One item I often see overlooked when building a website with user profiles is reserved-name limits in username validation. The obvious names to exclude are ‘admin’, ‘staff’, and ‘system’, but I’d suggest an even wider blacklist. If your website offers short profile URLs (site.com/username rather than site.com/users/username) or virtual subdomains (username.site.com), a registered username can collide with a real route or hostname, so the list should also include names like ‘account’, ‘secure’, and ‘redirect’.
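Here is an added example (my own code, not from the original post) of what such a check can look like. It assumes a Python signup handler calls `validate_username` with flags saying whether the site serves short profile URLs or per-user subdomains; the reserved lists are constructed starting points, not an exhaustive set, and the check runs on the normalised name so ‘Admin’ or ‘ admin ’ is caught along with ‘admin’.

```python
import re

# Constructed starting lists for this example; extend them for your own routes.
# Names that collide with site roles no matter how profiles are addressed.
BASE_RESERVED = {"admin", "administrator", "staff", "system", "root", "support", "help"}

# Extra names that collide with paths once profiles live at site.com/<username>.
PATH_RESERVED = {"account", "login", "logout", "register", "secure",
                 "redirect", "api", "static", "settings"}

# Extra names that collide with hostnames once profiles live at <username>.site.com.
# DNS labels are case-insensitive, so the lower-casing below matters here too.
SUBDOMAIN_RESERVED = {"www", "mail", "smtp", "ftp", "secure", "api",
                      "admin", "redirect", "account"}

# 3 to 32 chars, lowercase alphanumerics and inner hyphens only: safe as a
# URL path segment and as a DNS label (no leading/trailing hyphen, no dots).
USERNAME_RE = re.compile(r"^[a-z0-9][a-z0-9-]{1,30}[a-z0-9]$")


def reserved_names(short_urls=False, subdomains=False):
    """Build the blacklist that applies to this site's URL layout."""
    names = set(BASE_RESERVED)
    if short_urls:
        names |= PATH_RESERVED
    if subdomains:
        names |= SUBDOMAIN_RESERVED
    return names


def validate_username(raw, short_urls=False, subdomains=False):
    """Return (ok, reason); reason is None when the name is acceptable.

    The name is trimmed and lower-cased before both checks so that case or
    whitespace variants of a reserved word cannot slip past the blacklist.
    """
    name = raw.strip().lower()
    if not USERNAME_RE.match(name):
        return False, "invalid format"
    if name in reserved_names(short_urls, subdomains):
        return False, "reserved name"
    return True, None


if __name__ == "__main__":
    for candidate in ("alice", "Admin", "account", "www", "-bob", "bob!"):
        print(candidate, validate_username(candidate, short_urls=True, subdomains=True))
```

Note that the blacklist is tied to the site's routing: ‘account’ is a perfectly fine username on site.com/users/account, but not once profiles move to site.com/account, so the flags should mirror whatever the router and DNS actually serve.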
Security isn’t easy. Hopefully this helps you add yet another layer of protection to your site or client project. Username blacklists: added to the checklist.