diff --git a/models/site.rb b/models/site.rb
index c1458f1a..76a2f5ae 100644
--- a/models/site.rb
+++ b/models/site.rb
@@ -245,6 +245,10 @@ class Site < Sequel::Model
     filename.gsub(/[^a-zA-Z0-9_\-.]/, '')
   end
 
+  def self.valid_username?(username)
+    !username.empty? && username.match(/^[a-zA-Z0-9_\-]+$/i)
+  end
+
   def self.valid_file_type?(uploaded_file)
     mime_type = Magic.guess_file_mime_type uploaded_file[:tempfile].path
 
@@ -375,6 +379,10 @@ class Site < Sequel::Model
       errors.add :over_capacity, 'We are currently at capacity, and cannot create your home page. We will fix this shortly. Please come back later and try again, our apologies.'
     end
 
+    if !self.class.valid_username?(values[:username])
+      errors.add :username, 'A valid user/site name is required.'
+    end
+
     # TODO regex fails for usernames <= 2 chars, tempfix for now.
     if new? && values[:username].length > 2 && !values[:username].match(VALID_HOSTNAME)
       errors.add :username, 'A valid user/site name is required.'
@@ -384,7 +392,6 @@ class Site < Sequel::Model
       errors.add :username, 'User/site name cannot exceed 32 characters.'
     end
 
-    # Check that email has been provided
     if new? && values[:email].empty?
       errors.add :email, 'An email address is required.'
 
diff --git a/tests/acceptance_tests.rb b/tests/acceptance_tests.rb
index 29a1071e..2f58fe01 100644
--- a/tests/acceptance_tests.rb
+++ b/tests/acceptance_tests.rb
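Review bot: `valid_username?` anchors its pattern with `^`/`$`, which in Ruby match at line boundaries rather than string ends, so a username containing a newline passes as long as one of its lines is clean; anchor the whole string instead and return a boolean, `!username.empty? && username.match?(/\A[a-zA-Z0-9_\-]+\z/)` (the `/i` flag is redundant since both letter cases are listed; `match?` needs Ruby 2.4+, otherwise `!username.match(...).nil?`). The call in the second hunk, `if !self.class.valid_username?(values[:username])`, is not gated on `new?` like the `VALID_HOSTNAME` check below it, so it runs on every validation; if `values[:username]` can be nil there, `empty?` raises NoMethodError instead of adding the error, so a `username.to_s` coercion or nil guard in the predicate would be safer. A short comment on the predicate stating that it exists to reject path-like names on rename (the acceptance test's `../hack` cases) would explain why it duplicates the hostname check. The third hunk only drops a comment; the enclosing validate method starts and ends outside these hunks.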
@@ -16,6 +16,47 @@ describe 'index' do
     end
   end
 
+describe 'change username' do
+  include Capybara::DSL
+
+  def visit_signup
+    visit '/'
+    click_button 'Create My Website'
+  end
+
+  def fill_in_valid
+    @site = Fabricate.attributes_for(:site)
+    fill_in 'username', with: @site[:username]
+    fill_in 'password', with: @site[:password]
+    fill_in 'email', with: @site[:email]
+  end
+
+  before do
+    Capybara.reset_sessions!
+    visit_signup
+  end
+
+  it 'does not allow bad usernames' do
+    visit '/'
+    click_button 'Create My Website'
+    fill_in_valid
+    click_button 'Create Home Page'
+    visit '/settings'
+    fill_in 'name', with: ''
+    click_button 'Change Name'
+    fill_in 'name', with: '../hack'
+    click_button 'Change Name'
+    fill_in 'name', with: 'derp../hack'
+    click_button 'Change Name'
+    ## TODO fix this without screwing up legacy sites
+    #fill_in 'name', with: '-'
+    #click_button 'Change Name'
+    page.must_have_content /valid.+name.+required/i
+    Site[username: @site[:username]].wont_equal nil
+    Site[username: ''].must_equal nil
+  end
+end
+
 describe 'signup' do
   include Capybara::DSL