Replying to azouamauriac:
I'm able to reproduce the issue, the function was introduce here [8728]. For what I understand it used to replace mt_rand RE https://www.php.net/manual/en/function.mt-rand.php.
but "why" i don't know.
You can find more details in the WordPress 2.6.2 release post.
Looks like the current behavior is intentional, see for example this line added in [34981] / #28633:
$_max = ( 0 != $max ) ? $max : $max_random_number;
This is also consistent with mt_rand()
, which returns a random integer and not 0 when parameters are omitted. So changing this behavior does not seem feasible due to security implications, but we can update the documentation to mention that the $max
value is only taken into account if it's greater than zero.