diff --git a/includes/class-admin.php b/includes/class-admin.php
index a7da307e..9c708d76 100644
--- a/includes/class-admin.php
+++ b/includes/class-admin.php
@@ -1867,6 +1867,10 @@ public function process_admin_add_friend( $vars ) {
 return new \WP_Error( 'friend-yourself', __( 'It seems like you sent a friend request to yourself.', 'friends' ) );
 }
 
+ if ( ! Friends::check_url( $friend_url ) ) {
+ return new \WP_Error( 'invalid-url', __( 'You entered an invalid URL.', 'friends' ) );
+ }
+
 $friend_user = User::get_user( $friend_user_login );
 if ( $friend_user && ! is_wp_error( $friend_user ) ) {
 if ( $friend_user->is_valid_friend() ) {
diff --git a/includes/class-feed.php b/includes/class-feed.php
index 2f781abb..81625cb2 100644
--- a/includes/class-feed.php
+++ b/includes/class-feed.php
@@ -796,6 +796,9 @@ public function invalidate_post_count_cache( $post_ID, \WP_Post $post ) {
 * @return array The available feeds.
 */
 public function discover_available_feeds( $url ) {
+ if ( ! Friends::check_url( $url ) ) {
+ return array();
+ }
 $available_feeds = array();
 $content = null;
 $content_type = 'text/html';
diff --git a/includes/class-user.php b/includes/class-user.php
index caea054f..8c2d43ff 100644
--- a/includes/class-user.php
+++ b/includes/class-user.php
@@ -496,6 +496,10 @@ public function retrieve_posts_from_feeds( array $feeds ) {
 public function modify_query_by_author( \WP_Query $query ) {
 $query->set( 'author', $this->ID );
+ if ( ! user_can( $this->ID, 'friends_plugin' ) || user_can( $this->ID, 'administrator' ) ) {
+ // If the user doesn't belong to the friends plugin, only show their local posts so that subcriptions don't spill in.
+ $query->set( 'post_type', 'post' );
+ }
 return $query;
 }
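Review bot: The `Friends::check_url( $friend_url )` guard sits after the `friend-yourself` comparison and after `$friend_user_login` has apparently already been derived from `$friend_url` (that derivation is outside the hunk), so an invalid URL is still parsed and compared before it is rejected; moving the guard to the first use of `$friend_url` in `process_admin_add_friend()` would make it the single entry gate for the method. The new `invalid-url` error code should also be listed in the method's docblock next to `friend-yourself`, so callers that render errors know to expect it. `process_admin_add_friend()` starts and ends outside this hunk.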
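Review bot: Returning a bare `array()` when `Friends::check_url( $url )` fails makes an invalid URL indistinguishable from a valid URL with no discoverable feeds, and the docblock line `@return array The available feeds.` says nothing about the early return; either add `Returns an empty array, without fetching anything, when $url does not pass Friends::check_url().` to the docblock, or return a `\WP_Error( 'invalid-url', … )` as the class-admin.php hunk does and let callers decide. The rest of `discover_available_feeds()` appears to fetch `$url` (the `$content` / `$content_type` locals, body outside the hunk), so this guard looks like the only check between caller-supplied input and an outbound request — worth stating in the docblock what `check_url()` is expected to reject (scheme, host) so that a later change to it is reviewed with this caller in mind. The method body continues past the hunk.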
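Review bot: The comment explains only the first clause of the condition; the `|| user_can( $this->ID, 'administrator' )` clause, which forces `post_type` to `post` for administrators as well, is not explained, and `'administrator'` is a role name passed where `user_can()` expects a capability (WordPress recommends checking a capability rather than a role). Reword the comment so it covers both cases and fix the typo `subcriptions`, e.g. `// Users outside the friends plugin, and administrators, only get their local posts so that subscriptions don't spill into the author query.`. Also note that `$query->set( 'post_type', 'post' )` overwrites any `post_type` the caller already set on `$query`, which deserves a sentence in the comment or in `modify_query_by_author()`'s docblock.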