diff --git a/public/src/admin/manage/groups.js b/public/src/admin/manage/groups.js
index 6c4276c268..bab28bfa16 100644
--- a/public/src/admin/manage/groups.js
+++ b/public/src/admin/manage/groups.js
@@ -101,7 +101,7 @@ define('admin/manage/groups', ['translator', 'benchpress'], function (translator
 }, function (html) {
 translator.translate(html, function (html) {
 groupsEl.find('[data-groupname]').remove();
- groupsEl.find('tr').after(html);
+ groupsEl.find('tbody').append(html);
 });
 });
 });
diff --git a/src/socket.io/groups.js b/src/socket.io/groups.js
index fa88cd9e24..7d6417b700 100644
--- a/src/socket.io/groups.js
+++ b/src/socket.io/groups.js
@@ -291,7 +291,7 @@ SocketGroups.search = async (socket, data) => {
 const groupData = await groups.getGroupsBySort(data.options.sort, 0, groupsPerPage - 1);
 return groupData;
 }
-
+ data.options.filterHidden = data.options.filterHidden || !await user.isAdministrator(socket.uid);
 return await groups.search(data.query, data.options);
 };
@@ -309,6 +309,13 @@ SocketGroups.loadMore = async (socket, data) => {
 SocketGroups.searchMembers = async (socket, data) => {
 data.uid = socket.uid;
+ const [isOwner, isAdmin] = await Promise.all([
+ groups.ownership.isOwner(socket.uid, data.groupName),
+ user.isAdministrator(socket.uid),
+ ]);
+ if (!isOwner && !isAdmin) {
+ throw new Error('[[error:no-privileges]]');
+ }
 return await groups.searchMembers(data);
 };
diff --git a/test/groups.js b/test/groups.js
index 3d1627e062..986509e863 100644
--- a/test/groups.js
+++ b/test/groups.js
@@ -196,6 +196,15 @@ describe('Groups', function () {
 done();
 });
 });
+
+ it('should not return hidden groups', async function () {
+ await Groups.create({
+ name: 'hiddenGroup',
+ hidden: '1',
+ });
+ const result = await socketGroups.search({ uid: testUid }, { query: 'hiddenGroup' });
+ assert.equal(result.length, 0);
+ });
 });
 describe('.isMember()', function () {
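Review bot: In `SocketGroups.search` the new `filterHidden` assignment only runs on the query path; the `if (!data.query)` branch just above it still returns the result of `groups.getGroupsBySort(...)` unchanged. Whether that helper can include hidden groups is not visible in this diff, so it should be confirmed and recorded, for example with `// getGroupsBySort lists only visible groups, so no filterHidden is needed on this path` once verified, or by filtering `groupData` for non-administrators if it can. The line also relies on `data.options` already being an object, which has to be established earlier in the function, outside this hunk.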
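Review bot: The owner-or-administrator check in `SocketGroups.searchMembers` lives only in the socket handler, so `groups.searchMembers` itself stays unguarded and any other caller (none is visible in this diff) would bypass it; a comment above the check such as `// authorization for member search is enforced here, not in groups.searchMembers` would make that contract explicit. `data.groupName` is also used without validation, and a guard like `if (!data || !data.groupName) { throw new Error('[[error:invalid-data]]'); }` placed before `data.uid = socket.uid` would give a clear error instead of a TypeError or an ownership lookup on `undefined`. The gate applies to every group, not only hidden ones, so ordinary members appear to lose member search on public groups; confirm that this is intended.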
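Review bot: The added test exercises only the query path of `socketGroups.search`; nothing covers the new privilege check in `SocketGroups.searchMembers`, which is the stricter boundary this commit introduces. A companion test that calls `searchMembers` as `testUid` and expects `[[error:no-privileges]]` would pin it; this assumes `testUid` is neither an administrator nor an owner of the group, and the `result.length` assertion already implies the first part. The `hiddenGroup` created here is also never removed, so later tests in this file that list or count groups may see it. The group name in the sketch below is a constructed sample.

```javascript
it('should not let a non-owner search group members', async function () {
	await Groups.create({
		name: 'memberSearchHiddenGroup',
		hidden: '1',
	});
	let err;
	try {
		await socketGroups.searchMembers({ uid: testUid }, { groupName: 'memberSearchHiddenGroup', query: '' });
	} catch (_err) {
		err = _err;
	}
	assert(err);
	assert.equal(err.message, '[[error:no-privileges]]');
});
```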