I use pmachine pro for a members-only site and like it a lot. I’m a fairly unskilled ‘vanilla’ user though, so not sure about what kind of mischief you’re particularly concerned about.
One tip on configuring is to use an .htaccess file in the scripts directory to allow the scripts to run as cgi…the pmachine file browser did not work otherwise. I believe the necessary line in the .htaccess file was
AddType php-cgi .php
(Search the DH knowledge base for ‘php as cgi’ for confirmation.)
On the pmachine support forum (also very helpful) I have read the suggestion to also add .htaccess password protection to the admin directory, as an extra layer of security if you are so inclined.