Does Restrict Usernames have any unpatched vulnerabilities?

No published vulnerabilities and no findings under coordinated disclosure as of the latest data update. Always keep the plugin updated to the latest version.

Is Restrict Usernames compatible with WordPress 4.9.29?

According to WordPress.org data, Restrict Usernames 3.7 has been tested up to WordPress 4.9.29. Check the plugin's changelog for the latest compatibility information.

How often is Restrict Usernames updated?

Restrict Usernames was last updated on Jun 21, 2018. Frequent updates are generally a positive security signal.

What is Restrict Usernames's security score?

Restrict Usernames has a WP-Safety security score of 85/100. This score is computed from CVE history, patch response time, developer trust signals, and plugin maintenance activity.

Restrict Usernames Security & Risk Analysis

wordpress.org/plugins/restrict-usernames

Restrict the usernames that new users may use when registering for your site.

200 active installs v3.7 PHP + WP 4.7+ Updated Jun 21, 2018

registrationrestrictionssignupusernameusers

A · Safe

CVEs total0

Unpatched0

Last CVENever

Plugin page Download

Safety Verdict

Is Restrict Usernames Safe to Use in 2026?

Generally Safe

Score 85/100

Restrict Usernames has no known CVEs and is actively maintained. It's a solid choice for most WordPress installations.

No known CVEs Updated 7yr ago

Risk Assessment

The "restrict-usernames" v3.7 plugin exhibits a generally strong security posture with a minimal attack surface and a good track record of no known vulnerabilities. The static analysis reveals no direct entry points like AJAX handlers, REST API routes, or shortcodes that are unprotected. SQL queries are exclusively handled with prepared statements, and there are no file operations or external HTTP requests, all of which are positive security indicators. However, a significant concern arises from the presence of the `unserialize` function, which, without proper sanitization of the data being unserialized, can lead to Remote Code Execution (RCE) vulnerabilities. The low percentage of properly escaped output (26%) also presents a risk of Cross-Site Scripting (XSS) vulnerabilities, particularly if user-controlled data is being displayed without adequate sanitization.

Key Concerns

Dangerous function `unserialize` present
Low percentage of properly escaped output

Vulnerabilities

None known

Restrict Usernames Security Vulnerabilities

No known vulnerabilities — this is a good sign.

Version History

Restrict Usernames Release Timeline

v3.7Current

v3.6

v3.5.1

v3.5

v3.4.1

v3.4

v3.3

v3.2

v3.1

v3.0.1

v3.0

v1.1

v1.0

Code Analysis

Analyzed Mar 16, 2026

Restrict Usernames Code Analysis

Dangerous Functions

Raw SQL Queries

0 prepared

Unescaped Output

9 escaped

Nonce Checks

Capability Checks

File Operations

External Requests

Bundled Libraries

Dangerous Functions Found

unserialize$plugins = unserialize( $r['body']['plugins'] );c2c-plugin.php:276

Output Escaping

26% escaped34 total outputs

Attack Surface

Restrict Usernames Attack Surface

Entry Points0

Unprotected0

WordPress Hooks 17

actioninitc2c-plugin.php:120

actionadmin_initc2c-plugin.php:124

actionadmin_headc2c-plugin.php:126

filterplugin_row_metac2c-plugin.php:183

filterhttp_request_argsc2c-plugin.php:186

actionadmin_menuc2c-plugin.php:190

filtercontextual_helpc2c-plugin.php:193

filterwhitelist_optionsc2c-plugin.php:289

actionnetwork_admin_menurestrict-usernames.php:190

actionall_admin_noticesrestrict-usernames.php:195

actionadmin_initrestrict-usernames.php:196

filterillegal_user_loginsrestrict-usernames.php:199

filterwpmu_validate_user_signuprestrict-usernames.php:203

filterbp_core_validate_user_signuprestrict-usernames.php:206

filtervalidate_usernamerestrict-usernames.php:209

filterregistration_errorsrestrict-usernames.php:212

filtervalidate_usernamerestrict-usernames.php:507

Maintenance & Trust

Restrict Usernames Maintenance & Trust

Maintenance Signals

WordPress version tested4.9.29

Last updatedJun 21, 2018

PHP min version

Downloads24K

Community Trust

Rating72/100

Number of ratings14

Active installs200

Alternatives

Restrict Usernames Alternatives

New User Approve

new-user-approve

WordPress user approval plugin to moderate registrations. Approve or deny real users and prevent fake signups to control who registers on site.

20K 9 CVEs

Allow Multiple Accounts

allow-multiple-accounts

Allow multiple user accounts to be created, registered, and updated having the same email address.

9K No CVEs

Customer Email Verification for WooCommerce

customer-email-verification-for-woocommerce

100

Secure WooCommerce registrations with OTP-based email verification, reducing spam and ensuring only valid email addresses are used.

2K No CVEs

Users Registration Date

users-registered-list

100

New sortable "Registered" date column on the Users page in wp-admin area to see when each user has registered on a site.

2K No CVEs

Manage User Columns

manage-user-columns

This plugin allows you to manage columns under the users page in the WordPress admin area.

1K 1 CVE

Developer Profile

Restrict Usernames Developer Profile

Scott Reilly

63 plugins · 92K total installs

trust score

Avg Security Score

88/100

Avg Patch Time

374 days

View full developer profile

Detection Fingerprints

How We Detect Restrict Usernames

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths

/wp-content/plugins/restrict-usernames/c2c-restrict-usernames.css/wp-content/plugins/restrict-usernames/restrict-usernames.js

Script Paths

/wp-content/plugins/restrict-usernames/restrict-usernames.js

Version Parameters

restrict-usernames/c2c-restrict-usernames.css?ver=restrict-usernames/restrict-usernames.js?ver=

HTML / DOM Fingerprints

CSS Classes

c2c-restrict-usernames-settings

HTML Comments

Copyright (c) 2008-2018 by Scott Reilly (aka coffee2code)This program is free software; you can redistribute it and/ormodify it under the terms of the GNU General Public Licenseas published by the Free Software Foundation; either version 2+24 more

Data Attributes

data-setting-name="c2c_restrict_usernames"

JS Globals

c2c_restrict_usernames_admin_script

FAQ