Security

Yes, bots routinely scan IP addresses for phpMyAdmin and other things to hax0r. You could set up fail2ban or somesuch to whack them, but it's probably not worth bothering. There are so many of them, and you're not letting them actually find anything, right?

You can but it's generally not worth it. If you make services publicly available assume that people are going to try things against them.

There does exist software that you can use to guard against these sorts of things but in general unless you want to monitor it nearly every day and add filter rules, it's not worth it.

Your best defense against this stuff is to move applications out of default directories, keep your applications updated, never allow the applications to have root access to anything (databases, or system)–and go from there.

If you do have or want remote Administration applications, try doing a server-side validation of your client before allowing a connection. In this manner the TLS connection will fail since the server isn't provided with a valid client certificate.