Anyone without the network skills to detect and thwart intrusions should never open their machine up to the internet. There are plenty of guidelines on the web that will show you what to do, but my advice is not to do it because for most people it is like leaving the doors of an expensive sports car open with a sign that says "Hey, go ahead and steal me."
XAMPP (as was the built-in Apple Apache/PHP) was designed for internal use only. If you want to have an external site, get yourself a web host for a few dollars a month and do it that way. In the long run, it will be a lot cheaper. One good hacker can screw up your machine such that you will have to reinstall everything. How expensive in your time and nervous system is that?