WordPress · cweiske · Apr 3, 2026
diff --git a/src/wp-includes/default-filters.php b/src/wp-includes/default-filters.php
@@ -393,6 +393,9 @@
 add_action( 'login_init', 'send_frame_options_header', 10, 0 );
 add_action( 'login_init', 'wp_admin_headers' );
 
+// Registration
+add_filter( 'validate_username', 'wp_validate_username_spam', 10, 2 );
+
 // Feed generator tags.
 foreach ( array( 'rss2_head', 'commentsrss2_head', 'rss_head', 'rdf_header', 'atom_head', 'comments_atom_head', 'opml_head', 'app_head' ) as $action ) {
 	add_action( $action, 'the_generator' );

diff --git a/src/wp-includes/user.php b/src/wp-includes/user.php
@@ -5094,6 +5094,22 @@ function wp_validate_user_request_key(
 	return true;
 }
 
+/**
+ * Reject usernames that can be used for spamming people.
+ *
+ * @param string $username Username to check.
+ * @return bool Whether username given is valid.
+ */
+function wp_validate_username_spam( $valid, $username ) {
+	//username begins with "www." or has " www." in it,
+	// which gets auto-linked by email clients
+	if ( strpos( ' ' . $username, ' www.' ) !== false ) {
+		return false;
+	}
+
+	return $valid;
+}
+
 /**
  * Returns the user request object for the specified request ID.
  *

diff --git a/tests/phpunit/tests/user.php b/tests/phpunit/tests/user.php
@@ -1273,6 +1273,14 @@ public function test_validate_username_invalid() {
 		$this->assertFalse( validate_username( '@#&99sd' ) );
 	}
 
+	/**
+	 * @ticket 63085
+	 */
+	public function test_validate_username_spam() {
+		$this->assertFalse( validate_username( 'www.example.com - 1.2342 BTC' ) );
+		$this->assertFalse( validate_username( '1.23 BTC www.spammer.example.com' ) );
+	}
+
 	/**
 	 * @ticket 29880
 	 */