A foolish but working example:
To keep others from directly accessing your XAMPP welcome page, just rename the /xampp/htdocs/xampp folder...
I am not kidding, it is the simplest way to enable security. And I have already done that.
Only you, who know the directory's real name, can access the XAMPP welcome page.
And I assume you already know how to secure your phpMyAdmin and Mercury, etc.
Hope it helps.