
username restriction

Is there a way to restrict the allowed string in the username during registration in a custom plugin?

Example: spaces, ".", etc. are not allowed.


  • Thank you!

  • subdreamer San Jose, CA

    Great posts, guys! Now is there any way to restrict predefined usernames?

  • You mean to prevent certain words from ever being registered as a username by somebody (without due permission)?

  • edited October 2019

    You would need to add this function to your plugin or themehook, after the last closing curly bracket:


    if (!function_exists('validateAgainstUsernameBlacklist')) {
        function validateAgainstUsernameBlacklist($value) {
            // Names that Vanilla itself already reserves.
            $vanillaBlackList = UserModel::getUsernameBlacklist();
            // Extra reserved names from the config, falling back to the defaults given here.
            $myBlackList = c('Garden.User.UsernameBlacklist', 'boss, admin, administrator, owner, founder, staff, system, manager');
            //change the defaults ^^^
            // Split the comma-separated string, trim each entry, drop empties, lowercase.
            $myBlackList = explode(',', $myBlackList);
            $myBlackList = array_map('trim', $myBlackList);
            $myBlackList = array_filter($myBlackList);
            $myBlackList = array_map('strtolower', $myBlackList);
            $finalList = array_merge($vanillaBlackList, $myBlackList);
            // Case-insensitive exact match against the merged list.
            if (in_array(strtolower($value), $finalList)) {
                return '('.$value.') - '.t('Username is reserved. Please choose a different username.');
            }
            return true;
        }
    }

    To make $myBlackList more configurable, make a config for it (comma-separated list of names, case does not matter!):

    $Configuration['Garden']['User']['UsernameBlacklist'] = 'boss, admin, administrator, owner, founder, staff, system, manager';

    If you are curious what the existing vanilla blacklist is:

    public static function getUsernameBlacklist() {
    $pluginEndpoints = [
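
An added example, not part of the posts above and not Vanilla's own code: a standalone PHP check that covers both the original question (rejecting spaces, dots and other characters through an allow-list) and the reserved-name comparison from the answer above. The function name `checkUsername`, the 3-20 length limit and the underscore folding are assumptions made for illustration, and the sample names are constructed.

```php
<?php
// Added example. checkUsername() and $reserved are hypothetical names,
// not part of Vanilla.

/**
 * Returns true when $name is acceptable, otherwise a rejection message.
 */
function checkUsername(string $name, array $reserved) {
    // Allow-list first: 3-20 ASCII letters, digits or underscores (assumed policy).
    // Spaces, dots and non-ASCII look-alikes fail here. \z instead of $ so a
    // trailing newline cannot slip through.
    if (preg_match('/\A[A-Za-z0-9_]{3,20}\z/', $name) !== 1) {
        return 'Username may only contain letters, digits and underscores (3-20 characters).';
    }

    // Fold case and underscore padding so "Admin", "ADMIN" and "_admin_"
    // all compare equal to the reserved entry "admin".
    $canonical = str_replace('_', '', strtolower($name));

    foreach ($reserved as $word) {
        $word = str_replace('_', '', strtolower(trim($word)));
        if ($word !== '' && $canonical === $word) {
            // The message does not echo the submitted value, so nothing
            // user-controlled ends up in the response.
            return 'Username is reserved. Please choose a different username.';
        }
    }
    return true;
}

// Constructed sample input.
$reserved = explode(',', 'boss, admin, administrator, owner, founder, staff, system, manager');
$samples  = ['alice_01', 'Admin', '_admin_', 'ad min', 'a.dmin', "admin\n", 'ａｄｍｉｎ', 'administrator2'];

foreach ($samples as $s) {
    $result = checkUsername($s, $reserved);
    printf("%-16s %s\n", json_encode($s), $result === true ? 'ok' : $result);
}
```

`administrator2` is accepted: an exact-match list, here and in the `in_array` check above, only blocks the listed names themselves.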

  • subdreamer San Jose, CA

    Thanks a bunch, @donshakespeare! I appreciate your help. I'll try this out as soon as I can.

  • edited October 2019


    When you try it let us know how it goes.

    I use SSO, so I have a custom solution from the mother site :)


    I went and tested the code, so I corrected a few things above. Works as expected now.

  • edited April 2021

    Any recommended changes since the release of 2021.003 in regards to the username blacklist?

  • Bleistivt Moderator

    @somerandomfellow You can also just add a ban rule for the user name to prevent it being registered.

  • @Bleistivt Where are the ban rules located?

    I wondered if I could just append it as this method doesn't seem to work anymore.

  • Kaspar Moderator

    See left side

  • edited April 2021

    @Kaspar You know what, didn't even realize the UI/Dashboard had a selection for username.

    Thought it was just IP and email.

    Nvm, although am still curious where the ban rules are in the directory as I'd like to change the alert/message users receive when being rejected.
