Ah ya, damn install directories. I've seen that happen many times on other sites. I've always programmed my install/setup programs to self-delete after they have been run the first time. Also have the main script detect if the install directory is present and halt running if it is. More and more other scripts are starting to do this, and it's a good thing.
Also, what a lot of other people fail to do is protect upload scripts, where it's easy to upload a PHP (or other server-side script) to do all the harm.
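The two safeguards mentioned in the post above, sketched as an added example that is not part of the original post or any particular script: the main script halts while a setup directory exists, and the upload handler accepts only allowlisted types under a server-chosen name. The directory paths, the `attachment` form field and the allowlist are assumptions.

```php
<?php
// Added example; paths, the form field name and the allowlist are assumptions.
declare(strict_types=1);

const INSTALL_DIR = __DIR__ . '/install';            // hypothetical installer location
const UPLOAD_DIR  = __DIR__ . '/../storage/uploads'; // hypothetical, outside the web root
const ALLOWED     = [                                // extension => expected MIME type
    'png' => 'image/png',
    'jpg' => 'image/jpeg',
    'pdf' => 'application/pdf',
];

// Guard for the main script: refuse to serve while the installer is still deployed.
function halt_if_installer_present(string $dir = INSTALL_DIR): void
{
    if (is_dir($dir)) {
        http_response_code(503);
        exit('Setup directory still present. Remove it before going live.');
    }
}

// Validate one entry from $_FILES and store it under a server-chosen name.
function store_upload(array $file, string $destDir = UPLOAD_DIR): string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK
        || !is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('Upload failed or was not an HTTP upload.');
    }
    // Only the last extension counts, and it must be on the allowlist.
    $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    if (!isset(ALLOWED[$ext])) {
        throw new RuntimeException('File type not allowed.');
    }
    // Check the content itself, not the client-supplied Content-Type.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if ($mime !== ALLOWED[$ext]) {
        throw new RuntimeException('File content does not match its extension.');
    }
    // Random name: the client never controls the stored path or extension.
    $target = $destDir . '/' . bin2hex(random_bytes(16)) . '.' . $ext;
    if (!move_uploaded_file($file['tmp_name'], $target)) {
        throw new RuntimeException('Could not store the upload.');
    }
    return $target;
}

halt_if_installer_present();
if (isset($_FILES['attachment'])) {
    store_upload($_FILES['attachment']);
}
```

Keeping the upload directory outside the web root, or configuring the server not to execute scripts from it, means a file that slips past these checks is still never run as code.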