower to react to attacks.
Four punishment modes
| Mode | What it does |
|---|---|
| STRIP_ROLES | Default. Removes all roles below Zippy Wall's. Reversible — an admin can re-grant in seconds. Best for first-time setup. |
| KICK | Removes the user. Reversible — they can re-join via invite. |
| BAN | Permanent ban. Use only when you're confident in the thresholds. |
| LOG_ONLY | Posts to mod-log, takes no action. Use for the first 7 days to tune thresholds without risk. |
Critical: whitelist your senior admins
Anti-nuke does NOT auto-exempt users with the Administrator permission — that's by design (the threat model is "compromised admin account"). If you don't add your trusted admins to the whitelist, a legitimate cleanup of 10+ raid alts will trip anti-nuke and strip their roles.
Add your senior moderator role to Exempt roles, or specific user IDs to Exempt users, before enabling anti-nuke in non-LOG_ONLY mode. See Whitelist.
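The per-user rolling-window check and whitelist behavior described above, as an added example (not Zippy Wall's own code). The class, function and action-key names are hypothetical, and reading "exceeds" as strictly more than the limit is an assumption; the limits and the 60–3600 second window range come from this page, and the timestamps are constructed.

```python
from collections import defaultdict, deque

# Default limits per window, copied from the table on this page (0 disables an action).
DEFAULT_LIMITS = {
    "ban": 10, "kick": 10, "channel_delete": 2, "channel_create": 5,
    "role_delete": 2, "role_create": 5, "bot_add": 5,
}

class RollingWindowMonitor:
    """Hypothetical per-user rolling-window counter; not Zippy Wall's code."""
    def __init__(self, limits=None, window=60, exempt_users=(), exempt_roles=()):
        if not 60 <= window <= 3600:          # dashboard range stated on the page
            raise ValueError("window must be 60-3600 seconds")
        self.limits = dict(DEFAULT_LIMITS, **(limits or {}))
        self.window = window
        self.exempt_users = set(exempt_users)
        self.exempt_roles = set(exempt_roles)
        self.events = defaultdict(deque)      # (user_id, action) -> timestamps

    def record(self, user_id, action, ts, roles=()):
        """Return True when this event pushes the user over the limit."""
        limit = self.limits.get(action, 0)
        if limit == 0:                        # action disabled
            return False
        # Only the explicit whitelist exempts; Administrator permission is ignored.
        if user_id in self.exempt_users or self.exempt_roles & set(roles):
            return False
        q = self.events[(user_id, action)]
        q.append(ts)
        while q and q[0] <= ts - self.window: # drop events older than the window
            q.popleft()
        # Assumption: "exceeds" means strictly more than the limit.
        return len(q) > limit

def first_trip(monitor, user_id, action, timestamps, roles=()):
    """Replay constructed timestamps; return the index of the first trip or None."""
    for i, ts in enumerate(timestamps):
        if monitor.record(user_id, action, ts, roles):
            return i
    return None

# Constructed sample data: a burst (one ban every 3 s) vs paced cleanup (one per 30 s).
BURST = [i * 3 for i in range(20)]
PACED = [i * 30 for i in range(20)]

if __name__ == "__main__":
    m = RollingWindowMonitor()
    print("burst trips at event", first_trip(m, "mod_a", "ban", BURST))
    print("paced trips at event", first_trip(m, "mod_b", "ban", PACED))
```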
Recommended first-time setup
- Toggle anti-nuke ON in the dashboard.
- Set punishment to LOG_ONLY.
- Run for 7 days. Watch the mod-log for what would have tripped.
- Add false-positive triggers (legit admins doing cleanup) to the exempt list.
- Switch punishment to STRIP_ROLES.
- Re-check the mod-log weekly. Only escalate to KICK or BAN once you're confident in the limits.