This is slightly off-topic from the original post so I'm changing the subject.
On Dec 9, 2007 6:30 PM, Shai Gluskin shai@content2zero.com wrote:
> Here is the handbook page that describes why not using user/1 for day-to-day is a best practice:
I don't think the conclusion you've drawn is really reflected in the meat of the page. That's especially true if you use an account that is granted a role that has all permissions on a site - that account is just as vulnerable to most of the security problems listed on that page.
The only thing that the "user 2 with all privileges" setup gets you is a small amount of protection on security holes/actions in the update.php file. But if you have a "user 2 with all privileges" then that person probably has access to the PHP input format and can do a lot of damage to your site (which is worth a reminder: if you don't need it, then disable the PHP input format).
Regards, Greg