Unsecured fresh install states that rely on you signing in before an attacker does were always a horrible idea. It's been a welcome change on the Linux side where Linux distros can install with your SSH key and details preloaded so password login is always disabled.

These PHP apps need to change so you first boot the app with credentials so the app is secured at all moments.