Locking Down a Website with OAuth2

Manual approvals and impersonation sign-ups were letting the wrong people reach private alliance intel. We enforced Discord OAuth2 SSO so members get verified entry and access is revoked within 24 hours if they leave the server.

  • Industry: Online Private Community
  • Users: 1500+ (UK + worldwide membership)
  • Location: Aberdeen, Scotland, UK
  • Main Issue: Impersonation sign-ups + slow manual approvals

Challenges

  • Manual approval queue slowed access for legitimate members.
  • Impersonation sign-ups used fake names to target restricted pages.
  • Membership changes were not enforced automatically on the website.

Solutions

  • Deployed Discord OAuth2 SSO so identity came from Discord, not typed names.
  • Enforced authorisation checks against the Discord API for server membership and the required role conditions.
  • Added a daily sync to disable accounts when Discord membership was revoked.

Outcomes

  • Removed the manual approval bottleneck for verified members.
  • Blocked impersonation attempts that relied on fake names.
  • Revoked website access within 24 hours after a member left Discord.

The Bottleneck

The site held alliance war plans, member intel, and private strategy notes. If it leaked, it would trigger sabotage, internal drama, and a loss of trust in leadership.

Martin Pan supported a private gaming alliance community built around a Game of Thrones strategy game. The WordPress site was meant to be private, but access relied on manual approvals after a basic sign-up.

That created two problems: the approval queue took time, and impostors could register using fake names that matched real players to reach restricted information.

Screenshot of the “Sign in with Discord” button enabling private access to the alliance WordPress website

The Zero-Trust Approach

We treated it as an identity and authorisation failure, not a “web design issue”. Typed names are not identity, and manual approval is not security.

We also worked within a hard constraint: the game offers no external API, and automating or scraping it would break its rules. We did not touch the game.

Instead, we used the system the alliance already trusted every day: Discord. Leadership was based in Aberdeen, but the community was spread across the UK and worldwide, so the checks had to run automatically.

The Execution

We rebuilt login so Discord membership became the gate. If the membership check failed, the site blocked access by default.

Members sign in through Discord's OAuth2 flow; the site then calls the Discord API to verify that the returned account belongs to the correct server and meets the required access conditions. The identity that matters is the Discord user ID the API returns, not a username, since names can be changed or copied. Once verified, the account is approved without a human queue.

We also added ongoing enforcement so access does not linger when someone leaves the community.
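
The sign-in gate described in this section, as an added example that is not code from the original page or from the site's WordPress plugin (the plugin is PHP; the decision logic is shown here in Python so it can run offline). Endpoint paths, OAuth2 scopes and JSON field names are Discord's real ones; the guild ID, role ID, client ID and sample users are invented, and live HTTP calls are replaced by a constructed `api_get` stand-in. The code exchange (step 2) is built but not sent.

```python
"""Added example: Discord OAuth2 sign-in gate for a private site.
Identity comes from Discord, membership and role are verified, and every
failure path denies. Constructed responses stand in for the live API."""
import secrets
from typing import Callable, Optional, Tuple
from urllib.parse import urlencode

DISCORD_API = "https://discord.com/api/v10"
# Assumed configuration (hypothetical IDs): the alliance's server and the
# role a member must hold to reach restricted pages.
REQUIRED_GUILD_ID = "123456789012345678"
REQUIRED_ROLE_ID = "234567890123456789"
SCOPES = "identify guilds.members.read"


def new_state() -> str:
    """Per-login random value kept in the session; defeats login CSRF."""
    return secrets.token_urlsafe(32)


def build_authorize_url(client_id: str, redirect_uri: str, state: str) -> str:
    """Step 1: where the "Sign in with Discord" button sends the browser."""
    params = {"client_id": client_id, "response_type": "code",
              "redirect_uri": redirect_uri, "scope": SCOPES, "state": state}
    return f"https://discord.com/oauth2/authorize?{urlencode(params)}"


def token_request(client_id: str, client_secret: str, code: str,
                  redirect_uri: str) -> Tuple[str, dict]:
    """Step 2: the server-side POST that swaps the one-time code for a bearer
    token (returned as (url, form) instead of being sent, to stay offline)."""
    return f"{DISCORD_API}/oauth2/token", {
        "client_id": client_id, "client_secret": client_secret,
        "grant_type": "authorization_code", "code": code,
        "redirect_uri": redirect_uri}


def authorize(user: Optional[dict], member: Optional[dict]) -> Tuple[bool, str]:
    """Step 3: the access decision. Identity is the Discord user ID, never a
    typed or displayed name. `user` is GET /users/@me; `member` is
    GET /users/@me/guilds/{guild}/member, or None when Discord answered 404."""
    if not user or not user.get("id"):
        return False, "no discord identity"
    if member is None:
        return False, "not a member of the alliance server"
    if member.get("pending", False):           # joined but not through screening
        return False, "membership pending"
    if REQUIRED_ROLE_ID not in member.get("roles", []):
        return False, "required role missing"
    return True, f"discord user {user['id']} verified"


def handle_callback(expected_state: str, returned_state: Optional[str],
                    api_get: Callable[[str], Tuple[int, dict]]) -> Tuple[bool, str]:
    """The /callback handler after the token exchange. `api_get(path)` does a
    bearer-token GET and returns (status, json). Anything unexpected denies."""
    if not returned_state or not secrets.compare_digest(
            expected_state.encode(), returned_state.encode()):
        return False, "state mismatch"
    try:
        status, user = api_get("/users/@me")
        if status != 200:
            return False, f"identity lookup failed ({status})"
        status, member = api_get(f"/users/@me/guilds/{REQUIRED_GUILD_ID}/member")
        if status == 404:
            member = None
        elif status != 200:                    # 401/403/429/5xx: deny, do not guess
            return False, f"membership lookup failed ({status})"
    except Exception as exc:                   # timeout, connection error, bad JSON
        return False, f"discord unavailable: {exc}"
    return authorize(user, member)


# Constructed sample data standing in for Discord's responses.
SAMPLE_USER = {"id": "345678901234567890", "username": "ned_stark"}
MEMBER_PATH = f"/users/@me/guilds/{REQUIRED_GUILD_ID}/member"
MEMBER_WITH_ROLE = {"user": SAMPLE_USER, "roles": [REQUIRED_ROLE_ID, "111"], "pending": False}
MEMBER_NO_ROLE = {"user": SAMPLE_USER, "roles": ["111"], "pending": False}


def fake_discord(responses: dict) -> Callable[[str], Tuple[int, dict]]:
    """Offline stand-in for the HTTP client; unknown paths answer 500."""
    return lambda path: responses.get(path, (500, {"message": "Internal Server Error"}))


if __name__ == "__main__":
    state = new_state()
    print(build_authorize_url("my-client-id", "https://alliance.example/callback", state))
    api = fake_discord({"/users/@me": (200, SAMPLE_USER), MEMBER_PATH: (200, MEMBER_WITH_ROLE)})
    print(handle_callback(state, state, api))       # (True, 'discord user ... verified')
    print(handle_callback(state, "forged", api))    # (False, 'state mismatch')
```

The point of `handle_callback` is that every branch that is not a verified member ends in a denial: a missing or mismatched `state`, a non-200 identity lookup, a rate limit or outage on the membership lookup, and a member without the role all fall through to "no". A 404 on the member endpoint is the one response that is a definite answer (the user is not in the server), so it is mapped to `None` and denied by `authorize` rather than treated as an error.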

Security Controls Deployed

  • Auth: Discord OAuth2 SSO verified identity at sign-in.
  • Authorisation: Discord API checks verified server membership and required access conditions (role/channel rules).
  • Deprovisioning: A daily sync re-checked membership against Discord and disabled website accounts within 24 hours when access was revoked in Discord; the sync interval is the upper bound on how long a departed member keeps access.
  • Failure Mode: If checks failed, the site denied entry and restricted pages stayed locked.
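
The daily deprovisioning sync from the controls above, as an added example that is not code from the original page or the site's plugin. It uses the bot-authenticated member endpoint, whose 404 body and error code 10007 ("Unknown Member") are Discord's; the guild ID, role ID, account records and canned responses are invented, and the live API is replaced by a constructed `lookup` so it runs offline. The guard rail against mass revocation is an added design choice, not something the page describes.

```python
"""Added example: daily deprovisioning sync for Discord-gated site accounts.
Only a definite answer from Discord disables an account; outages, bad bot
tokens and misconfiguration are reported, never acted on."""
from typing import Callable, Dict, List, Optional, Tuple

DISCORD_API = "https://discord.com/api/v10"
REQUIRED_GUILD_ID = "123456789012345678"    # hypothetical alliance server
REQUIRED_ROLE_ID = "234567890123456789"     # hypothetical member role
UNKNOWN_MEMBER = 10007                       # Discord JSON error code on that 404


def member_request(discord_id: str, bot_token: str) -> Tuple[str, Dict[str, str]]:
    """The bot-authenticated GET issued for each account (URL and headers only)."""
    return (f"{DISCORD_API}/guilds/{REQUIRED_GUILD_ID}/members/{discord_id}",
            {"Authorization": f"Bot {bot_token}"})


def entitlement(status: int, body: dict) -> Optional[bool]:
    """Map one lookup to True (keep), False (disable) or None (could not tell).
    A 200 without the role, or a 404 whose code says the *member* is unknown,
    revokes. A 404 for an unknown guild, 401/403 (bad bot token), 429 or 5xx
    says nothing about the member and must not disable anyone."""
    if status == 200:
        return REQUIRED_ROLE_ID in body.get("roles", []) and not body.get("pending", False)
    if status == 404 and body.get("code") == UNKNOWN_MEMBER:
        return False
    return None


def run_sync(accounts: List[dict],
             lookup: Callable[[str], Tuple[int, dict]],
             max_disable_fraction: float = 0.5) -> Dict[str, object]:
    """Re-check every enabled account linked to a Discord user and disable
    those no longer entitled. Accounts are dicts with keys site_user,
    discord_id, enabled. Returns a report and flips `enabled` only when
    the run is not aborted."""
    disable, keep, unknown = [], [], []
    for acct in accounts:
        if not acct["enabled"]:
            continue                # already off; rejoining goes through sign-in
        try:
            verdict = entitlement(*lookup(acct["discord_id"]))
        except Exception:           # connection error, timeout, bad JSON
            verdict = None
        if verdict is True:
            keep.append(acct["site_user"])
        elif verdict is False:
            disable.append(acct["site_user"])
        else:
            unknown.append(acct["site_user"])
    checked = len(disable) + len(keep) + len(unknown)
    # Guard rail: a wrong guild ID, a revoked bot token or an API outage must
    # surface as an alert, never as a mass revocation of legitimate members.
    aborted = checked > 0 and len(disable) / checked > max_disable_fraction
    if not aborted:
        for acct in accounts:
            if acct["site_user"] in disable:
                acct["enabled"] = False
    return {"disabled": sorted(disable), "kept": sorted(keep),
            "unknown": sorted(unknown), "aborted": aborted}


# Constructed sample accounts and the answers Discord would give for them.
SAMPLE_ACCOUNTS = [
    {"site_user": "ned",   "discord_id": "100", "enabled": True},
    {"site_user": "arya",  "discord_id": "200", "enabled": True},
    {"site_user": "theon", "discord_id": "300", "enabled": True},
    {"site_user": "jon",   "discord_id": "400", "enabled": True},
    {"site_user": "sansa", "discord_id": "500", "enabled": True},
    {"site_user": "ghost", "discord_id": "600", "enabled": False},
]
SAMPLE_RESPONSES = {
    "100": (200, {"roles": [REQUIRED_ROLE_ID, "111"], "pending": False}),  # still entitled
    "200": (200, {"roles": ["111"], "pending": False}),                    # lost the role
    "300": (404, {"message": "Unknown Member", "code": UNKNOWN_MEMBER}),   # left the server
    "400": (500, {"message": "Internal Server Error"}),                    # transient
    "500": (200, {"roles": [REQUIRED_ROLE_ID], "pending": False}),
}


def sample_lookup(discord_id: str) -> Tuple[int, dict]:
    """Offline stand-in for member_request + HTTP call."""
    return SAMPLE_RESPONSES[discord_id]


if __name__ == "__main__":
    accts = [dict(a) for a in SAMPLE_ACCOUNTS]
    print(run_sync(accts, sample_lookup))
    # {'disabled': ['arya', 'theon'], 'kept': ['ned', 'sansa'], 'unknown': ['jon'], 'aborted': False}
    everyone_gone = lambda _id: (404, {"message": "Unknown Member", "code": UNKNOWN_MEMBER})
    print(run_sync([dict(a) for a in SAMPLE_ACCOUNTS], everyone_gone)["aborted"])   # True
```

Two things in this sync matter more than the happy path. First, the distinction between "Discord says this user is not a member" and "Discord could not answer" decides whether a nightly run during an API outage locks out the whole alliance; `entitlement` returns `None` for the latter and the account is left alone and listed under `unknown` for an operator to look at. Second, the sync only closes access on the next run, so a removed member can keep a valid session for up to the sync interval; the same checks running at every sign-in (as in the controls above) and short site sessions shrink that window.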

Mission Accomplished

Legitimate members stopped waiting for approvals. If they were in the right Discord server and met the rules, they gained access immediately.

Impersonation stopped working because typed names no longer mattered. Discord membership became the only accepted proof.

Manual approvals were removed, and access was revoked within 24 hours when someone left the server.

Instant Verification, Zero Impostors

Rated 5 out of 5 stars by the client

We needed our WordPress site to stay genuinely private for alliance members, but our old sign-up process was a constant headache. People would register with any name, leaders had to approve accounts manually, and it wasn’t just slow; it also made it too easy for impostors to try using fake names to get access to information they shouldn’t see.

The solution was simple and smart: we moved access control to Discord, because that’s where our community already lives. Members now sign in with Discord, the site checks they’re actually in the right server and meet the access rules, and then access is granted automatically without anyone needing to babysit approvals.

What I like most is that it keeps working after launch. If someone leaves or is removed from Discord, their website access is automatically disabled on the daily sync. That gives us real peace of mind: the site stays private without constant admin work, and we’re no longer wasting time on approvals or worrying about who is slipping through.

Clear communication, a clean implementation, and exactly the kind of security-minded thinking we needed for a community site.

Martin Pan
Founder at SXO
Verified Client