A word-press user can download FTP into wordpress via plugin and somehow it gives them full access to the entire root directory of that account without having to know ftp credentials. I have no idea how it works, but to me it doesn’t seem right.
This is not a Hosting issue this is a security issue on WP. If a developer is running a system for a client and they happen to have /blog loaded with wordpress. The wordpress user can load in FTP and download and delete files within that public directory. That is a major security issue for developers.
