If you put a piece of software out on the internet, expect it to be targeted by people intent on creating havoc. They may just be bastards trying it on, they may be disgruntled users getting their own back, they may be criminals attempting to gain details that will assist in bilking people out of money. Whatever the reason, web sites are always attacked.
I find it disturbing that people fail to read installation instructions detailing how to secure an application, and then blame the coders for not having a secure application. This is just blame shifting. If you don't read the instructions you have nobody but yourself to blame. It doesn't matter whether it is web software or a chainsaw. If you take your arm off because you didn't read the instructions, it doesn't make you a victim, it makes you a dickhead.
Now wise up, people. Security is your responsibility. Sure, the programmer needs to use their best efforts to make sure their code is secure, but I can tell you right now, there will always be a flaw. It doesn't matter if it is built by a two-person team or a team with money coming out of their backside, it will have a flaw. It is your responsibility to make sure you set up your environment to be as secure as it can be, so at the very least you are not bypassing the security of the application.
We programmers hate writing instructions, so if we do, you'd better read them as there is a good reason for them being written.