When asked the question of how many accounts are needed on a personal blog, most people will likely answer, that they see no need for having more than one on a single user system and therefore just use the administrator account for everything. More experienced users might know better and setup an extra account for day to do work, logging in as administrator only when there are administrative tasks at hand. This limits the danger of accidentally messing up the blog in a sleep deprived state and the damage that might be caused by a break-in.
There is most certainly a difference between what an attacker could do when getting hold of the administrator account as compared to what can be done with just the blogger account.
Starting out with two accounts, "administrator" and "blogger", is a wise choice to begin with. It is, however, not sufficient. Consider being on vacation and not having access to a trusted computer, but having the need to blog about something. In such cases, an internet cafe or a public library might provide the only kind of internet connection available. Using computers in such locations bears two prime risks:
- A previous user may (accidentally) have installed some kind of spyware.
- Forgetting to logout/clear cookies after finishing the blog post.
Though at least the administrator account is safe in both scenarios, the blogging account is not. That is, while potential attackers may not gain the ability to execute PHP code, they most certainly could delete the entire content, deface the blog or sneak backlinks for own sites in older articles (for the purpose of pushing their own page rank).
Taking the previous considerations into account, makes it advisable, to use at least three accounts. The "administrator" account for doing site management, the "blogger" account for anything content related and the "sandbox" account submitting blog posts from untrusted computers.
While a "sandbox" account is a security feature, it also requires some discipline to employ. The thing to keep in mind, when using this kind of setup is, that the "sandbox" account only serves as escrow and node ownership must be transferred to the regular blogging account as soon as a secure internet connection becomes available again.