Looks like you can, though I’ve never tried. After digging through wp-login.php and a few other files, I found my way to the sanitize_user function and filter. Here’s the function description from /wp-includes/formatting.php (on line 888 as of this writing):
Removes tags, octets, entities, and if strict is enabled, will only keep alphanumeric, _, space, ., -, @. After sanitizing, it passes the username, raw username (the username in the parameter), and the value of $strict as parameters for the ‘sanitize_user’ filter.
Here’s the filter, the last line of the function:
apply_filters( 'sanitize_user', $username, $raw_username, $strict );
So, you obviously need to take care to appropriately sanitize the username (and probably should account for when $strict is true), but you can override the username passed on to WordPress from the login form and other forms (which is to say, be careful and watch out for something unexpected).
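
A sketch of hooking the filter described in the answer above, added here as an example and not taken from the original post or from WordPress core. The callback name `myplugin_normalize_login` and the `example.test` domain are hypothetical; it assumes you want logins typed as "alice@example.test" treated as "alice".

```php
<?php
// Added example, not WordPress core code. The function name and the
// example.test domain are hypothetical.

/**
 * Map "alice@example.test" to "alice" wherever sanitize_user() runs.
 *
 * @param string $username     Username already sanitized by core.
 * @param string $raw_username Value originally passed to sanitize_user().
 * @param bool   $strict       Whether core applied the strict character set.
 * @return string
 */
function myplugin_normalize_login( $username, $raw_username, $strict ) {
    $suffix = '@example.test'; // constructed sample domain
    $len    = strlen( $suffix );

    // Work from $username, never $raw_username: the raw value still holds
    // the tags, octets and entities that core just removed.
    if ( strlen( $username ) <= $len
        || 0 !== strcasecmp( substr( $username, -$len ), $suffix ) ) {
        return $username; // not our suffix, leave core's result alone
    }

    $candidate = trim( substr( $username, 0, -$len ) );

    if ( $strict ) {
        // Keep the strict guarantee (alphanumeric, _, space, ., -, @)
        // even if the rewriting above is changed later.
        $candidate = preg_replace( '|[^a-z0-9 _.\-@]|i', '', $candidate );
    }

    // Never hand back an empty username; fall back to core's value.
    return '' === $candidate ? $username : $candidate;
}

// Priority 10, and 3 accepted arguments so $raw_username and $strict arrive.
add_filter( 'sanitize_user', 'myplugin_normalize_login', 10, 3 );
```

The filter fires for every sanitize_user() call, not only the login form, so the same rewrite also applies when accounts are created or looked up.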