I won't get into that, though.
The Danger/Concern is...
There's this file located in your /wp-includes/ folder that's called registration.php.
It essentially allows you to insert users into your WP user table on the fly. Thing is, it doesn't ask for any type of authentication!!
That means that anybody that knows about this file and a little bit of PHP can basically insert users into your WP database. This is bad.
I'm not gonna get into all that could happen; just FIX the possibility of someone hacking you by doing the following: (this is just off the top of my head and I have NOT tested this so I'm not sure if it will affect anything else -- but, I don't think it will because it seems that this file was put in place specifically for the purpose of inserting users outside of the normal channel).
That being understood...
Simply rename that file to something only you know. <-- NOT the answer
EDIT: I'm still looking for a solution that would be easy to implement. "I" could easily just add an IF statement that looked for a secret key; but, that wouldn't be very easy for non-coders. So, I'll keep looking.
I did some frantic searching and didn't find anybody yelling about it or complaining. The WP codex talks about it rather gingerly like it's no big deal. I did find quite a few sites in Russian (I think) talking about it.. I'm not prejudiced but.. <ahem>... not sure what they were talking about since I don't read Russian.
Do this NOW if you're wanting to protect your WP site(s) from being hacked.
One thing that could happen is someone adding themselves to your WP user database as an Admin and wreaking havoc on your blog. That would suck!
OK.. I warned ya. Hope you take heed.
IF someone with more WP expertise than me has something more elegant OR knows for a FACT that this cannot hurt our blogs, PLEASE speak up.
Edited for those coming behind us reading this thread.
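
A check for the outcome the post worries about, an administrator account the site owner did not create (added example, not part of the original post). It assumes the standard WordPress `wp_users` / `wp_usermeta` layout with the default `wp_` table prefix; the sample rows and the `known_admins` allowlist are constructed.

```python
import re
from datetime import datetime

# Constructed sample rows, shaped like an export of wp_users and wp_usermeta.
USERS = [
    {"ID": 1, "user_login": "siteowner", "user_registered": "2008-03-02 10:15:00"},
    {"ID": 2, "user_login": "guestwriter", "user_registered": "2008-06-11 08:00:00"},
    {"ID": 7, "user_login": "helper99", "user_registered": "2009-01-20 03:41:07"},
]
USERMETA = [
    {"user_id": 1, "meta_key": "wp_capabilities",
     "meta_value": 'a:1:{s:13:"administrator";b:1;}'},
    {"user_id": 2, "meta_key": "wp_capabilities",
     "meta_value": 'a:1:{s:6:"author";b:1;}'},
    {"user_id": 7, "meta_key": "wp_capabilities",
     "meta_value": 'a:1:{s:13:"administrator";b:1;}'},
]

# WordPress stores roles as keys of a PHP-serialized array; a role is held
# only when its value is boolean true (b:1).
ROLE_RE = re.compile(r's:\d+:"([^"]+)";b:1;')


def roles_of(meta_value):
    """Return the set of role names enabled in a serialized capabilities value."""
    return set(ROLE_RE.findall(meta_value))


def unexpected_admins(users, usermeta, known_admins, cap_key="wp_capabilities"):
    """Return administrator accounts whose login is not in known_admins,
    oldest registration first. cap_key is '<table prefix>capabilities'."""
    admin_ids = {
        m["user_id"] for m in usermeta
        if m["meta_key"] == cap_key and "administrator" in roles_of(m["meta_value"])
    }
    flagged = [u for u in users
               if u["ID"] in admin_ids and u["user_login"] not in known_admins]
    return sorted(
        flagged,
        key=lambda u: datetime.strptime(u["user_registered"], "%Y-%m-%d %H:%M:%S"),
    )


if __name__ == "__main__":
    for u in unexpected_admins(USERS, USERMETA, known_admins={"siteowner"}):
        print(u["ID"], u["user_login"], u["user_registered"])
```
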