Hey friend!

That’s a great question. I’m afraid the answer won’t be as clear. First I’ll say that is not automatically done in the one-click images. Second, I’ll add that whether or not it’s necessary is up to you. The web server will run Wordpress through the privileged user “www-data” which does mean that a compromised Wordpress is not necessarily a compromised root user (I’ll side-step privilege escalation for this discussion as it gets further away from common, automated compromises).

Now, if you’re just managing a Wordpress site and the only reason you log in is to update packages (apt-get update && apt-get upgrade), you’re either going to use a sudo user or root, so most people honestly just stick with root and lock it down to SSH key only.

Since Wordpress isn’t running as root, and since you’re probably not doing much in the terminal, creating a second privileged user is probably not something that is worth your time to do (or would be of any real value in that case). That’s my two cents, and this is a topic in which someone will absolutely disagree with me (and they won’t be wrong for doing so).

Jarland