Using IFTTT to connect Reddit to Discord

I spent far too long this morning trying to get posts from a particular subreddit to show up in a particular channel on a Discord server I belong to. There was a lot of bad and wrong information out there on how to do this, and finding the correct way took me down many incorrect pathways.

The goal here is to set up the workflow like this:

Reddit post in /r/yoursubreddit > IFTTT applet > Discord webhook > posted to your Discord channel

Essentially, the Discord webhook is a very simple Discord bot that is fed content by IFTTT when someone posts to the subreddit of interest. The webhook takes that content and feeds it to the channel you desire.

For the record, this is the way to do it.


  • A sufficient user role to edit the channel settings on Discord of the channel you want to post your Reddit content to.
  • Webhooks capability enabled for your Discord user role *and* for the channel you want to use. See here for more info on how to enable Webhooks.
  • An If This Then That (IFTTT) account.
  • Optional: an image/icon for the webhook. This will show up for the account that will be posting the Reddit post to your Discord channel. I used this one.

The Setup

Let me preface this by saying that these instructions were created using the desktop version of Discord and a desktop web browser. It may be a little more tricky on mobile, and what you see may be a little different, but perhaps not.

Create a webhook for your Discord Channel.

1. Go to the Discord channel you want to use and click the gear icon to Edit Channel:




2. Click Webhooks in the left-side menu, then click the blue Create Webhook button on the right.

3. Give your webhook bot a name such as “Reddit post bot” and select the channel you are having it post to.

4. This is where you can optionally upload an icon for this bot. This will show up as the user icon when this bot posts to Discord.

5. Copy the Webhook URL, or keep it handy, so that you can paste it elsewhere in a few steps.

6. Click Save.

Create an IFTTT recipe

8. Open your IFTTT account, go to My Applets, then click New Applet.

9. Click the blue “+this” to add the first action.

10. Use “Search services” to search for Reddit, and choose the “Any new post in subreddit” trigger

11. For the “Subreddit” field, enter the subreddit you want to use without the “/r/” in front of it. For example:

12. Click Create Trigger.

13. Now you should see something like the following:



Click the “+that” link.

14. This time, under “Search services,” search for “webhooks.” Select the result and click “Make a web request.”

15. Now you can paste the Webhook URL you created in Step 5 above into the URL field here.

16. For “Method” choose POST and for Application Type choose “application/json”

17. Here’s the crucial part. Under “Body” copy and paste this entire line of json code exactly as-is EXCEPT, change YOUR BOT’S NAME to the name you want to give this bot (such as “Reddit Feed Bot” or “Fred”):

Optionally, you can change the “I have received a new post!” text to anything you want to show up any time there is a new post to Discord from this bot. Leave all the rest of the code as-is.

18. Click Save.

That’s it! Any new posts in the subreddit you chose should now show up in the Discord channel you chose. Keep in mind that it isn’t instant. It usually take about 15 to 30 minutes for new posts to show up for me, for whatever reason. If anyone knows how to speed that up, please feel free to post the solution in the comments section below.


My Slides from Drupal Camp Asheville 2017

Thanks to all for coming to my talk! Here are my slides. Drupal Security #devsecops #dcavl @drupalasheville
DevSecOps – Slides

I enjoyed being at Drupal Camp, and it was good talking with the many new folks I met (as well as the ones I already know). If you have any questions or comments, feel free to post here or contact me directly.


Video is Now Available Too!

Speaking at Drupal Camp Asheville

I will be doing a talk on Drupal and Security at this year’s Drupal Camp Asheville. I will cover some security best practices for Drupal developers, how to avoid certain Drupal-specific security gotchas, some lessons learned in keeping Drupal sites secure, and some handy tidbits you can use to prevent the bad people from ruining things.

The times for the various speaker sessions haven’t been announced yet, but stay tuned. I hope to see you all there!


A jQuery 1.x vulnerability exists and no fix is planned

I haven’t seen much talk about this issue around the Internet, so I thought I’d present what I’ve learned for others to be aware of. It mainly has to do with the fact that jQuery 1.x (and 2.x, for that matter) were replaced by 3.x, yet they are still thriving in many, many projects, applications, and websites to this day.

While doing a security review of some code the other day, a retirejs scan informed me that jQuery 1.x contained a Medium vulnerability regarding cross-domain requests in ajax. According to Snyk:

“Affected versions of the package are vulnerable to Cross-site Scripting (XSS) attacks when a cross-domain ajax request is performed without the dataType option causing text/javascript responses to be executed.

Remediation: Upgrade jquery to version 3.0.0 or higher.”

“Upgrading to 3.0.0 or higher seems pretty drastic,” I thought to myself. Well, according to a comment I found on jQuery’s GitHub page, this is actually their stance, and they don’t plan on patching 1.x because it is a ‘breaking change’:

So it would behoove you to upgrade to jQuery 3 if you don’t want to be susceptible to this vulnerability. The magnitude of that may seem rather staggering if you consider all the projects across just about everything (WordPress plugins, Drupal modules, etc etc) that bundle the 1.x version of jQuery, and haven’t updated it in years.

While the vulnerability may not be relevant if you are not making cross-domain ajax calls, this is but one risk that has come to light for which there will be no fix. And it’s not exactly reasonable to assume that developers know they need to avoid that if they intend to use jQuery 1.x.

The longer jQuery 1.x sits in your project, the higher a risk it becomes.

As the impending OWASP Top-10 for 2017 says, “Applications and APIs using components with known
vulnerabilities may undermine application defenses and enable various attacks and impacts.”

Long story short: Keep your bundled libraries up to date!

WordPress Security from WordCamp Asheville 2016

One of the coolest things about WordCamp is that they post videos of each talk and presentation on for viewing afterwards. It give you the chance to see all the great presentations you may have missed, or to revisit the ones you attended.

With so many WordCamps happening all over the world, it is a great resource.

My presentation from WordCamp Asheville 2016, titled WordPress Security: Don’t Be a Target, is now live on

Speaking at WordCamp Asheville – June 3 – 5, 2016

Tickets are on sale for WordCamp Asheville, and I hope many of you will come. This is my first opportunity to attend WordCamp, and I’ll actually be getting to speak at it. Come check it out if you are attending.

My presentation will be about WordPress security, how to make yourself less of a target, and how to harden your WordPress website against hackers using freely available tools.

Come say Hi if you attend!