I think it is not a security hole.
Most secure web servers use port 443 (if no port is added), and this is not a security hole.
Also, the name of a user is not the problem, but the password is.
If you use the Pi at home and do not forward port 4443 from the internet, it is additionally only accessible from your internal network.