Según el manual de PHP, correr PHP con register_globals=on es, por lo menos, imprudente. Y por eso, desde hace varias versiones, la configuración por defecto es off. Considerando que para usar WordPress es necesario instalarlo en algún servidor, para protegerse de esta vulnerabilidad basta asegurarse de que el servidor en cuestión no tiene register_globals habilitado.

Del website de php (http://www.php.net/register_globals):
When on, register_globals will inject (poison) your scripts will all sorts of variables, like request variables from HTML forms. This coupled with the fact that PHP doesn't require variable initialization means writing insecure code is that much easier. It was a difficult decision, but the PHP community decided to disable this directive by default. When on, people use variables yet really don't know for sure where they come from and can only assume.

Roberto Zoia