So, I can't imagine this has gone completely unnoticed, but I found it very odd.
I set up WordPress (I uploaded it via ftp) and configured the wp-config.php file with the MySQL database info. Now it seems that when you go to the website, ANYONE can set up the initial username and password.
Of course I always go to the site immediately and set up my own username and password, after which you get the login screen, but shouldn't there be a more secure way?
[Moved to Requests & Feedback]