[wp-docs] Hardening WordPress
Owen Winkler
ringmaster at midnightcircus.com
Fri Jul 15 18:01:35 GMT 2005
Scott Merrill wrote:
> Owen Winkler wrote:
>
>>That reminds me... The whole "renaming the admin account" problem
>>doesn't exist in 1.6. Not sure where to note that since 1.6 isn't live
>>yet, but the docs should change when it is.
>
>
> Can you elaborate, for those of us not tracking the SVN commits?
>
The reason you can't change the admin username in 1.5 via WP is because
in order to edit a user, you must have a higher user level than the
level of the user you want to edit.

Since "admin" is level 10, it can't edit itself, and WordPress 1.5
doesn't let you promote past user level 9.

In 1.6 SVN, your ability to edit users is dependent on having the
edit_users capability. If you have it, you can edit users. Period.

Since there is no hierarchical distinction between users in the new
role-based system, there is no way for WP 1.6 to know what WP 1.5 knows
about "lesser" users not editing users with a "higher level". There's
just no such concept.

As such, users with the "Administrator" role (an arbitrary name for the
benefit of assigning a pre-configured set of capabilities) have the
edit_users capability, and those users can edit any username. So you
need not use phpMyAdmin to change the default "admin" username if you
don't want to in 1.6.

Owen
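
The two authorization rules described in the message above, side by side, as an added example that is not part of the original post and is not WordPress source code. The user records, the "Author" role's capability list and the function names are constructed for illustration; only the level rule, the edit_users capability and the "Administrator" role come from the message.

```php
<?php
// Simplified model of the two rules described in the message; not WordPress code.
// All users, the role-to-capability map and the function names are constructed.

// 1.5 rule as described: the editor's level must be strictly higher than the target's.
function can_edit_by_level(array $editor, array $target): bool {
    return $editor['level'] > $target['level'];
}

// 1.6 rule as described: holding edit_users is sufficient, whoever the target is.
function can_edit_by_capability(array $editor, array $roleCaps): bool {
    return in_array('edit_users', $roleCaps[$editor['role']] ?? [], true);
}

// Constructed role definitions: a role is only a named set of capabilities.
$roleCaps = [
    'Administrator' => ['edit_users', 'edit_posts'],
    'Author'        => ['edit_posts'],
];

// Constructed users carrying both a 1.5-style level and a 1.6-style role.
$users = [
    'admin' => ['level' => 10, 'role' => 'Administrator'],
    'alice' => ['level' => 9,  'role' => 'Administrator'],
    'bob'   => ['level' => 2,  'role' => 'Author'],
];

// Print the full editor/target matrix under both rules.
foreach ($users as $editorName => $editor) {
    foreach ($users as $targetName => $target) {
        printf(
            "%-5s -> %-5s  1.5: %-5s  1.6: %s\n",
            $editorName,
            $targetName,
            can_edit_by_level($editor, $target) ? 'allow' : 'deny',
            can_edit_by_capability($editor, $roleCaps) ? 'allow' : 'deny'
        );
    }
}
```

In the output, the level rule denies admin -> admin because 10 is not greater than 10, while the capability rule allows it; the capability rule also allows alice -> admin, since no ordering between edit_users holders exists.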